VYPR
Critical severity 9.0 · NVD Advisory · Published Mar 16, 2026 · Updated Apr 30, 2026

CVE-2026-32635

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20 contain a Cross-Site Scripting (XSS) vulnerability in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example, href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding an i18n-<attribute name> attribute bypasses Angular's built-in sanitization mechanism, which, when combined with a data binding to untrusted user-generated data, can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
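
The combination the description identifies (an i18n-<attribute name> marker on an element whose security-sensitive attribute also carries a data binding) can be searched for in templates to prioritize review while upgrades roll out. The following is an added example, not code from this advisory or from the Angular project. The function names, the attributes listed beyond href, and the sample template are assumptions constructed for illustration, and the regex parsing is a heuristic, not Angular's template parser.

```javascript
// Added example (not Angular project code): heuristic template audit for the
// pattern described in CVE-2026-32635. SENSITIVE_ATTRS is an assumed,
// non-exhaustive list; the advisory text names only href as an example.
const SENSITIVE_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'srcdoc']);

// Opening tag; quoted attribute values may contain '>' (e.g. "a > b").
const TAG_RE = /<([A-Za-z][\w:-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
// Attribute name, optionally followed by ="value", ='value' or =value.
const ATTR_RE = /([^\s"'=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+)))?/g;

// Map of lower-cased attribute name -> raw value ('' when no value is given).
function parseAttrs(source) {
  const toPair = (m) => [m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ''];
  return new Map([...source.matchAll(ATTR_RE)].map(toPair));
}

// How (if at all) attribute `name` receives a runtime value on this element.
// Property bindings are flagged conservatively alongside interpolation.
function bindingKind(attrs, name) {
  if ((attrs.get(name) || '').includes('{{')) return 'interpolation';
  const aliases = [`[${name}]`, `[attr.${name}]`, `bind-${name}`];
  return aliases.some((a) => attrs.has(a)) ? 'property' : null;
}

// Report elements that pair i18n-<attr> with a data-bound sensitive <attr>.
function findI18nSensitiveBindings(template) {
  const findings = [];
  for (const tag of template.matchAll(TAG_RE)) {
    const attrs = parseAttrs(tag[2]);
    for (const key of attrs.keys()) {
      if (!key.startsWith('i18n-')) continue;
      const attr = key.slice('i18n-'.length);
      const kind = SENSITIVE_ATTRS.has(attr) ? bindingKind(attrs, attr) : null;
      if (!kind) continue;
      const line = template.slice(0, tag.index).split('\n').length;
      findings.push({ line, tag: tag[1], attr, kind });
    }
  }
  return findings;
}

// Constructed sample template, not taken from any real application.
const SAMPLE = [
  '<a href="{{ profile.website }}" i18n-href>Website</a>',
  '<a href="/help" i18n-href="@@helpLink">Help</a>',
  '<img [src]="avatarUrl" i18n-src alt="Avatar" i18n-alt>',
  '<a [href]="docsUrl" title="{{ tip }}" i18n-title>Docs</a>',
].join('\n');
console.log(findI18nSensitiveBindings(SAMPLE));
```

A finding marks a template to review and to retest after upgrading to a fixed release; it does not by itself establish that the bound value is attacker-controlled.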

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @angular/core | npm | >= 22.0.0-next.0, < 22.0.0-next.3 | 22.0.0-next.3 |
| @angular/core | npm | >= 21.0.0-next.0, < 21.2.4 | 21.2.4 |
| @angular/core | npm | >= 20.0.0-next.0.0.0, < 20.3.18 | 20.3.18 |
| @angular/core | npm | >= 19.0.0-next.0, < 19.2.20 | 19.2.20 |
| @angular/core | npm | >= 17.0.0-next.0, <= 18.2.14 | |
| @angular/compiler | npm | >= 22.0.0-next.0, < 22.0.0-next.3 | 22.0.0-next.3 |
| @angular/compiler | npm | >= 21.0.0-next.0, < 21.2.4 | 21.2.4 |
| @angular/compiler | npm | >= 20.0.0-next.0.0.0, < 20.3.18 | 20.3.18 |
| @angular/compiler | npm | >= 19.0.0-next.0, < 19.2.20 | 19.2.20 |
| @angular/compiler | npm | >= 17.0.0-next.0, <= 18.2.14 | |

Affected products

5
  • cpe:2.3:a:angular:angular_cli:*:*:*:*:*:*:*:* (+ 2 more)
    • cpe:2.3:a:angular:angular_cli:*:*:*:*:*:*:*:* (range: >=17.0.0,<19.2.0)
    • cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:*:*:*
    • cpe:2.3:a:angular:angular_cli:22.0.0:next1:*:*:*:*:*:*
  • ghsa-coords (2 versions)
    >= 22.0.0-next.0, < 22.0.0-next.3 (+ 1 more)
    • (no CPE) range: >= 22.0.0-next.0, < 22.0.0-next.3
    • (no CPE) range: >= 22.0.0-next.0, < 22.0.0-next.3

References

9
