Angular XSS Vulnerability Exposes Thousands of Web Applications to XSS Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A high-severity Cross-Site Scripting (XSS) vulnerability has been discovered in the widely used Angular framework. Tracked as CVE-2026-32635 and categorized under CWE-79, this flaw affects both the @angular/compiler and @angular/core packages.

Because Angular powers countless enterprise and consumer web applications worldwide, this vulnerability potentially exposes a massive attack surface to threat actors.

The vulnerability stems from how Angular handles internationalization (i18n) for security-sensitive HTML attributes.

By default, Angular treats any value bound to a security-sensitive attribute as untrusted and sanitizes it according to that attribute's security context before writing it to the DOM; a javascript: URL bound to href, for example, is rendered inert instead of becoming a live link.

However, security researchers discovered that this critical protection is bypassed when an application enables internationalization for a sensitive attribute.

For example, adding i18n-href to an anchor tag marks the href attribute's value for translation. If a developer also binds untrusted, user-controlled data to that same attribute, an attacker can supply a value such as a javascript: URL and have it reach the DOM unsanitized.

The i18n marker causes the framework to skip the sanitization it would otherwise apply to that attribute. Attributes affected by the bypass include href, src, action, formaction, and data.

Exploiting this vulnerability requires three conditions to hold at once:

  • The target application runs a vulnerable version of Angular.
  • It binds unsanitized, attacker-controllable input to a sensitive attribute such as href or src.
  • The same element marks that attribute for internationalization with the i18n-<name> syntax (for example, i18n-href next to [href]).

Once these preconditions are met, an attacker who controls the bound value can execute arbitrary JavaScript within the context of the vulnerable application, for instance by supplying a javascript: URL.
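As an added illustration (not code from the article or from the Angular project), the following TypeScript helper scans template source for elements that satisfy the last two preconditions together: a dynamic binding to one of the listed sensitive attributes and an i18n- marker for that same attribute on the same element. The sample templates are constructed for this example, and the regex-based tag matcher is an assumption made for triage rather than Angular's own template parser, so treat its output as a list of candidates for manual review.

```typescript
// Added audit helper, not Angular's template parser: flags elements where a
// URL-sensitive attribute is bound dynamically AND the same element carries
// an i18n-<attr> marker for that attribute, i.e. the template-side
// preconditions listed above. Regex-based and conservative; use it to find
// candidates for manual review, not as proof of absence.

const SENSITIVE_ATTRS = ['href', 'src', 'action', 'formaction', 'data'] as const;

interface Finding {
  tag: string;      // element name, lower-cased
  attr: string;     // the sensitive attribute that is both bound and i18n-marked
  element: string;  // the opening tag as written in the template
}

// Opening tag: name, then attributes whose values may be quoted (so a '>'
// inside a quoted value such as *ngIf="a > b" does not end the tag early),
// then an optional '/' and the closing '>'.
const OPEN_TAG_RE =
  /<([a-zA-Z][\w-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;

// A dynamic binding for `attr`: [attr]="..." / [attr.attr]="..." or attr="{{ ... }}".
function hasDynamicBinding(attrs: string, attr: string): boolean {
  const propertyBinding = new RegExp('\\[(?:attr\\.)?' + attr + '\\]\\s*=', 'i');
  const interpolation = new RegExp('(?:^|\\s)' + attr + '\\s*=\\s*["\'][^"\']*\\{\\{', 'i');
  return propertyBinding.test(attrs) || interpolation.test(attrs);
}

// i18n-<attr>, with or without a value such as i18n-href="@@downloadLink".
function hasI18nMarker(attrs: string, attr: string): boolean {
  return new RegExp('(?:^|\\s)i18n-' + attr + '(?:\\s|=|$)', 'i').test(attrs);
}

function findRiskyI18nBindings(template: string): Finding[] {
  const findings: Finding[] = [];
  OPEN_TAG_RE.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = OPEN_TAG_RE.exec(template)) !== null) {
    const tag = m[1];
    const attrs = m[2] || '';
    for (const attr of SENSITIVE_ATTRS) {
      if (hasDynamicBinding(attrs, attr) && hasI18nMarker(attrs, attr)) {
        findings.push({ tag: tag.toLowerCase(), attr: attr, element: m[0].trim() });
      }
    }
  }
  return findings;
}

// Constructed sample templates. The first has two elements that meet both
// conditions; the static <form action> and the i18n-title anchor do not.
const VULNERABLE_TEMPLATE = `
<a i18n-href="@@downloadLink" [href]="userSuppliedUrl">Download</a>
<img i18n-src src="{{ profile.avatarUrl }}" alt="avatar">
<form i18n-action action="/static/submit"></form>
<a [href]="safeUrl" i18n-title title="Open">Open</a>
`;

// The same elements with the i18n marker moved off the dynamically bound attributes.
const HARDENED_TEMPLATE = `
<a [href]="userSuppliedUrl" i18n>Download</a>
<img [src]="profile.avatarUrl" i18n-alt alt="avatar">
<form i18n-action action="/static/submit"></form>
<a [href]="safeUrl" i18n-title title="Open">Open</a>
`;

for (const f of findRiskyI18nBindings(VULNERABLE_TEMPLATE)) {
  console.log(`<${f.tag}> binds [${f.attr}] under i18n-${f.attr}: ${f.element}`);
}
```

Run it over the output of a recursive read of your `*.component.html` files (and inline `template:` strings); a hit on a vulnerable Angular version is the pattern the advisory describes, and the quickest fix per hit is either to upgrade or to move the i18n marker off the bound attribute, as the hardened sample shows.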

This level of access leads to severe security consequences:

  • Session Hijacking: Threat actors can easily steal session cookies and authentication tokens.
  • Data Exfiltration: Maliciously injected scripts can silently capture and transmit sensitive user data to external command-and-control servers.
  • Unauthorized Actions: Attackers can force the application to perform administrative or destructive actions on behalf of the victimized user.

Affected Versions and Patches

The Angular development team has rolled out security updates for multiple release tracks. However, older version branches currently remain vulnerable without an official patch.

The @angular/compiler and @angular/core packages are affected in the following ranges (each upper bound is exclusive and is the version that carries the fix):

  • 22.0.0-next.0 up to, but not including, 22.0.0-next.3: patched in 22.0.0-next.3.
  • 21.0.0-next.0 up to, but not including, 21.2.4: patched in 21.2.4.
  • 20.0.0-next.0 up to, but not including, 20.3.18: patched in 20.3.18.
  • 19.0.0-next.0 up to, but not including, 19.2.20: patched in 19.2.20.
  • 17.0.0-next.0 through 18.2.14: vulnerable, with no patch currently available, so applications on these lines need to move to a patched release line.

The most effective remediation is to update the application to a patched version listed above, as published in Angular's official GitHub releases.

If upgrading immediately is not an operational option, development teams must ensure that any data bound to the affected attributes never originates from an untrusted source, such as values stored in a database, API responses, or URL parameters. Because the bypass requires both conditions on the same element, a simpler fix is to drop the i18n-<name> marker from any attribute that receives dynamic data and translate only static attributes or element text.

Alternatively, developers can sanitize the value themselves before binding it, using Angular's DomSanitizer: sanitize(SecurityContext.URL, value) for URL attributes. The bypassSecurityTrust* methods do the opposite, marking a value as trusted so that no sanitization is applied, and must not be used for this purpose.

By explicitly sanitizing the data before it is bound to the Document Object Model (DOM), the application neutralizes injected javascript: URLs and similar payloads even if the internationalization bypass is triggered.
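As an added example (not Angular's code and not from the article), the block below is a stand-alone URL sanitizer that applies the idea behind Angular's URL security context, a scheme allowlist with every other value rewritten to an inert unsafe: URL, so the check can be exercised outside a browser. The allowlist is this example's own choice and is stricter than Angular's rule; in a real component the equivalent step is `this.sanitizer.sanitize(SecurityContext.URL, value)` (DomSanitizer from @angular/platform-browser, SecurityContext from @angular/core), performed before the value is assigned to the property the template binds. The sample inputs are constructed.

```typescript
// Added example, not Angular's implementation: a scheme allowlist for values
// that will be bound to href/src/action/formaction. Anything not on the list
// is rewritten to an "unsafe:" URL, which browsers refuse to navigate to.
// In a component this step runs before assignment, e.g.
//   this.safeHref = this.sanitizer.sanitize(SecurityContext.URL, raw) ?? '';
// so the template's [href]="safeHref" never carries a raw value, whether or
// not the i18n-href bypass is in play.

const ALLOWED_SCHEMES: string[] = ['http', 'https', 'mailto', 'tel', 'ftp', 'sms'];

// Returns the lower-cased scheme of a URL, or null for a relative URL.
// Browsers drop tab, newline and other ASCII control characters while
// parsing, so "java\tscript:" is still the javascript: scheme; strip them
// first so the whitespace-in-scheme bypass is caught.
function extractScheme(url: string): string | null {
  const stripped = url.replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

function sanitizeUrl(value: string): string {
  const url = value.trim();
  const scheme = extractScheme(url);
  // Relative URLs ("/account", "?page=2", "#top") carry no scheme and stay
  // on the current origin, so they are allowed as-is.
  if (scheme === null || ALLOWED_SCHEMES.indexOf(scheme) !== -1) {
    return url;
  }
  return 'unsafe:' + url;
}

// Constructed inputs, as they might arrive from a URL parameter or API response.
const SAMPLES: string[] = [
  'https://example.com/download',
  '/account/settings',
  '  mailto:security@example.com ',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'vbscript:msgbox(1)',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeUrl(s)));
}
```

If an application legitimately binds data: image URLs to [src], extend the allowlist for that case only; data:text/html must stay blocked, since it is as dangerous in an href as a javascript: URL.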
