CVE-2026-32635
Published: Mar 13, 2026
Modified: Mar 17, 2026
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, the Angular runtime and compiler contain a Cross-Site Scripting (XSS) vulnerability. It occurs when the application uses a security-sensitive attribute (for example `href` on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding `i18n-<attribute>` bypasses Angular's built-in sanitization mechanism. When this is combined with a data binding to untrusted user-generated data, an attacker can inject a malicious script. The vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
| Vendor | Product | Versions |
|---|---|---|
| @angular | compiler | affected >= 22.0.0-next.0, < 22.0.0-next.3; affected >= 21.0.0-next.0, < 21.2.4; affected >= 20.0.0-next.0, < 20.3.18; affected >= 17.0.0.next.0, < 19.2.20 |
| @angular | core | affected >= 22.0.0-next.0, < 22.0.0-next.3; affected >= 21.0.0-next.0, < 21.2.4; affected >= 20.0.0-next.0, < 20.3.18; affected >= 17.0.0.next.0, < 19.2.20 |
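
A review aid for the pattern described above, as an added example that is not part of the advisory or the Angular project: it scans template source for attributes that carry both an `i18n-<attribute>` marker and a data binding. The function names, the URL-attribute list and the sample template are assumptions; this page names only `href` and does not say which binding syntaxes are affected, so interpolation and bracket bindings are all flagged.

```javascript
// Added example (not Angular project code): find template attributes that are
// both marked for translation (i18n-<attr>) and data-bound.
// ASSUMPTION: this URL-attribute list is illustrative; the page names only href.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

// Split one opening tag into [name, value] pairs (value '' when absent).
function parseAttrs(tag) {
  const body = tag.replace(/^<[^\s>\/]+/, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = [];
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  }
  return attrs;
}

// Return one finding per attribute that carries i18n-<attr> and a binding.
function findI18nBoundAttrs(template) {
  const findings = [];
  const tagRe = /<[a-zA-Z][^\s>\/]*(?:"[^"]*"|'[^']*'|[^'">])*>/g;
  let t;
  while ((t = tagRe.exec(template)) !== null) {
    const attrs = parseAttrs(t[0]);
    const line = template.slice(0, t.index).split('\n').length;
    for (const [marker] of attrs) {
      if (!marker.startsWith('i18n-')) continue;
      const name = marker.slice(5);
      // Interpolation, property binding and attribute binding all count.
      const bound = attrs.some(([n, v]) =>
        (n === name && v.includes('{{')) || n === `[${name}]` || n === `[attr.${name}]`);
      if (bound) findings.push({ line, attr: name, urlAttr: URL_ATTRS.has(name) });
    }
  }
  return findings;
}

// Constructed sample template, not taken from any real application.
const SAMPLE = [
  '<a href="{{ profileUrl }}" i18n-href>Profile</a>',
  '<a [href]="link" i18n-href="@@link">Link</a>',
  '<span title="Hi {{ name }}" i18n-title>?</span>',
  '<a href="/about" i18n-href>About</a>',
  '<a href="{{ docsUrl }}">Docs</a>',
].join('\n');

console.log(findI18nBoundAttrs(SAMPLE));
```

Findings with `urlAttr: true` are the ones to review first while the application is still on an affected version; upgrading to a fixed release remains the remediation.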