Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding an i18n-<attribute name> marker bypasses Angular's built-in sanitization mechanism, which, when combined with a data binding to untrusted user-generated data, can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
Published: 2026-03-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via i18n attribute bindings
Action: Patch
AI Analysis

Impact

Angular allows developers to internationalize attribute values with the i18n- attribute syntax. For security‑sensitive attributes such as href, the framework normally sanitizes bound values to prevent script execution. However, when an attribute is internationalized, Angular’s sanitization is bypassed. If the bound value originates from untrusted user‑generated data, an attacker can inject malicious JavaScript that executes in the context of the affected web page, leading to credential theft, defacement, or further exploitation. The flaw is a classic CWE‑79 cross‑site scripting weakness. This attack can occur entirely on the client side and does not require any server‑side code changes.

Affected Systems

The vulnerability exists in the Angular runtime and compiler packages (@angular/compiler, @angular/core). It affects all releases before 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. Users running any older version should assess whether the application renders security-sensitive attributes that are both bound to user data and marked for i18n.
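The assessment the two paragraphs above call for has two parts: is the installed Angular on a fixed release, and which templates pair an i18n-<attribute> marker with a data binding on a sensitive attribute such as href. The TypeScript below is an added example written for this page, not code from the Angular project or from OpenCVE. The fixed versions are copied from the advisory; the sensitive-attribute list beyond href, the treatment of majors above 22 as fixed and below 19 as affected, and the sample template are assumptions and constructed input, marked as such in the comments.

```typescript
// Added audit helpers for CVE-2026-32635 (not Angular or OpenCVE code).
// Fixed releases per major line, copied from the advisory text.
const FIXED_BY_MAJOR: Record<number, string> = {
  22: "22.0.0-next.3",
  21: "21.2.4",
  20: "20.3.18",
  19: "19.2.20",
};

interface ParsedVersion {
  major: number;
  minor: number;
  patch: number;
  pre: number | null; // numeric part of a "-next.N" tag; null for a final release
}

// Parses an exact installed version such as "21.2.4" or "22.0.0-next.3"
// (as reported by `npm ls @angular/core`), not a semver range from package.json.
function parseVersion(v: string): ParsedVersion {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-next\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] === undefined ? null : +m[4] };
}

// Comparator: negative if a < b. A final release sorts after every "-next" prerelease of the same triple.
function compareVersions(a: ParsedVersion, b: ParsedVersion): number {
  for (const k of ["major", "minor", "patch"] as const) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre === null && b.pre === null) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre - b.pre;
}

// True when the installed @angular/core or @angular/compiler predates the fix on its major line.
// Assumption: majors above 22 carry the fix; majors below 19 have no fixed release and count as affected.
function isAffected(installed: string): boolean {
  const v = parseVersion(installed);
  if (v.major > 22) return false;
  const fixed = FIXED_BY_MAJOR[v.major];
  if (!fixed) return true;
  return compareVersions(v, parseVersion(fixed)) < 0;
}

// Attributes whose bound values Angular sanitizes. The advisory names href; the other
// URL-valued entries are an assumption and can be adjusted to the team's own policy.
const SENSITIVE_ATTRIBUTES = new Set(["href", "src", "srcdoc", "action", "formaction", "xlink:href"]);

interface Finding {
  tag: string;
  attribute: string;
  snippet: string;
}

// Flags start tags that carry i18n-<attr> for a sensitive attribute AND bind that attribute
// to data ([attr]=, bind-attr=, [attr.attr]= or an {{ }} interpolation). A static literal
// such as href="/about" is not data-bound and is left alone. The tag regex is a deliberately
// simple scanner: it does not understand a literal ">" inside an attribute value.
function findRiskyI18nAttributeBindings(template: string): Finding[] {
  const findings: Finding[] = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let tagMatch: RegExpExecArray | null;
  while ((tagMatch = tagRe.exec(template)) !== null) {
    const [snippet, tag, attrs] = tagMatch;
    const i18nRe = /(?<![\w-])i18n-([\w:.-]+?)(?=[\s=/]|$)/g;
    let i18nMatch: RegExpExecArray | null;
    while ((i18nMatch = i18nRe.exec(attrs)) !== null) {
      const name = i18nMatch[1].toLowerCase();
      if (!SENSITIVE_ATTRIBUTES.has(name)) continue;
      const esc = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
      const boundRe = new RegExp(
        `\\[(?:attr\\.)?${esc}\\]\\s*=` +           // [href]= or [attr.href]=
        `|(?<![\\w-])bind-${esc}\\s*=` +            // bind-href=
        `|(?<![\\w-])${esc}\\s*=\\s*"[^"]*\\{\\{`,  // href="...{{ expr }}..."
        "i",
      );
      if (boundRe.test(attrs)) findings.push({ tag, attribute: name, snippet });
    }
  }
  return findings;
}

// Constructed sample template: only the first and last anchors pair i18n-href with a binding.
const SAMPLE_TEMPLATE = `
<a [href]="profileUrl" i18n-href="@@profileLink">Profile</a>
<a href="/about" i18n-href>About</a>
<img [src]="avatarUrl" alt="">
<a href="{{ externalLink }}" i18n-href="@@ext">Docs</a>
`;

function auditSample(): Finding[] {
  return findRiskyI18nAttributeBindings(SAMPLE_TEMPLATE);
}

for (const f of auditSample()) {
  console.log(`<${f.tag}> binds ${f.attribute} and marks it i18n-${f.attribute}: ${f.snippet}`);
}
console.log("18.2.13 affected:", isAffected("18.2.13"), "| 21.2.4 affected:", isAffected("21.2.4"));
```

Run the scanner over each component template (for example by reading every .html file under src/ and passing its contents to findRiskyI18nAttributeBindings); each finding is an element to review once the upgrade is scheduled, since the advisory's condition is the combination of the i18n marker and a binding to untrusted data, not the i18n marker on its own.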

Risk and Exploitability

The CVSS base score for this issue is 8.6, indicating high severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a malicious user or content provider to supply crafted input to the application, typically via a URL or form field whose value the application binds to a sensitive attribute such as href. Once the browser renders the page, the injected script runs with the user's privileges.

Generated by OpenCVE AI on March 17, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Angular 22.0.0-next.3 or later, 21.2.4 or later, 20.3.18 or later, or 19.2.20 or later


Advisories
  Source: GitHub GHSA
  ID: GHSA-g93w-mfhg-p222
  Title: Angular vulnerable to XSS in i18n attribute bindings
History

Tue, 17 Mar 2026 00:15:00 +0000

  References
  Metrics:
    Values removed: threat_severity = None
    Values added:   cvssV3_1 = {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}
                    threat_severity = Moderate


Mon, 16 Mar 2026 16:15:00 +0000

  Metrics:
    Values added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

  Values added:
    First Time appeared: Angular; Angular angular; Angular compiler
    Vendors & Products:  Angular; Angular angular; Angular compiler

Fri, 13 Mar 2026 21:15:00 +0000

  Values added:
    Description: as given in the Description section above
    Title: Angular has XSS in i18n attribute bindings
    Weaknesses: CWE-79
    References
    Metrics: cvssV4_0 = {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-03-17T03:55:33.785Z
  Reserved: 2026-03-12T15:29:36.559Z
  Link: CVE-2026-32635

Vulnrichment
  Updated: 2026-03-16T15:31:34.969Z

NVD
  Status: Awaiting Analysis
  Published: 2026-03-16T14:19:40.753
  Modified: 2026-03-16T14:53:07.390
  Link: CVE-2026-32635

Red Hat
  Severity: Moderate
  Public Date: 2026-03-13T20:58:12Z
  Links: CVE-2026-32635 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-03-23T13:39:31Z

Weaknesses