CVE-2026-32635: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @angular compiler
CVE-2026-32635 is a high-severity Cross-Site Scripting (XSS) vulnerability in the Angular compiler and runtime affecting multiple versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
AI Analysis
Technical Summary
CVE-2026-32635 identifies a Cross-Site Scripting (XSS) vulnerability in the Angular framework's compiler and runtime components, specifically affecting versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. Angular is widely used for building web applications with TypeScript and JavaScript.

The vulnerability stems from improper neutralization of input during web page generation when Angular's internationalization (i18n) feature is applied to security-sensitive HTML attributes such as href on anchor tags. When an i18n-<attribute> marker is added to such an attribute, Angular skips its default sanitization, which normally prevents injection of malicious scripts. If an application binds untrusted user-generated data to these internationalized attributes, an attacker can inject arbitrary JavaScript code, leading to XSS attacks. This can result in session hijacking, credential theft, or execution of malicious actions in the context of the victim's browser. The vulnerability does not require authentication but does require user interaction, such as visiting a maliciously crafted page.

The CVSS 4.0 base score is 8.6 (high severity), reflecting network attack vector, low attack complexity, no privileges required, and partial user interaction. The vulnerability affects multiple Angular versions spanning from 17.0.0-next.0 up to but not including the patched releases. No known exploits have been reported in the wild yet. The issue was publicly disclosed on March 13, 2026, and fixed in the specified versions. Developers are advised to upgrade Angular to these patched versions and review their use of i18n attributes to ensure untrusted data is not bound in a way that bypasses sanitization.
Potential Impact
This vulnerability poses a significant risk to organizations worldwide that develop and deploy web applications using affected Angular versions. Successful exploitation can lead to execution of arbitrary scripts in users’ browsers, enabling theft of sensitive information such as session tokens, personal data, or credentials. It can also facilitate phishing, unauthorized actions on behalf of users, or distribution of malware. The impact extends to the confidentiality, integrity, and availability of web applications and their users’ data. Given Angular’s widespread adoption in enterprise, government, and consumer-facing applications, the scope of affected systems is broad. Attackers can exploit this vulnerability remotely without authentication, increasing the risk of large-scale attacks. Although no exploits are currently known in the wild, the high severity and ease of exploitation make it a critical issue to address promptly. Organizations failing to patch may face reputational damage, regulatory penalties, and operational disruptions if exploited.
Mitigation Recommendations
1. Upgrade Angular to the fixed versions: 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20 as soon as possible to ensure the vulnerability is patched.
2. Audit all uses of Angular's internationalization (i18n) attributes, especially those applied to security-sensitive attributes like href, src, or style, to verify that no untrusted user input is bound in a way that bypasses sanitization.
3. Implement strict Content Security Policy (CSP) headers to restrict execution of unauthorized scripts and mitigate the impact of potential XSS attacks.
4. Employ input validation and output encoding on all user-generated content before binding it to Angular templates, even when using i18n features.
5. Conduct thorough security testing, including automated scanning and manual code review focused on internationalized attributes and data bindings.
6. Educate developers on the risks of bypassing Angular's sanitization mechanisms and best practices for secure internationalization.
7. Monitor web application logs and user reports for suspicious activity indicative of XSS exploitation attempts.
8. Consider using runtime application self-protection (RASP) or web application firewalls (WAF) with rules tuned to detect and block XSS payloads targeting Angular applications.
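The following is an added example written for this entry; it is not code from the advisory, from this page's source, or from the Angular project. It shows one way to carry out recommendations 2 and 4 above in TypeScript: a template audit that flags elements carrying an i18n-<attribute> marker on a security-sensitive attribute while that same attribute is data-bound (the combination the analysis describes as bypassing Angular's sanitizer), plus a scheme allow-list check for URLs that must be bound anyway. The attribute list, the tag and attribute matching heuristic, the sample template, and the base URL are all this example's own assumptions; the heuristic does not handle `>` inside attribute values and is meant as a quick triage pass, not a replacement for Angular's compiler.

```typescript
// Added example, not part of the advisory or of Angular. Audits Angular
// template text for the pattern described in CVE-2026-32635: a
// security-sensitive attribute that is both marked with i18n-<attr> and
// data-bound. Attribute list and matching rules are assumptions made here.

// Assumed list of attributes worth flagging; extend to fit your application.
const SENSITIVE_ATTRS = ['href', 'src', 'style', 'srcdoc', 'formaction', 'action'];

interface Finding {
  line: number;       // 1-based line of the opening tag
  tag: string;        // element name
  attribute: string;  // attribute that is both i18n-marked and bound
  binding: string;    // binding expression (or interpolated value) found
}

// Split a start tag body into attribute name -> value. Handles name="v",
// name='v', name=v and bare names. Does not handle '>' inside values.
function parseAttributes(tagBody: string): Map<string, string> {
  const attrs = new Map<string, string>();
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(tagBody)) !== null) {
    attrs.set(m[1], m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

function lineOf(src: string, index: number): number {
  return src.slice(0, index).split('\n').length;
}

// Scan a template and report every sensitive attribute that is i18n-marked
// and bound via [attr], [attr.attr], bind-attr, or {{ interpolation }}.
function auditTemplate(template: string): Finding[] {
  const findings: Finding[] = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(template)) !== null) {
    const tag = m[1];
    const attrs = parseAttributes(m[2]);
    for (const name of SENSITIVE_ATTRS) {
      if (!attrs.has(`i18n-${name}`)) continue;
      let binding: string | undefined;
      for (const bound of [`[${name}]`, `[attr.${name}]`, `bind-${name}`]) {
        if (attrs.has(bound)) { binding = attrs.get(bound); break; }
      }
      const staticValue = attrs.get(name);
      if (binding === undefined && staticValue !== undefined && /\{\{.*\}\}/.test(staticValue)) {
        binding = staticValue;
      }
      if (binding !== undefined) {
        findings.push({ line: lineOf(template, m.index), tag, attribute: name, binding });
      }
    }
  }
  return findings;
}

// Recommendation 4: if an untrusted URL must reach an i18n-marked attribute,
// enforce the scheme yourself rather than relying on the bypassed sanitizer.
// The base URL is a placeholder so relative paths parse; use your own origin.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeUrlOrFallback(candidate: string, fallback = 'about:blank'): string {
  try {
    const parsed = new URL(candidate.trim(), 'https://app.example.invalid/');
    return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : fallback;
  } catch {
    return fallback;
  }
}

// Constructed sample template (not from any real application). Lines 2 and 4
// should be flagged; line 3 has no i18n marker and line 5 has a static href.
const SAMPLE_TEMPLATE = `
<a i18n-href="@@profileLink" [href]="user.profileUrl">Profile</a>
<a [href]="user.profileUrl">Profile (sanitized by Angular)</a>
<img i18n-src="@@avatarAlt" src="{{ user.avatar }}">
<a i18n-href href="https://example.invalid/help">Help</a>
`;

for (const f of auditTemplate(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.tag}> i18n-${f.attribute} with binding "${f.binding}"`);
}
```

Run the audit over each `.html` template (and inline `template:` strings) in the project; every finding should be resolved either by removing the i18n marker from the bound attribute, by binding only values that passed `safeUrlOrFallback` or an equivalent check, or by confirming the bound value is not user-controlled.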
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, France, Japan, Brazil, Netherlands, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T15:29:36.559Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b47e482f860ef943b3ab77
Added to database: 3/13/2026, 9:14:48 PM
Last enriched: 3/13/2026, 9:29:06 PM
Last updated: 3/13/2026, 10:34:13 PM