Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-site scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves three steps: extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user. If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript. When successfully exploited, this vulnerability allows for execution of attacker-controlled JavaScript in the application origin. Depending on the nature of the application being exploited, this could lead to credential exfiltration and/or page vandalism. Several preconditions apply to the attack. The attacker must compromise the translation file (XLIFF, XTB, etc.). Unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client. The victim application must use Angular i18n, use one or more ICU messages, render an ICU message, and not defend against XSS via a safe content security policy. Versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue.
Until the patch is applied, developers should consider reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application, enabling strict CSP controls to block unauthorized JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.
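The description treats the translation file as the trust boundary: the check a practitioner wants before merging translations is a scan of the incoming file for HTML in translated text, with ICU messages called out because that is where the unsanitized rendering happens. The Python script below is an added example and is not code from this advisory or from the Angular project. It assumes XLIFF 1.2 (the format Angular's extract-i18n writes by default) and runs against a constructed sample file embedded inline. It goes slightly beyond the advisory's "raw script tags" wording by flagging any HTML tag, plus inline event-handler attributes and javascript: URLs inside those tags, and it reports non-ICU units as well.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: XLIFF 1.2, the dialect Angular's extract-i18n emits by default.
NS = {"x": "urn:oasis:names:tc:xliff:document:1.2"}

# An HTML start or end tag once XML entities are decoded ("&lt;img ...&gt;" -> "<img ...>").
# Requiring a tag name directly after "<" keeps "a < b and c > d" from matching.
TAG_RE = re.compile(r"</?[a-zA-Z][a-zA-Z0-9-]*(?:\s[^<>]*)?/?>")
# Inline event-handler attributes and javascript: URLs, checked inside each tag found.
HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
JS_URL_RE = re.compile(r"(?:href|src|action|formaction)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE)
# An ICU message: "{VAR, plural, ...}", "{VAR, select, ...}" or "{VAR, selectordinal, ...}".
ICU_RE = re.compile(r"^\s*\{\s*\w+\s*,\s*(?:plural|select|selectordinal)\s*,", re.IGNORECASE)


@dataclass
class Finding:
    unit_id: str
    is_icu: bool
    reasons: List[str] = field(default_factory=list)


def target_text(unit: ET.Element) -> Optional[str]:
    """Return the decoded text of a <target>, or None if the unit is untranslated."""
    target = unit.find("x:target", NS)
    if target is None:
        return None
    # itertext() walks past inline placeholder elements (<x/>, <g>) and yields decoded text,
    # so an entity-escaped payload comes back as the markup the browser would see.
    return "".join(target.itertext())


def inspect_text(text: str) -> List[str]:
    """Classify markup found in translated text; an empty list means nothing suspicious."""
    reasons: List[str] = []
    tags = TAG_RE.findall(text)
    if tags:
        reasons.append("html-tag")
    if any(HANDLER_RE.search(tag) for tag in tags):
        reasons.append("event-handler")
    if any(JS_URL_RE.search(tag) for tag in tags):
        reasons.append("javascript-url")
    return reasons


def audit_xliff(xml_text: str) -> List[Finding]:
    """Scan every translated unit and report those whose target contains HTML."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for unit in root.iterfind(".//x:trans-unit", NS):
        text = target_text(unit)
        if text is None:
            continue
        reasons = inspect_text(text)
        if reasons:
            findings.append(Finding(unit.get("id", "?"), bool(ICU_RE.match(text)), reasons))
    return findings


# Constructed sample file (not from any real project): a clean ICU plural, an ICU select whose
# "other" case carries injected markup, a clean unit with an entity, and a non-ICU unit with a
# script tag. The payloads are inert placeholders.
SAMPLE_XLIFF = """<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
  <file source-language="en" target-language="de" datatype="plaintext" original="ng2.template">
    <body>
      <trans-unit id="itemCount" datatype="html">
        <source>{VAR_PLURAL, plural, =0 {no items} =1 {one item} other {<x id="INTERPOLATION" equiv-text="{{count}}"/> items}}</source>
        <target>{VAR_PLURAL, plural, =0 {keine Elemente} =1 {ein Element} other {<x id="INTERPOLATION" equiv-text="{{count}}"/> Elemente}}</target>
      </trans-unit>
      <trans-unit id="salutation" datatype="html">
        <source>{VAR_SELECT, select, male {Mr} female {Ms} other {Mx}}</source>
        <target>{VAR_SELECT, select, male {Herr} female {Frau} other {&lt;img src="x" onerror="/* injected */"&gt;}}</target>
      </trans-unit>
      <trans-unit id="welcome" datatype="html">
        <source>Hello &amp; welcome</source>
        <target>Hallo &amp; willkommen</target>
      </trans-unit>
      <trans-unit id="legalNotice" datatype="html">
        <source>All rights reserved.</source>
        <target>Alle Rechte vorbehalten. &lt;script src="https://example.invalid/t.js"&gt;&lt;/script&gt;</target>
      </trans-unit>
    </body>
  </file>
</xliff>
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XLIFF
    results = audit_xliff(source)
    for f in results:
        print(f"{f.unit_id} ({'ICU' if f.is_icu else 'text'}): {', '.join(f.reasons)}")
    sys.exit(1 if results else 0)  # non-zero so a CI step rejects the file
```

Run it with a file path to audit a real translation file, or with no arguments to see it flag the `salutation` and `legalNotice` units in the sample while leaving the clean units alone. Because it decodes entities before matching, it does not matter whether a translator hid markup as `&lt;script&gt;` or as literal tags; and because it only fires on well-formed tags, ordinary comparison signs in translated prose do not raise false positives.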
Published: 2026-02-26
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via XSS
Action: Immediate Patch
AI Analysis

Impact

The XSS flaw, a classic example of CWE-79 (Cross-Site Scripting), arises when Angular i18n processes ICU messages from external translation files. Because HTML within the translated content is not sanitized, a malicious translator can inject JavaScript that runs in the context of the application. Once executed, the script can steal credentials, modify the page or perform other client-side attacks, effectively giving an attacker remote code execution within the application origin. The likely attack vector is the injection of malicious HTML into an external translation file that Angular will later parse and render.

Affected Systems

Applications running Angular versions older than 21.2.0, 21.1.16, 20.3.17 or 19.2.19, including any pre-release builds such as 21.2.0-next0, 21.2.0-next1, 21.2.0-next2, 21.2.0-next3 or 21.2.0-rc0, are exposed. The vulnerability is triggered only when the application uses Angular i18n with ICU messages that are parsed from an external translation file (e.g., XLIFF or XTB). Applications that do not use i18n or do not render ICU messages are not affected. Based on the description, the flaw is exploitable only when an attacker can tamper with a translation file, which in practice means translation files received from third-party sources.

Risk and Exploitability

The CVSS v4.0 base score of 7.6 is rated High. The EPSS score of less than 1% suggests that, while the flaw is known, the probability of exploitation in the near term is low, partly because an attacker must first gain access to a translation file or supply a malicious translation. The vulnerability is not listed in the CISA KEV catalogue, and there is no indication of public exploits at this time. Nonetheless, the potential impact, arbitrary client-side code execution in the application origin, warrants immediate remediation. The likely attack vector involves an attacker compromising or forging a translation file that is subsequently merged into the application, allowing the injection of untrusted HTML that is rendered with the user's privileges.

Generated by OpenCVE AI on April 18, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Angular 21.2.0 or later, 21.1.6 or later, 20.3.17 or later, or 19.2.19 or later, applying the security fix that sanitizes ICU messages.
  • Perform a thorough audit of all translation files supplied by third‑party partners, ensuring that any inserted HTML is sanitized or stripped before integration, and reject any files containing raw script tags.
  • Enable a Content Security Policy that blocks inline JavaScript and restricts script sources to trusted origins, so that injected markup cannot execute even if it reaches the page.
  • Configure Trusted Types in the application to enforce safe usage of the DOM and prevent injection of unsanitized content.
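The last two recommendations only help if the policy actually shipped does what they describe. The Python check below is an added example, not code from OpenCVE or from the Angular project: it parses a Content-Security-Policy header value and reports whether inline scripts are blocked and whether Trusted Types enforcement is on, and it contrasts a constructed weak policy with one of the shape the advisory asks for. The nonce in the strict policy is a placeholder that must be generated per response; the `angular` and `angular#bundler` policy names are the ones Angular documents for CLI-built applications, and builds that use JIT compilation or the sanitizer-bypass helpers need Angular's additional policy names.

```python
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs scripts; when it is absent the browser falls back to default-src."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def blocks_inline_scripts(policy: Dict[str, List[str]]) -> bool:
    sources = script_sources(policy)
    if sources is None:
        return False  # no script directive at all: inline scripts run freely
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    # so a policy that lists both still blocks unnonced inline scripts.
    return "'unsafe-inline'" not in lowered or has_nonce_or_hash


def enforces_trusted_types(policy: Dict[str, List[str]]) -> bool:
    """True when require-trusted-types-for 'script' is set, which makes the DOM XSS sinks
    refuse plain strings and forces them through a Trusted Types policy."""
    return "'script'" in [s.lower() for s in policy.get("require-trusted-types-for", [])]


def review_csp(header: str) -> Dict[str, bool]:
    policy = parse_csp(header)
    return {
        "blocks_inline_scripts": blocks_inline_scripts(policy),
        "enforces_trusted_types": enforces_trusted_types(policy),
    }


# Constructed policies: the first permits inline scripts and sets no Trusted Types requirement;
# the second is the shape the advisory recommends. The nonce value is a placeholder.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT_CSP = (
    "default-src 'self'; "
    "script-src 'nonce-REPLACE_PER_RESPONSE' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'none'; "
    "require-trusted-types-for 'script'; "
    "trusted-types angular angular#bundler"
)

if __name__ == "__main__":
    for name, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(name, review_csp(header))
```

Point `review_csp` at the header your server or CDN actually returns (curl -I is enough to fetch it), not at the value in the source tree; a header rewritten by an intermediate proxy is a common reason the deployed policy is weaker than the one in the repository.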


Advisories
Source       ID                    Title
GitHub GHSA  GHSA-prjf-86w9-mfqv   Angular i18n vulnerable to Cross-Site Scripting
History

Sat, 28 Feb 2026 00:15:00 +0000

Type         Values Removed           Values Added
References
Metrics      threat_severity: None    threat_severity: Important


Fri, 27 Feb 2026 17:15:00 +0000

Type         Values Removed   Values Added
CPEs                          cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:*
                              cpe:2.3:a:angular:angular:21.2.0:next0:*:*:*:node.js:*:*
                              cpe:2.3:a:angular:angular:21.2.0:next1:*:*:*:node.js:*:*
                              cpe:2.3:a:angular:angular:21.2.0:next2:*:*:*:node.js:*:*
                              cpe:2.3:a:angular:angular:21.2.0:next3:*:*:*:node.js:*:*
                              cpe:2.3:a:angular:angular:21.2.0:rc0:*:*:*:node.js:*:*
Metrics                       cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 26 Feb 2026 17:15:00 +0000

Type         Values Removed   Values Added
Metrics                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Angular
                                      Angular angular
Vendors & Products                    Angular
                                      Angular angular


Thu, 26 Feb 2026 02:15:00 +0000

Type         Values Removed   Values Added
Description                   (the text given under Description at the top of this page)
Title                         Angular i18n vulnerable to Cross-Site Scripting (XSS)
Weaknesses                    CWE-79
References
Metrics                       cvssV4_0: {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:47:38.387Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27970

Vulnrichment

Updated: 2026-02-26T14:47:32.718Z

NVD

Status: Analyzed

Published: 2026-02-26T02:16:24.353

Modified: 2026-02-27T17:11:53.417

Link: CVE-2026-27970

Red Hat

Severity: Important

Public Date: 2026-02-26T02:03:43Z

Links: CVE-2026-27970 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses