Angular: Angular XSS Vulnerability Threatens Thousands of Web Applications

High-Severity XSS Vulnerability (CVE-2026-32635) Discovered in Angular Framework

A high-severity Cross-Site Scripting (XSS) vulnerability, CVE-2026-32635, was disclosed in March 2026 in Angular, a widely used web application framework. The flaw lies in how the framework's compiler and runtime handle internationalization (i18n) attribute bindings.

The vulnerability lets an attacker bypass Angular's built-in sanitization and inject script into a web application. Normally, when a value is bound to a security-sensitive attribute such as href, src, action, formaction, background or data, Angular runs it through the sanitizer for that attribute's security context (a javascript: URL bound to href, for instance, is neutralized rather than written out). When the same attribute is also marked for translation with an i18n-<attribute> tag, the value takes the i18n code path instead, and that path writes it to the DOM without the sanitization step, creating a blind spot in Angular's protections. If untrusted user input reaches such an attribute (for example, a user-supplied profile URL interpolated into an href that also carries i18n-href), the sanitization is circumvented entirely and the attacker's script runs in the victim's browser.
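To make the bypass concrete, here is an added TypeScript model of the two code paths. It is illustrative code written for this page, not Angular's source and not from the advisory: a sanitizing binding that neutralizes a javascript: URL the way Angular's URL sanitizer does, next to an i18n attribute path that writes the value through unchanged. The sanitizer regex and the attribute list are simplified stand-ins for Angular's, the function names are this example's own, and the attacker URL is a constructed sample.

```typescript
// Added example: models the two attribute-binding paths the advisory contrasts.
// This is illustrative code, not Angular's implementation.

// Attributes the advisory names as security-sensitive (URL-typed in Angular's schema).
const URL_SENSITIVE_ATTRS: string[] = ['href', 'src', 'action', 'formaction', 'background', 'data'];

// Simplified stand-in for Angular's URL sanitizer: allow a relative URL or any
// scheme except javascript:, and neutralize everything else with an "unsafe:"
// prefix so the browser no longer executes it when the link is followed.
const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i;

function sanitizeUrl(value: string): string {
  // Browsers strip ASCII tab/newline anywhere in a URL and leading control
  // characters before parsing, so "java\nscript:" still executes. Normalize
  // the same way before matching, or the check itself can be bypassed.
  const url = String(value).replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+/, '');
  return SAFE_URL_PATTERN.test(url) ? url : 'unsafe:' + url;
}

// Normal path for href="{{expr}}" or [href]="expr": a URL-typed attribute is
// sanitized before the value reaches the DOM.
function bindSanitized(attr: string, value: string): string {
  return URL_SENSITIVE_ATTRS.indexOf(attr.toLowerCase()) !== -1 ? sanitizeUrl(value) : value;
}

// Model of the vulnerable i18n-<attr> path: the translated attribute value is
// written verbatim and the sanitizer is never consulted.
function bindI18nAttribute(_attr: string, value: string): string {
  return value;
}

// Resolve what one attribute binding would put in the DOM on each path.
function renderAttribute(attr: string, value: string, i18n: boolean): string {
  return i18n ? bindI18nAttribute(attr, value) : bindSanitized(attr, value);
}

// Constructed sample: an attacker sets this as their profile "website" field,
// and the template binds that field to href.
const ATTACKER_URL = 'javascript:alert(document.cookie)';

function demo(): { sanitized: string; i18n: string } {
  return {
    sanitized: renderAttribute('href', ATTACKER_URL, false), // "unsafe:javascript:alert(document.cookie)"
    i18n: renderAttribute('href', ATTACKER_URL, true),       // "javascript:alert(document.cookie)"
  };
}

console.log(demo());
```

The normalization step in sanitizeUrl is the caveat worth keeping even outside this bug: a URL check that matches the raw string without removing tab/newline and leading whitespace can be bypassed with "java\nscript:", because the browser removes those characters before it parses the scheme.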

Rated High severity, the flaw has low attack complexity and can be exploited remotely: the attacker only needs to get a crafted value into one of the affected bindings, for example through a user-editable field the application renders into such an attribute. Successful attacks could lead to:

  • Session hijacking (theft of cookies/authentication tokens, enabling account takeovers).
  • Data exfiltration (capture and transmission of sensitive user data to attacker-controlled servers).
  • Unauthorized actions (manipulation of application functions on behalf of victims).

The vulnerability affects the @angular/compiler and @angular/core packages across multiple release branches, versions 17.0.0 through 22.0.0-next.2. The Angular team has released fixes in the following versions:

  • 22.0.0-next.3
  • 21.2.4
  • 20.3.18
  • 19.2.20

Versions 17 and 18 are outside Angular's long-term support window and remain unpatched, so applications still on those branches need immediate mitigation, ideally by upgrading to one of the fixed releases above. Until that upgrade is possible, the recommended workarounds are:

  • Block untrusted input: never bind user-controlled values to href, src, action, formaction, background or data attributes that carry an i18n marker.
  • Remove the i18n-<attribute> tag from any sensitive attribute whose value can be dynamic, so the binding goes back through Angular's normal sanitizing code path (the attribute is then no longer translated).
  • Where the value must stay both dynamic and translated, sanitize it manually before binding, for example with DomSanitizer.sanitize(SecurityContext.URL, value), and reject values the sanitizer rewrites rather than rendering the unsafe: placeholder.
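As an added example, not part of Angular or the advisory, the following TypeScript script checks templates for the vulnerable combination and applies the second workaround mechanically. It flags every i18n-<attribute> marker on one of the sensitive attributes, reports whether the value is interpolated or bound (and so can carry untrusted input) or a static literal, and strips the marker only from the dynamic cases. The sample template is constructed; the regex-based tag parsing and the choice to treat [attr] and [attr.attr] bindings as dynamic are assumptions of this example, and a production tool should use Angular's own template parser.

```typescript
// Added example: finds the vulnerable i18n + sensitive-attribute combination in
// Angular templates and applies the "remove the i18n marker" workaround.
// Illustrative tooling, not part of Angular or the advisory; a production tool
// should use Angular's template parser rather than these regexes.

const SENSITIVE_ATTRS: string[] = ['href', 'src', 'action', 'formaction', 'background', 'data'];

interface TemplateAttr { name: string; value: string }

interface Finding {
  line: number;     // 1-based line of the start tag
  tag: string;      // element name
  attr: string;     // sensitive attribute that carries an i18n-<attr> marker
  value: string;    // the attribute's literal value or binding expression, as written
  dynamic: boolean; // true when the value can carry runtime (possibly untrusted) input
}

// A start tag with its raw attribute text, and the name/value pairs inside it.
const START_TAG = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(raw: string): TemplateAttr[] {
  const attrs: TemplateAttr[] = [];
  const re = new RegExp(ATTR.source, 'g');
  let m: RegExpExecArray | null;
  while ((m = re.exec(raw)) !== null) {
    attrs.push({ name: m[1], value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Where the marked attribute gets its value. An interpolation (href="{{x}}") can
// carry user input; [href]="x" and [attr.href]="x" are flagged as dynamic too,
// conservatively (an assumption of this example). A literal is translated but
// cannot be attacker-controlled, so it is reported without the dynamic flag.
function valueSource(attrs: TemplateAttr[], target: string): { value: string; dynamic: boolean } {
  let value = '';
  let dynamic = false;
  for (const a of attrs) {
    const n = a.name.toLowerCase();
    if (n === target) {
      value = a.value;
      dynamic = dynamic || a.value.indexOf('{{') !== -1;
    } else if (n === '[' + target + ']' || n === '[attr.' + target + ']') {
      value = a.value;
      dynamic = true;
    }
  }
  return { value: value, dynamic: dynamic };
}

function scanTemplate(template: string): Finding[] {
  const findings: Finding[] = [];
  const re = new RegExp(START_TAG.source, 'g');
  let m: RegExpExecArray | null;
  while ((m = re.exec(template)) !== null) {
    const attrs = parseAttrs(m[2]);
    const line = template.slice(0, m.index).split('\n').length;
    for (const a of attrs) {
      if (a.name.slice(0, 5) !== 'i18n-') continue;
      const target = a.name.slice(5).toLowerCase();
      if (SENSITIVE_ATTRS.indexOf(target) === -1) continue;
      const src = valueSource(attrs, target);
      findings.push({ line: line, tag: m[1], attr: target, value: src.value, dynamic: src.dynamic });
    }
  }
  return findings;
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Workaround applied mechanically: drop the i18n-<attr> marker from sensitive
// attributes whose value is dynamic, so the binding goes back through the
// sanitizing code path. The attribute is no longer translated, which is the
// trade-off this workaround accepts; static, translated-only URLs are left alone.
function stripI18nFromDynamicSensitiveAttrs(template: string): string {
  return template.replace(START_TAG, (tag: string, _name: string, raw: string) => {
    const attrs = parseAttrs(raw);
    let out = tag;
    for (const a of attrs) {
      if (a.name.slice(0, 5) !== 'i18n-') continue;
      const target = a.name.slice(5).toLowerCase();
      if (SENSITIVE_ATTRS.indexOf(target) === -1 || !valueSource(attrs, target).dynamic) continue;
      // Remove ' i18n-href' or ' i18n-href="..."' from the tag text.
      const marker = new RegExp('\\s+' + escapeRegExp(a.name) + '(?=[\\s=/>])(?:\\s*=\\s*(?:"[^"]*"|\'[^\']*\'|[^\\s"\'>]+))?');
      out = out.replace(marker, '');
    }
    return out;
  });
}

// Constructed sample template: one static i18n link (safe), two dynamic
// i18n-marked URL attributes (the vulnerable pattern), and an img whose alt is
// translated but whose src carries no i18n marker (not this bug).
const SAMPLE_TEMPLATE = [
  '<nav>',
  '  <a href="/about" i18n-href="@@aboutLink">About</a>',
  '  <a href="{{ profile.website }}" i18n-href="@@profileLink">Website</a>',
  '  <img src="{{ profile.avatar }}" i18n-alt alt="Profile picture">',
  '  <form action="{{ formTarget }}" i18n-action method="post"></form>',
  '</nav>',
].join('\n');

for (const f of scanTemplate(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.tag}> ${f.attr} is i18n-marked; value ${JSON.stringify(f.value)}; dynamic=${f.dynamic}`);
}
```

Run it over a project's .html templates and review every finding with dynamic=true; the static ones are translated literals and cannot carry untrusted input, so they need no change. Removing the marker is a stopgap for branches that cannot be upgraded, and the scan should be re-run after the upgrade to confirm nothing was missed.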
