{"id":"CVE-2026-32635","summary":"Angular has XSS in i18n attribute bindings","details":"Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding the corresponding i18n-\u003cattribute\u003e attribute bypasses Angular's built-in sanitization mechanism; when this is combined with a data binding to untrusted user-generated data, it can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.","aliases":["GHSA-g93w-mfhg-p222"],"modified":"2026-04-10T05:43:04.651308Z","published":"2026-03-13T20:58:12.554Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32635.json","cwe_ids":["CWE-79"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32635.json"},{"type":"ADVISORY","url":"https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32635"},{"type":"FIX","url":"https://github.com/angular/angular/pull/67541"},{"type":"FIX","url":"https://github.com/angular/angular/pull/67561"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/angular/angular","events":[{"introduced":"62676269d207db80576052d080b756e938be97ea"},{"fixed":"4cbc1a1d87e2b2a5d9447bb74ca26bc2d83f16ec"}],"database_specific":{"versions":[{"introduced":"22.0.0-next.0"},{"fixed":"22.0.0-next.3"}]}},{"type":"GIT","repo":"https://github.com/angular/angular","events":[{"
introduced":"a0ee6bdfe4102357dd231bcf02f5ff4d44fb585c"},{"fixed":"8017617fd96c2e891b181aca1e6038ba6268bd4c"}],"database_specific":{"versions":[{"introduced":"21.0.0-next.0"},{"fixed":"21.2.4"}]}},{"type":"GIT","repo":"https://github.com/angular/angular","events":[{"introduced":"ab2ee22c3d1a80b7ffe2c74c988dbd2503305b70"},{"fixed":"cef3164f97c3b9308d3d9b9893e1487558696f5a"}],"database_specific":{"versions":[{"introduced":"20.0.0-next.0"},{"fixed":"20.3.18"}]}},{"type":"GIT","repo":"https://github.com/angular/angular","events":[{"introduced":"77504f18afd4ff0bacf35599ab4f85892cc92048"},{"fixed":"2c51d98dd4ed3cc0ad427e2e2b26f3434785ae19"}],"database_specific":{"versions":[{"introduced":"17.0.0.next.0"},{"fixed":"19.2.20"}]}}],"versions":["17.0.0-next.0","17.0.0-next.1","17.0.0-next.2","17.0.0-next.3","17.0.0-next.4","17.0.0-next.5","17.0.0-next.6","17.0.0-next.7","17.1.0-next.0","17.1.0-next.1","17.1.0-next.2","17.1.0-next.3","17.1.0-next.4","17.1.0-next.5","17.2.0-next.0","17.2.0-next.1","17.3.0-next.0","17.3.0-next.1","18.0.0-next.0","18.0.0-next.1","18.0.0-next.2","18.0.0-next.3","18.0.0-next.4","18.0.0-next.5","18.1.0-next.0","18.1.0-next.1","18.1.0-next.2","18.1.0-next.3","18.1.0-next.4","18.2.0-next.0","18.2.0-next.1","18.2.0-next.2","18.2.0-next.3","18.2.0-next.4","19.0.0-next.0","19.0.0-next.1","19.0.0-next.10","19.0.0-next.2","19.0.0-next.3","19.0.0-next.4","19.0.0-next.5","19.0.0-next.6","19.0.0-next.7","19.0.0-next.8","19.0.0-next.9","19.1.0-next.0","19.1.0-next.1","19.1.0-next.2","19.1.0-next.3","19.1.0-next.4","19.2.0","19.2.0-next.0","19.2.0-next.1","19.2.0-next.2","19.2.0-next.3","19.2.0-rc.0","19.2.1","19.2.10","19.2.11","19.2.12","19.2.13","19.2.14","19.2.15","19.2.16","19.2.17","19.2.2","19.2.3","19.2.4","19.2.5","19.2.6","19.2.7","19.2.8","19.2.9","20.0.0-next.0","20.0.0-next.1","20.0.0-next.2","20.0.0-next.3","20.0.0-next.4","20.0.0-next.5","20.0.0-next.6","20.0.0-next.7","20.0.0-next.8","20.1.0-next.0","20.1.0-next.1","20.1.0-next.2","20.1.0-next.3",
"20.2.0","20.2.0-next.0","20.2.0-next.1","20.2.0-next.2","20.2.0-next.3","20.2.0-next.4","20.2.0-next.5","20.2.0-next.6","20.2.0-rc.0","20.2.0-rc.1","20.2.1","20.2.2","20.2.3","20.2.4","20.3.0","20.3.0-rc.0","20.3.1","20.3.10","20.3.11","20.3.12","20.3.13","20.3.14","20.3.15","20.3.2","20.3.3","20.3.4","20.3.5","20.3.6","20.3.7","20.3.8","20.3.9","21.0.0-next.0","21.0.0-next.1","21.0.0-next.2","21.0.0-next.3","21.0.0-next.4","21.0.0-next.5","21.0.0-next.6","21.0.0-next.7","21.0.0-next.8","21.1.0-next.0","21.1.0-next.1","v19.2.18","v19.2.19","v20.3.16","v20.3.17","v21.1.0-next.2","v21.1.0-next.3","v21.1.0-next.4","v21.2.0","v21.2.0-next.0","v21.2.0-next.1","v21.2.0-next.2","v21.2.0-next.3","v21.2.0-rc.0","v21.2.1","v21.2.2","v21.2.3","v22.0.0-next.0","v22.0.0-next.1","v22.0.0-next.2","vsix-21.2.0","vsix-21.2.1","vsix-21.2.2","vsix-21.2.3","zone.js-0.13.2","zone.js-0.13.3","zone.js-0.14.0","zone.js-0.14.1","zone.js-0.14.10","zone.js-0.14.2","zone.js-0.14.3","zone.js-0.14.4","zone.js-0.14.5","zone.js-0.14.6","zone.js-0.14.7","zone.js-0.14.8","zone.js-0.15.0","zone.js-0.15.1","zone.js-0.16.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32635.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}