CVE-2026-32635
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, the Angular runtime and compiler contain a Cross-Site Scripting (XSS) vulnerability. It occurs when the application uses a security-sensitive attribute (for example, href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<name> bypasses Angular's built-in sanitization mechanism, which, when combined with a data binding to untrusted user-generated data, can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
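A template audit for the pattern described above, as an added example (not code from Angular or from the advisory): it flags elements where a sensitive attribute carries both an i18n-<name> marker and a data binding. Assumptions: the function name and sample template are constructed here, the attribute list beyond href is illustrative, and every binding form is flagged conservatively for review before upgrading.

```javascript
// Heuristic audit for Angular templates (added example, not Angular's own code).
// Assumed list: the advisory text names only href; the rest are illustrative.
const SENSITIVE = new Set(['href', 'src', 'action', 'formaction', 'srcdoc']);

// One opening tag: element name, then zero or more attributes.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// One attribute: name, optional quoted or unquoted value.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function findRiskyI18nBindings(template) {
  const findings = [];
  for (const tag of template.matchAll(TAG_RE)) {
    const attrs = new Map();
    for (const a of tag[2].matchAll(ATTR_RE)) {
      attrs.set(a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? '');
    }
    for (const name of attrs.keys()) {
      if (!name.startsWith('i18n-')) continue;
      const target = name.slice('i18n-'.length);
      if (!SENSITIVE.has(target)) continue;
      const plain = attrs.get(target);
      // Conservative: interpolation, property binding and attribute binding
      // on the same attribute are all reported.
      const bound =
        (plain !== undefined && plain.includes('{{')) ||
        attrs.has(`[${target}]`) ||
        attrs.has(`[attr.${target}]`) ||
        attrs.has(`bind-${target}`);
      if (bound) {
        const line = template.slice(0, tag.index).split('\n').length;
        findings.push({ element: tag[1], attribute: target, line });
      }
    }
  }
  return findings;
}

// Constructed sample template, one element per line.
const SAMPLE_TEMPLATE = [
  '<a href="{{ profileUrl }}" i18n-href>Profile</a>',        // flagged
  '<a href="/help" i18n-href>Help</a>',                      // static value
  '<a [href]="profileUrl">Profile</a>',                      // no i18n marker
  '<img [attr.src]="avatar" i18n-src i18n-alt alt="Avatar">', // flagged (src)
  '<p i18n-title title="{{ tip }}">Hint</p>',                // not in the list
].join('\n');

console.log(findRiskyI18nBindings(SAMPLE_TEMPLATE));
```

A finding is a prompt to review the binding's data source and to upgrade to a patched release; it does not prove exploitability.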
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @angular/core (npm) | >= 22.0.0-next.0, < 22.0.0-next.3 | 22.0.0-next.3 |
| @angular/core (npm) | >= 21.0.0-next.0, < 21.2.4 | 21.2.4 |
| @angular/core (npm) | >= 20.0.0-next.0.0.0, < 20.3.18 | 20.3.18 |
| @angular/core (npm) | >= 19.0.0-next.0, < 19.2.20 | 19.2.20 |
| @angular/core (npm) | >= 17.0.0-next.0, <= 18.2.14 | — |
| @angular/compiler (npm) | >= 22.0.0-next.0, < 22.0.0-next.3 | 22.0.0-next.3 |
| @angular/compiler (npm) | >= 21.0.0-next.0, < 21.2.4 | 21.2.4 |
| @angular/compiler (npm) | >= 20.0.0-next.0.0.0, < 20.3.18 | 20.3.18 |
| @angular/compiler (npm) | >= 19.0.0-next.0, < 19.2.20 | 19.2.20 |
| @angular/compiler (npm) | >= 17.0.0-next.0, <= 18.2.14 | — |
Affected products
- cpe:2.3:a:angular:angular_cli:*:*:*:*:*:*:*:* (range: >=17.0.0,<19.2.0)
- cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:*:*:*
- cpe:2.3:a:angular:angular_cli:22.0.0:next1:*:*:*:*:*:*
- ghsa-coords (no CPE), range: >= 22.0.0-next.0, < 22.0.0-next.3
References
- github.com/angular/angular/pull/67541 (nvd; Issue Tracking, Patch; WEB)
- github.com/angular/angular/pull/67561 (nvd; Issue Tracking, Patch; WEB)
- github.com/advisories/GHSA-g93w-mfhg-p222 (ghsa; ADVISORY)
- github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222 (nvd; Vendor Advisory, Mitigation; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-32635 (ghsa; ADVISORY)
- github.com/angular/angular/commit/224e60ecb1b90115baa702f1c06edc1d64d86187 (ghsa; WEB)
- github.com/angular/angular/commit/78dea55351fb305b33a919c43a6b363137eca166 (ghsa; WEB)
- github.com/angular/angular/commit/8630319f74c9575a21693d875cc7d5252516146d (ghsa; WEB)
- github.com/angular/angular/commit/ed2d324f9cc12aab6cfa0569ef10b73243a62c65 (ghsa; WEB)