CVE-2026-32635
Published: 16 March 2026
Summary
CVE-2026-32635 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Angular Angular Cli. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32635 is a cross-site scripting (XSS) vulnerability in the Angular runtime and compiler, affecting the open-source development platform for building mobile and desktop web applications using TypeScript, JavaScript, and other languages. The issue impacts Angular versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. It arises when an application uses a security-sensitive attribute, such as href on an anchor tag, together with Angular's attribute internationalization feature, i.e. when the template adds a matching i18n-<attribute> attribute (for example i18n-href). That configuration bypasses Angular's built-in sanitization, so a data binding of the attribute to untrusted user-generated data allows malicious script injection. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-79.
An attacker can exploit this vulnerability if they can influence data bound to the affected attribute in an Angular application that has internationalization enabled on security-sensitive attributes. Exploitation requires low privileges (PR:L), such as an authenticated user, and user interaction (UI:R), such as clicking a malicious link. Successful exploitation allows the attacker to inject and execute arbitrary scripts in the context of the victim's browser with changed scope (S:C), potentially leading to high impacts on confidentiality, integrity, and availability, including theft of sensitive data, session hijacking, or full application compromise.
The Angular security advisory (GHSA-g93w-mfhg-p222) and associated pull requests (#67541 and #67561) confirm the vulnerability has been fixed in Angular versions 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. Security practitioners should advise developers to upgrade to these patched versions immediately and review applications for improper use of i18n on sensitive attributes bound to untrusted inputs, disabling internationalization on such attributes where possible as an interim measure.
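The review step recommended above can be partly automated. The following is an added example, not code from the Angular project or from the advisory: a small audit over Angular template text that reports every element carrying an i18n-<attribute> attribute for a security-sensitive attribute, and whether that attribute is data-bound (property binding, bind- prefix, or {{ }} interpolation). The list of sensitive attributes beyond href, the regular expressions, and the sample template are assumptions constructed for the example.

```typescript
// Added example (not Angular project code): audit Angular templates for the
// CVE-2026-32635 pattern, a security-sensitive attribute that is data-bound
// and also internationalized via i18n-<attribute> on the same element.

// Attributes treated as security-sensitive. href is the attribute named in the
// advisory; the others are an assumption based on the contexts Angular normally
// sanitizes (URLs, resource URLs, HTML, styles).
const SENSITIVE_ATTRS = ['href', 'src', 'srcdoc', 'xlink:href', 'formaction', 'innerhtml', 'style'];

interface Finding {
  line: number;      // 1-based line of the opening tag
  tag: string;       // element name
  attribute: string; // the sensitive attribute being internationalized
  bound: boolean;    // true when the attribute's value comes from a data binding
}

// One opening tag with its attribute text (good enough for Angular templates,
// not a full HTML parser).
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// One attribute: a name, optionally followed by a quoted or bare value.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttributes(attrText: string): Record<string, string> {
  const attrs: Record<string, string> = {};
  ATTR_RE.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    // Names are compared case-insensitively; values keep their original text.
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Angular's ways of binding a dynamic value into an attribute or property.
function isBound(attrs: Record<string, string>, name: string): boolean {
  const bindingForms = ['[' + name + ']', '[attr.' + name + ']', 'bind-' + name, 'bind-attr.' + name];
  for (const form of bindingForms) {
    if (attrs[form] !== undefined) return true;
  }
  const staticValue = attrs[name];
  return staticValue !== undefined && staticValue.indexOf('{{') !== -1; // interpolation
}

function auditTemplate(template: string): Finding[] {
  const findings: Finding[] = [];
  TAG_RE.lastIndex = 0;
  let tagMatch: RegExpExecArray | null;
  while ((tagMatch = TAG_RE.exec(template)) !== null) {
    const attrs = parseAttributes(tagMatch[2]);
    const line = template.slice(0, tagMatch.index).split('\n').length;
    for (const name of Object.keys(attrs)) {
      if (name.indexOf('i18n-') !== 0) continue;
      const target = name.slice('i18n-'.length);
      if (SENSITIVE_ATTRS.indexOf(target) === -1) continue;
      findings.push({ line, tag: tagMatch[1], attribute: target, bound: isBound(attrs, target) });
    }
  }
  return findings;
}

function formatFindings(findings: Finding[]): string[] {
  return findings.map(f =>
    `line ${f.line}: <${f.tag}> internationalizes "${f.attribute}" ` +
    (f.bound ? '(DATA-BOUND: review where the value comes from)' : '(static value: lower risk)'));
}

// Constructed sample template (not taken from any real application).
const SAMPLE_TEMPLATE = `<nav>
  <a href="/docs" i18n-title title="Docs">Docs</a>
  <a [href]="profile.website" i18n-href="@@websiteLink" i18n>Website</a>
  <img src="{{ avatarUrl }}" i18n-src alt="avatar">
  <a href="https://example.invalid/help" i18n-href="@@helpLink">Help</a>
  <a [href]="safeLink" i18n="@@safe">Safe</a>
</nav>`;

for (const report of formatFindings(auditTemplate(SAMPLE_TEMPLATE))) {
  console.log(report);
}
```

On the sample, the audit flags the anchor with [href] plus i18n-href and the image whose src is interpolated, both as data-bound, and the static help link as lower risk; the `i18n-title` element and the anchor that uses plain `i18n` are not reported. Data-bound findings are the ones to remove or to feed only with values validated in the component.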
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12140
Vulnerability details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in a public-facing Angular web application directly enables exploitation of the vulnerability for initial access (T1190, Exploit Public-Facing Application); the sanitization bypass then allows arbitrary JavaScript execution in the victim's browser (T1059.007, Command and Scripting Interpreter: JavaScript).
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): Timely remediation through patching Angular to the fixed versions (22.0.0-next.3, 21.2.4, 20.3.18, 19.2.20) directly eliminates the sanitization bypass in i18n-enabled security-sensitive attributes.
SI-15 (Information Output Filtering): Output filtering enforces sanitization and encoding of data bound to security-sensitive attributes such as href, preventing malicious script injection even where Angular's own sanitization is bypassed by the i18n feature.
SI-10 (Information Input Validation): Input validation restricts untrusted user-generated data to safe formats before it is bound to Angular attributes, so that XSS payloads never reach a vulnerable i18n configuration.
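The input-validation and output-filtering controls above amount to validating a user-supplied URL in the component before it is bound, so that the template never sees a value that depends on Angular's own sanitizer. The following is an added example, not code from the Angular project: a scheme allow-list check for href values, run through WHATWG URL parsing so that whitespace-padded or mixed-case scheme variants are classified by their real scheme. The allowed scheme list, the placeholder base origin, the rejection value, and the sample inputs are assumptions made for the example.

```typescript
// Added example (not Angular project code): an allow-list check applied in the
// component before a user-supplied URL is bound to [href], so the value reaching
// the template is already safe even where Angular's own sanitization is bypassed
// by i18n-href. This is an interim measure; the fix is upgrading to a patched version.

// URL schemes a link is allowed to use (assumption; tighten for your application).
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:', 'tel:'];
// Neutral value bound in place of a rejected URL (assumption).
const REJECTED_HREF = 'about:blank';

// WHATWG URL parsing normalizes the input the way a browser would: leading and
// trailing whitespace is dropped, embedded tabs and newlines are removed, and the
// scheme is lower-cased, so a disguised scheme is classified by what it really is.
function parseUrl(raw: string, base: string): URL | null {
  try {
    return new URL(raw, base);
  } catch {
    return null; // unparseable input is rejected rather than passed through
  }
}

// Returns the caller's URL (trimmed) when its scheme is allowed, else REJECTED_HREF.
// Relative URLs resolve against `base`, a placeholder origin used only for
// classification (assumption: relative links are served from the app's own origin).
function safeHref(raw: string, base: string = 'https://app.invalid/'): string {
  const parsed = parseUrl(raw, base);
  if (parsed === null) return REJECTED_HREF;
  return ALLOWED_SCHEMES.indexOf(parsed.protocol) !== -1 ? raw.trim() : REJECTED_HREF;
}

// Usage sketch inside a component, keeping raw user data out of the template:
//   this.websiteHref = safeHref(profile.website);
//   template: <a [href]="websiteHref" i18n-href="@@websiteLink">Website</a>

// Constructed sample inputs (not real data).
const SAMPLE_INPUTS = [
  'https://example.org/profile',
  '/account/settings',
  'mailto:help@example.org',
  '  JavaScript:void(0)',
  'data:text/plain,hello',
  'https://exa mple.org',
];
for (const input of SAMPLE_INPUTS) {
  console.log(JSON.stringify(input), '->', safeHref(input));
}
```

The check is deliberately a positive allow-list on the parsed scheme rather than a search for known-bad prefixes: a block-list would have to anticipate every casing and whitespace variant, whereas the URL parser reduces all of them to one canonical scheme before the comparison.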