CVE-2026-32635

Severity: High
Published: 16 March 2026
Modified: 30 April 2026
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS v4.0 base score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS: 0.0034 (25.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32635 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the Angular runtime and compiler (the listing also tags Angular CLI). Its CVSS v4.0 base score is 8.6 (High); the advisory's CVSS v3.1 score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32635 is a cross-site scripting (XSS) vulnerability in the Angular runtime and compiler. Angular is an open-source development platform for building mobile and desktop web applications in TypeScript, JavaScript, and other languages. The issue affects Angular versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. It arises when a template uses a security-sensitive attribute, such as href on an anchor tag, and also marks that attribute for translation with Angular's attribute internationalization feature by adding an i18n-<attribute> attribute to the same element (for href, i18n-href). In that configuration the translated attribute value is written without passing through Angular's built-in sanitization for that attribute, so when the attribute is data-bound to untrusted, user-generated data an attacker can inject a malicious script; for href the classic case is a javascript: URL. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) and is classified as CWE-79.

An attacker can exploit this vulnerability if they can influence data bound to the affected attribute in an Angular application that has internationalization enabled on security-sensitive attributes. Exploitation requires low privileges (PR:L), such as an authenticated user, and user interaction (UI:R), such as clicking a malicious link. Successful exploitation allows the attacker to inject and execute arbitrary scripts in the context of the victim's browser with changed scope (S:C), potentially leading to high impacts on confidentiality, integrity, and availability, including theft of sensitive data, session hijacking, or full application compromise.

The Angular security advisory (GHSA-g93w-mfhg-p222) and associated pull requests (#67541 and #67561) confirm the vulnerability has been fixed in Angular versions 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. Security practitioners should advise developers to upgrade to these patched versions immediately and review applications for improper use of i18n on sensitive attributes bound to untrusted inputs, disabling internationalization on such attributes where possible as an interim measure.
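The review step above can be partly automated. The following TypeScript is an added example written for this page, not Angular's code or anything from the advisory: it scans template text for an element that carries an i18n-<attribute> marker on a security-sensitive attribute while that same attribute is given a dynamic value (a property binding such as [href] or bind-href, an attribute binding such as [attr.href], or an interpolation such as href="{{ ... }}"). The set of sensitive attributes and the sample template are assumptions constructed for the example; a static literal such as href="/about" is not reported because it is not bound to untrusted data.

```typescript
// Added audit helper (not Angular's code): flag elements where a
// security-sensitive attribute is both marked for translation with
// i18n-<attribute> and given a dynamic value, the combination that
// GHSA-g93w-mfhg-p222 describes.

// Attributes treated as security-sensitive. This set is an assumption made
// for the audit (URL-bearing attributes); extend it from Angular's
// SECURITY_SCHEMA if your templates bind other sensitive attributes.
const SENSITIVE_ATTRS: ReadonlySet<string> = new Set([
  "href", "src", "srcdoc", "srcset", "formaction", "action",
  "xlink:href", "cite", "background", "poster",
]);

interface Finding {
  line: number;    // 1-based line of the element's start tag
  tag: string;     // element name, e.g. "a"
  attr: string;    // sensitive attribute carrying an i18n- marker, e.g. "href"
  binding: string; // dynamic form found, e.g. "[href]" or 'href="{{...}}"'
}

// Start tags, tolerating ">" inside quoted attribute values.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
// name, name="value", name='value' or name=value inside a start tag body.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Dynamic forms recognised: property binding [attr] / bind-attr, attribute
// binding [attr.attr] / bind-attr.attr, and interpolation attr="{{ expr }}".
// A plain literal (href="/about") is not bound to untrusted data, so null.
function findBinding(attrs: Map<string, string>, attr: string): string | null {
  const boundForms = [`[${attr}]`, `bind-${attr}`, `[attr.${attr}]`, `bind-attr.${attr}`];
  for (const form of boundForms) {
    if (attrs.has(form)) return form;
  }
  const literal = attrs.get(attr);
  if (literal !== undefined && /\{\{[\s\S]*?\}\}/.test(literal)) {
    return `${attr}="{{...}}"`;
  }
  return null;
}

function auditTemplate(template: string): Finding[] {
  const findings: Finding[] = [];
  TAG_RE.lastIndex = 0;
  let tag: RegExpExecArray | null;
  while ((tag = TAG_RE.exec(template)) !== null) {
    const line = template.slice(0, tag.index).split("\n").length;
    const attrs = new Map<string, string>();
    ATTR_RE.lastIndex = 0;
    let a: RegExpExecArray | null;
    while ((a = ATTR_RE.exec(tag[2])) !== null) {
      attrs.set(a[1], a[2] ?? a[3] ?? a[4] ?? "");
    }
    for (const name of Array.from(attrs.keys())) {
      if (!name.startsWith("i18n-")) continue;
      const target = name.slice("i18n-".length);
      if (!SENSITIVE_ATTRS.has(target)) continue;
      const binding = findBinding(attrs, target);
      if (binding !== null) findings.push({ line, tag: tag[1], attr: target, binding });
    }
  }
  return findings;
}

// Constructed sample template (not taken from any real application).
const SAMPLE_TEMPLATE = `
<nav>
  <a [href]="ctaUrl" i18n-href="@@cta.link">Go</a>
  <a [href]="ctaUrl">Go</a>
  <a href="/about" i18n-href="@@about.link">About</a>
  <img src="{{ profile.avatarUrl }}" i18n-src alt="avatar">
  <span title="{{ user.name }}" i18n-title>{{ user.name }}</span>
</nav>
`;

for (const f of auditTemplate(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.tag}> marks i18n-${f.attr} and binds it via ${f.binding}; review the bound data`);
}
```

On the sample, only the first anchor (property binding plus i18n-href) and the image (interpolated src plus i18n-src) are reported; the anchor without an i18n- marker goes through Angular's normal sanitization, and the title attribute is not in the sensitive set. Run the function over every *.component.html and inline template string in the project; each hit is a candidate for dropping the i18n- marker from that attribute or validating the bound value until the upgrade lands. The scanner is regex-based and biased toward flagging, which is the right bias for a one-off audit.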

Vulnerability details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

XSS in a public-facing Angular web application maps to T1190, exploitation of the vulnerability for initial access; the sanitization bypass yields arbitrary JavaScript execution in the victim's browser, which is T1059.007.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26907 (shared CWE-79)
CVE-2025-69084 (shared CWE-79)
CVE-2025-69048 (shared CWE-79)
CVE-2025-22567 (shared CWE-79)
CVE-2025-69324 (shared CWE-79)
CVE-2026-1841 (shared CWE-79)
CVE-2025-26588 (shared CWE-79)
CVE-2025-23850 (shared CWE-79)
CVE-2025-23643 (shared CWE-79)
CVE-2025-23616 (shared CWE-79)

Affected Assets

angular
angular cli
Affected: every release before 22.0.0-next.3, 21.2.4, 20.3.18 and 19.2.20 on its respective line. The listing's own range labels (22.0.0 · 17.0.0 — 19.2.0 · 20.0.0 — 20.3.18 · 21.0.0 — 21.2.4) overlap the fixed versions and do not match the advisory; use the fixed versions from the advisory as the cut-off.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely remediation by patching Angular to a fixed version (22.0.0-next.3, 21.2.4, 20.3.18, 19.2.20) removes the sanitization bypass for i18n-enabled security-sensitive attributes; this is the only control that fixes the defect itself.

SI-15 Information Output Filtering (prevent)

Output filtering enforces sanitization and encoding of data bound to security-sensitive attributes like href at the point of output, so a malicious value is neutralized even where Angular's i18n handling skips its own sanitizer.

SI-10 Information Input Validation (prevent)

Input validation restricts untrusted user-generated data to safe formats (for href, an allow-list of schemes and shapes) before it is bound to Angular attributes, so an XSS payload does not reach a vulnerable i18n configuration in the first place.
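Input validation of the kind described here, as an added TypeScript example (not Angular's code): a component can pass a user-supplied link through an allow-list check before storing it in the property that the template binds to href. The check accepts only http and https URLs and same-origin paths and rejects everything else, so a javascript:, data: or vbscript: value never reaches the binding whether or not the sanitizer runs. The placeholder base origin and the sample inputs are constructed for the example. This is defence in depth, not a fix; the fixed Angular versions listed above remain the remediation.

```typescript
// Added defence-in-depth helper (not Angular's code): allow-list validation
// of a user-supplied link before it is assigned to a component property that
// a template binds to href. It does not repair the i18n sanitization bypass;
// it guarantees that whatever reaches the binding has no script-executing scheme.

const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["http:", "https:"]);
// Used only to resolve relative paths; the host name is a placeholder.
const RESOLVE_BASE = "https://placeholder.invalid";

// Returns a normalised link, or null when the input must be rejected.
function validateLinkTarget(raw: string): string | null {
  const s = raw.trim();
  if (s.length === 0) return null;
  // Browsers drop ASCII tab/newline while parsing, so "java\nscript:" turns
  // into "javascript:". Refuse control characters instead of normalising them.
  if (/[\u0000-\u001f\u007f]/.test(s)) return null;
  let url: URL;
  try {
    url = new URL(s, RESOLVE_BASE); // WHATWG parser, same rules as the browser
  } catch {
    return null; // unparseable input is rejected, not "cleaned up"
  }
  // url.protocol is lower-cased by the parser, so "JAVASCRIPT:" is caught too.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.origin === RESOLVE_BASE) {
    // Relative input: return the path form, not the placeholder origin.
    return url.pathname + url.search + url.hash;
  }
  return url.href; // absolute http(s) URL, normalised
}

// Constructed inputs (not from any incident), including the kinds of value
// an href sanitization bypass would otherwise let through to the DOM.
const SAMPLE_LINKS: string[] = [
  "/profile/42?tab=posts#top",
  "https://example.com/docs",
  "HTTPS://Example.COM/Docs",
  "javascript:alert(document.cookie)",
  "  JAVASCRIPT:alert(1)  ",
  "java\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:msgbox(1)",
  "mailto:someone@example.com",
  "",
];

for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), "->", validateLinkTarget(link));
}
```

Store the return value, never the raw input, in the component property the template binds; a null result should surface as a validation error to the user rather than fall back to the raw string. Because the check is on the scheme and not on the presence of the string "javascript", case changes, leading whitespace and embedded tabs or newlines are all handled by the same two lines.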
