{
  "canonical_id": "angular--CVE-2026-32635",
  "system_id": "angular",
  "display_name": "Angular",
  "category": "frameworks",
  "advisory_mode": "core",
  "title": "Angular vulnerable to XSS in i18n attribute bindings",
  "summary": "A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding `i18n-<attribute>` name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. \n\nThe following example illustrates the issue:\n```html\n<a href=\"{{maliciousUrl}}\" i18n-href>Click me</a>\n```\n\nThe following attributes have been confirmed to be vulnerable:\n- `action`\n- `background`\n- `cite`\n- `codebase`\n- `data`\n- `formaction`\n- `href`\n- `itemtype`\n- `longdesc`\n- `poster`\n- `src`\n- `xlink:href`\n\n### Impact\nWhen exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:\n- Session Hijacking: Stealing session cookies and authentication tokens.\n- Data Exfiltration: Capturing and transmitting sensitive user data.\n- Unauthorized Actions: Performing actions on behalf of the user.\n\n### Attack Preconditions\n1. The application must use a vulnerable version of Angular.\n2. The application must bind unsanitized user input to one of the attributes mentioned above.\n3. The bound value must be marked for internationalization via the presence of a `i18n-<name>` attribute on the same element.\n\n### Patches\n- 22.0.0-next.3\n- 21.2.4\n- 20.3.18\n- 19.2.20\n\n### Workarounds\nThe primary workaround is to ensure that any data bound to the vulnerable attributes is **never sourced from untrusted user input** (e.g., database, API response, URL parameters) until the patch is applied, or when it is, it shouldn't be marked for internationalization.\n\nAlternatively, users can explicitly sanitize their attributes by passing them through Angular's `DomSanitizer`:\n```ts\nimport {Component, inject, SecurityContext} from '@angular/core';\nimport {DomSanitizer} from '@angular/platform-browser';\n\n@Component({\n  template: `\n    <form action=\"{{url}}\" i18n-action>\n      <button>Submit</button>\n    </form>\n  `,\n})\nexport class App {\n  url: string;\n\n  constructor() {\n    const dangerousUrl = 'javascript:alert(1)';\n    const sanitizer = inject(DomSanitizer);\n    this.url = sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';\n  }\n}\n```\n\n### References\n- [Fix 1](https://github.com/angular/angular/pull/67541) \n- [Fix 2](https://github.com/angular/angular/pull/67561)",
  "published_at": "2026-03-13T20:56:18Z",
  "updated_at": "2026-03-17T01:31:35.828211Z",
  "severity": "medium",
  "cvss_score": 4.0,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222",
  "secondary_source_urls": [
    "https://nvd.nist.gov/vuln/detail/CVE-2026-32635",
    "https://github.com/angular/angular/pull/67541",
    "https://github.com/angular/angular/pull/67561",
    "https://github.com/angular/angular/commit/224e60ecb1b90115baa702f1c06edc1d64d86187",
    "https://github.com/angular/angular/commit/78dea55351fb305b33a919c43a6b363137eca166",
    "https://github.com/angular/angular/commit/8630319f74c9575a21693d875cc7d5252516146d",
    "https://github.com/angular/angular/commit/ed2d324f9cc12aab6cfa0569ef10b73243a62c65",
    "https://github.com/angular/angular"
  ],
  "aliases": [
    "CVE-2026-32635",
    "GHSA-g93w-mfhg-p222"
  ],
  "cve_ids": [
    "CVE-2026-32635"
  ],
  "ghsa_ids": [
    "GHSA-g93w-mfhg-p222"
  ],
  "osv_ids": [
    "GHSA-g93w-mfhg-p222"
  ],
  "affected_versions": [
    "introduced=22.0.0-next.0, fixed<22.0.0-next.3",
    "introduced=21.0.0-next.0, fixed<21.2.4",
    "introduced=20.0.0-next.0.0.0, fixed<20.3.18",
    "introduced=19.0.0-next.0, fixed<19.2.20",
    "introduced=17.0.0-next.0, last_affected=18.2.14"
  ],
  "fixed_versions": [
    "22.0.0-next.3",
    "21.2.4",
    "20.3.18",
    "19.2.20"
  ],
  "package_name": "@angular/core",
  "render_markdown": true,
  "case_path": "07-framework-security/frameworks/angular/cases/angular-cve-2026-32635.md",
  "secure_code_topics": [
    "xss-output-encoding",
    "template-injection-guard",
    "csp-trusted-types",
    "token-cookie-storage"
  ],
  "status": "generated",
  "triage_reasons": [],
  "verification_status": "triage-manual",
  "verification_mode": "synthetic",
  "last_verified_at": null,
  "last_run_id": null,
  "evidence_bundle": null,
  "historical_status": null,
  "latest_status": null,
  "browser_evidence": {
    "required": false,
    "present": false,
    "refs": []
  },
  "repro_profile_id": "xss-generic",
  "artifact_mode": "synthetic",
  "blocked_reason": null,
  "metadata": {
    "source_names": [
      "OSV Angular"
    ],
    "source_kinds": [
      "osv-batch"
    ],
    "candidate_count": 2
  }
}