{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "22.0.0-next.0" }, { "fixed": "22.0.0-next.3" } ] }, "events": [ { "introduced": "62676269d207db80576052d080b756e938be97ea" }, { "fixed": "4cbc1a1d87e2b2a5d9447bb74ca26bc2d83f16ec" } ], "repo": "https://github.com/angular/angular", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "21.0.0-next.0" }, { "fixed": "21.2.4" } ] }, "events": [ { "introduced": "a0ee6bdfe4102357dd231bcf02f5ff4d44fb585c" }, { "fixed": "8017617fd96c2e891b181aca1e6038ba6268bd4c" } ], "repo": "https://github.com/angular/angular", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "20.0.0-next.0" }, { "fixed": "20.3.18" } ] }, "events": [ { "introduced": "ab2ee22c3d1a80b7ffe2c74c988dbd2503305b70" }, { "fixed": "cef3164f97c3b9308d3d9b9893e1487558696f5a" } ], "repo": "https://github.com/angular/angular", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "17.0.0.next.0" }, { "fixed": "19.2.20" } ] }, "events": [ { "introduced": "77504f18afd4ff0bacf35599ab4f85892cc92048" }, { "fixed": "2c51d98dd4ed3cc0ad427e2e2b26f3434785ae19" } ], "repo": "https://github.com/angular/angular", "type": "GIT" } ] } ], "aliases": [ "GHSA-g93w-mfhg-p222" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32635.json" }, "details": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-\u003cattribute\u003e name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.", "id": "CVE-2026-32635", "modified": "2026-04-01T23:09:45.139491665Z", "published": "2026-03-13T20:58:12.554Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32635.json" }, { "type": "ADVISORY", "url": "https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32635" }, { "type": "FIX", "url": "https://github.com/angular/angular/pull/67541" }, { "type": "FIX", "url": "https://github.com/angular/angular/pull/67561" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Angular has XSS in i18n attribute bindings" }