Platform Name, Vulnerability Type, CVE-ID (Severity) -DC-Jun2026-404


Angular, Cross‑Site Scripting (XSS), CVE‑2026‑32635 (High)

How CVE‑2026‑32635 Works

CVE‑2026‑32635 is a cross‑site scripting (XSS) vulnerability in the Angular framework that arises from a sanitization bypass in two‑way data bindings. Angular normally treats all values as untrusted and applies context‑aware sanitization to prevent XSS attacks. However, when a security‑sensitive native DOM property—such as innerHTML, srcdoc, src, href, data, or sandbox—is used with the two‑way binding syntax ([(property)]="value" or bindon‑property="value"), the Angular template compiler fails to apply the proper sanitizer.
The root cause lies in the way the compiler handles the `TwoWayProperty` operation. Instead of calling the same schema‑derived sanitization function that is used for one‑way bindings (`[property]="value"`), the compiler emits the property binding without any sanitization. As a result, any value bound through a two‑way binding is inserted into the DOM exactly as provided, allowing an attacker who controls that value to inject arbitrary HTML or JavaScript.
For the vulnerability to be exploited, three preconditions must be met:
1. The application must use two‑way binding on a sensitive DOM property (e.g., `<div [(innerHTML)]="userContent"></div>`).
2. The value bound to that property must be influenced by user‑controlled input.
3. The application must not manually sanitize the value before binding it.
When these conditions are satisfied, an attacker can supply a malicious payload (such as `<img src=x onerror=alert(1)>`) that bypasses Angular’s built‑in sanitization and executes arbitrary JavaScript in the victim’s browser. This can lead to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the victim.
The vulnerability affects multiple Angular versions: all releases before 22.0.0‑next.3, 21.2.4, 20.3.18, and 19.2.20. It is fixed in those versions.

DailyCVE Form

| Field | Value |
|-|-|
| Platform | `@angular/compiler` |
| Version | `<22.0.0‑next.3`, `<21.2.4`, `<20.3.18`, `<19.2.20` |
| Vulnerability | XSS sanitization bypass |
| Severity | High |
| Date | 2026‑03‑13 |
| Prediction | 2026‑03‑20 |

<h2 style="color: blue;">What Undercode Say: Analytics</h2>

```bash
# Check the Angular version in the current project
ng version | grep Angular
# List every package.json (recursively, node_modules included) that depends on @angular/core
find . -name "package.json" -exec grep -H "@angular/core" {} \;
# For a specific project, extract the declared Angular version
grep "@angular/core" package.json
```
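As an added check (example code written for this post, not part of the advisory or of the Angular project), the script below reads the declared `@angular/compiler` or `@angular/core` range from a `package.json`, strips the range operator, and decides whether that minimum version is older than the fixed release of its major line, using the four fixed versions the advisory lists. The semver comparison handles the `22.0.0‑next.3` prerelease tag correctly. The function names and the sample `package.json` are constructed for the example; `package.json` only declares a range, so for a definitive answer feed it the resolved version from `npm ls @angular/compiler`.

```typescript
// Added example, not part of the advisory or of the Angular project: classify an
// @angular/compiler version as affected or fixed for CVE-2026-32635 using the
// fixed versions the advisory lists. A version is affected when it is older
// than the fixed release of its own major line.
const FIXED_VERSIONS: Partial<Record<number, string>> = {
  19: "19.2.20",
  20: "20.3.18",
  21: "21.2.4",
  22: "22.0.0-next.3",
};

interface SemVer {
  major: number;
  minor: number;
  patch: number;
  pre: string[]; // prerelease identifiers, e.g. ["next", "3"]
}

function parseSemVer(v: string): SemVer {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// SemVer 2.0 ordering: compare the numeric core first; a release without a
// prerelease tag is newer than any prerelease of the same core ("22.0.0" is
// newer than "22.0.0-next.3"); prerelease identifiers compare numerically when
// both are digits, otherwise lexically, and numeric ones sort before alphanumeric.
function compareSemVer(a: SemVer, b: SemVer): number {
  for (const k of ["major", "minor", "patch"] as const) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.pre.length) return -1; // the shorter prerelease list is older
    if (i >= b.pre.length) return 1;
    const x = a.pre[i], y = b.pre[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) {
      if (+x !== +y) return +x < +y ? -1 : 1;
    } else if (xNum) {
      return -1;
    } else if (yNum) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True when `version` is older than the fixed release for its major line.
// Majors below 19 have no fixed release in the advisory and are all affected;
// majors above 22 postdate 22.0.0-next.3 and are treated as fixed.
function isAffectedByCve202632635(version: string): boolean {
  const v = parseSemVer(version);
  const fixed = FIXED_VERSIONS[v.major];
  if (fixed === undefined) return v.major < 19;
  return compareSemVer(v, parseSemVer(fixed)) < 0;
}

// Pull the declared @angular/compiler (or, failing that, @angular/core) range
// out of a package.json text and strip the range operator, leaving the minimum
// version the range allows.
function declaredAngularVersion(packageJsonText: string): string | null {
  const pkg = JSON.parse(packageJsonText);
  for (const section of ["dependencies", "devDependencies"]) {
    const deps = pkg[section];
    if (!deps) continue;
    const range = deps["@angular/compiler"] ?? deps["@angular/core"];
    if (typeof range === "string") return range.replace(/^[\^~=v\s]+/, "");
  }
  return null;
}

// Constructed sample package.json (not from any real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: { "@angular/core": "^21.2.3", "@angular/compiler": "^21.2.3" },
});

const declaredMinimum = declaredAngularVersion(SAMPLE_PACKAGE_JSON);
console.log(
  `declared minimum ${declaredMinimum}: ` +
    (declaredMinimum !== null && isAffectedByCve202632635(declaredMinimum) ? "AFFECTED" : "fixed or not applicable"),
);
```

The prerelease handling matters here because the 22.x fix landed in a `next` build: a naive string comparison would rank `22.0.0-next.3` above `22.0.0`, and a comparison that drops the tag would call `22.0.0-next.2` fixed.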

Code Example Demonstrating the Vulnerability

```typescript
import { Component } from '@angular/core';

// Deliberately vulnerable: the two‑way binding on innerHTML skips the sanitizer.
@Component({
  template: `<div [(innerHTML)]="userContent"></div>`
})
export class VulnerableComponent {
  userContent = ''; // Value could be taken from a URL parameter or input field
}
```

If an attacker sets `userContent` to `<img src=x onerror=alert(1)>`, the script executes when the view renders.

How to Exploit:

  1. Identify a two‑way binding that uses a sensitive DOM property (e.g., innerHTML, srcdoc, src, href, data, sandbox).
  2. Control the bound value via a URL parameter, form input, or any other user‑controlled source.
  3. Inject a malicious payload like the `<img>` payload shown above, or a more sophisticated script that exfiltrates cookies or performs actions.
  4. Trigger the rendering of the view that contains the two‑way binding.
  5. Observe the script execution in the victim’s browser, leading to session hijacking or data theft.

Protection:

  • Upgrade Angular to 22.0.0‑next.3, 21.2.4, 20.3.18, or 19.2.20 or later.
  • Avoid two‑way binding on security‑sensitive DOM properties; prefer one‑way bindings (`[property]="value"`).
  • Always sanitize user‑controlled values using Angular’s `DomSanitizer` before binding them, even when using two‑way syntax:

    ```typescript
    import { SecurityContext } from '@angular/core';
    import { DomSanitizer } from '@angular/platform-browser';
    ...
    // Run the HTML sanitizer explicitly; bypassSecurityTrustHtml() would skip it.
    userContent = this.sanitizer.sanitize(SecurityContext.HTML, rawValue) ?? '';
    ```
    
  • Implement a Content Security Policy (CSP) that restricts script sources and disables `unsafe-inline` and `unsafe-eval`.
  • Use Trusted Types to lock down DOM injection points.
  • Regularly scan dependencies with `npm audit` or `ng update` to detect vulnerable Angular versions.
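To enforce the first two bullets in code review, here is an added example (not from the advisory or from Angular) of a regex‑based template audit: it walks the start tags of an Angular template and reports every two‑way binding, in either `[(prop)]` or `bindon-prop` syntax, whose target is one of the sensitive DOM properties named above, together with the equivalent one‑way form. The regexes, the `scanTemplate` function and the sample template are constructed for this example; it is a review aid, not the Angular compiler's parser, so templates with unusual quoting need a real parser.

```typescript
// Added example, not part of the advisory or of Angular itself: a regex-based
// audit of Angular template source for two-way bindings on the DOM properties
// the advisory names. It only understands plain start tags with double- or
// single-quoted attribute values.
const SENSITIVE_DOM_PROPERTIES = new Set(["innerHTML", "srcdoc", "src", "href", "data", "sandbox"]);

interface Finding {
  line: number;       // 1-based line of the start tag
  element: string;    // tag name
  property: string;   // bound DOM property
  expression: string; // template expression bound to it
  suggestion: string; // one-way form that keeps the sanitizer in the path
}

function scanTemplate(template: string): Finding[] {
  const findings: Finding[] = [];
  // A start tag: name followed by attribute text up to the closing '>';
  // quoted values may themselves contain '>' and must not end the tag.
  const tagRe = /<([A-Za-z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  // A two-way binding in either syntax: [(prop)]="expr" or bindon-prop="expr".
  const bindingRe = /(?:\[\(([A-Za-z][\w.]*)\)\]|bindon-([A-Za-z][\w.]*))\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let tag: RegExpExecArray | null;
  while ((tag = tagRe.exec(template)) !== null) {
    const [, element, attrs] = tag;
    const line = template.slice(0, tag.index).split("\n").length;
    bindingRe.lastIndex = 0; // rescan from the start of this tag's attributes
    let b: RegExpExecArray | null;
    while ((b = bindingRe.exec(attrs)) !== null) {
      const property = b[1] ?? b[2];
      const expression = b[3] ?? b[4] ?? "";
      // Two-way bindings on component inputs such as [(ngModel)] are not DOM
      // properties and are not covered by the advisory.
      if (!SENSITIVE_DOM_PROPERTIES.has(property)) continue;
      findings.push({ line, element, property, expression, suggestion: `[${property}]="${expression}"` });
    }
  }
  return findings;
}

// Constructed sample template (not from any real application).
const SAMPLE_TEMPLATE = [
  '<div class="card" [(innerHTML)]="userContent"></div>',
  '<input type="text" [(ngModel)]="name">',
  '<iframe bindon-srcdoc="doc" [(sandbox)]="flags"></iframe>',
  '<a [href]="link">ok</a>',
].join("\n");

for (const f of scanTemplate(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.element}> two-way binds ${f.property}; use ${f.suggestion}`);
}
```

Run it over the `.html` templates and inline `template:` strings of a project before and after the upgrade; the suggestion column is only a starting point, since a two‑way binding on `innerHTML` usually has no legitimate reason to exist and should be replaced by a one‑way binding of an explicitly sanitized value.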

Impact:

  • Client‑side cross‑site scripting (XSS) allowing arbitrary script execution in the context of the vulnerable application.
  • Session hijacking – an attacker can steal session cookies, tokens, or other authentication material.
  • Data exfiltration – sensitive information displayed in the application can be captured and sent to an attacker‑controlled server.
  • Unauthorized actions – the attacker can perform state‑changing operations (e.g., transferring funds, changing account settings) on behalf of the victim.
  • Reputation damage – for organizations, a successful XSS attack can lead to loss of user trust and regulatory penalties.


Sources:

Reported By: github.com