Web apps are at risk from an Angular XSS vulnerability: a serious Cross-Site Scripting (XSS) flaw in the popular Angular framework, tracked as CVE-2026-32635 and classified under CWE-79.
It affects both the @angular/compiler and @angular/core packages, and it could expose a huge number of enterprise and consumer web apps around the world that are built on Angular. The problem lies in how Angular handles internationalization (i18n) for security-sensitive HTML attributes. Angular ships with a strong built-in sanitization mechanism that automatically cleans harmful input to block code injection.
But security researchers found that this important protection does not apply when an app enables internationalization for a sensitive attribute. Adding i18n-href to an anchor tag, for instance, tells the framework to process that attribute for translation.
If a developer also binds untrusted, user-generated data to that localized attribute, an attacker can inject harmful scripts: the i18n marking unintentionally causes the framework to skip its normal security checks. href, src, action, formaction, and data are among the most common attributes affected by this bypass.
Exploiting this weakness requires certain conditions to be in place: the targeted application must run a known-vulnerable Angular version and bind unsanitized user input to a sensitive attribute. Use the i18n-
This level of access carries serious security risks:
Session Hijacking: Attackers can easily steal session cookies and authentication tokens.
Data Exfiltration: Maliciously injected scripts can quietly collect sensitive user data and send it to external command-and-control servers.
Unauthorized Actions: Attackers can make the app perform harmful or administrative actions on behalf of the affected user.
Affected versions and patches
The Angular development team has released security updates for several release tracks, but older version branches without an official patch remain exposed. In the @angular/compiler and @angular/core packages, versions from 22.0.0-next.0 up to, but not including, 22.0.0-next.3 are vulnerable; the fix landed in 22.0.0-next.3. Versions 21.0.0-next.0 through 21.2.4 are affected; a fix is available in 21.2.4.
Versions 20.0.0-next.0 through 20.3.18 are also vulnerable; a patch is available in 20.3.18. Versions 19.0.0-next.0 through 19.2.20 are affected; 19.2.20 carries the fix. Versions 17.0.0-next.0 through 18.2.14 are vulnerable, and no patch is available for them at this time.
The best way to protect your infrastructure is to update your Angular app to one of the patched versions listed above, which are available from Angular's official GitHub releases. If upgrading right away is not possible, development teams must ensure that any data bound to the affected attributes never comes from untrusted sources such as database queries, API responses, or URL parameters. Developers can also use Angular's DomSanitizer to enforce sanitization manually.
By explicitly sanitizing the data before it reaches the Document Object Model (DOM), applications can neutralize injected scripts even when the internationalization bypass is triggered.
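As an added triage aid (example code written for this page, not Angular's or the advisory's own), the following TypeScript scans a template string for the pattern described above: a sensitive attribute that is both marked with an i18n- prefix and bound to dynamic data. The attribute set, the regular expressions and the sample template are assumptions made here; it is a heuristic to find places that need review, not a substitute for upgrading.

```typescript
// Added audit helper (example code, not Angular's own): flags template elements
// that mark a security-sensitive attribute for i18n AND bind it dynamically,
// the combination this advisory describes. Regex-based, for triage only.

// Attributes the advisory names as subject to the bypass (assumed complete here).
const SENSITIVE_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'data']);

interface Finding {
  line: number;    // 1-based line of the start tag in the template
  tag: string;     // element name, e.g. "a" or "img"
  attr: string;    // sensitive attribute that is both i18n-marked and bound
  snippet: string; // the start tag as written
}

// True if `attr` is set from data rather than a literal: [attr]="…", bind-attr="…"
// or attr="{{ … }}". The lookbehind keeps "i18n-href" from counting as "href".
function isDynamicBinding(attrs: string, attr: string): boolean {
  const property = new RegExp(`(?:\\[${attr}\\]|bind-${attr})\\s*=`, 'i');
  const interpolation = new RegExp(`(?<![\\w-])${attr}\\s*=\\s*["'][^"']*\\{\\{`, 'i');
  return property.test(attrs) || interpolation.test(attrs);
}

function findRiskyI18nBindings(template: string): Finding[] {
  const findings: Finding[] = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let tag: RegExpExecArray | null;
  while ((tag = tagRe.exec(template)) !== null) {
    const [whole, name, attrs] = tag;
    const line = template.slice(0, tag.index).split('\n').length;
    const i18nRe = /\bi18n-([\w-]+)/g;
    let mark: RegExpExecArray | null;
    while ((mark = i18nRe.exec(attrs)) !== null) {
      const attr = mark[1].toLowerCase();
      if (SENSITIVE_ATTRS.has(attr) && isDynamicBinding(attrs, attr)) {
        findings.push({ line, tag: name, attr, snippet: whole.trim() });
      }
    }
  }
  return findings;
}

// Constructed sample template: two risky elements (lines 2 and 4), three that are not.
const SAMPLE_TEMPLATE = `
<a i18n-href="@@docsLink" [href]="userSuppliedUrl">Docs</a>
<a i18n-href="@@homeLink" href="/home">Home</a>
<img i18n-src="@@avatar" src="{{ profile.avatar }}" alt="">
<form i18n-action="@@upload" action="/upload"></form>
<a i18n-title="@@tip" [href]="safeUrl">Static title</a>
`;

for (const f of findRiskyI18nBindings(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.tag}> binds i18n-marked "${f.attr}" -> ${f.snippet}`);
}
```

Every hit is a place where the bound value must either come from a trusted source or pass through DomSanitizer before it reaches the DOM; a literal attribute next to an i18n- marker is not flagged.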