CVE-2026-32635: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @angular compiler
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding an i18n-<attribute> marker bypasses Angular's built-in sanitization mechanism, which, when combined with a data binding to untrusted user-generated data, can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
AI Analysis
Machine-generated threat intelligence
Technical Summary
CVE-2026-32635 is a Cross-Site Scripting (XSS) vulnerability identified in the Angular compiler and runtime components prior to versions 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. Angular is a widely used framework for building web applications with TypeScript and JavaScript. The vulnerability occurs when developers enable Angular's internationalization (i18n) feature on a security-sensitive HTML attribute, such as href on an anchor tag, by adding an i18n-<attribute> marker to the element. That marker bypasses the sanitization Angular normally applies to such attributes. When the same attribute is also bound to untrusted user-generated input, an attacker can inject arbitrary JavaScript into the application, leading to XSS.

Such attacks execute malicious scripts in the context of the victim's browser, potentially stealing cookies or session tokens, or performing actions on behalf of the user. The vulnerability does not require authentication but does require user interaction, such as visiting a maliciously crafted page or link. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, partial user interaction, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild yet. The vulnerability is fixed in Angular versions 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, and users are strongly advised to upgrade to these or later versions to mitigate the risk.
Potential Impact
The impact of CVE-2026-32635 is significant for organizations using Angular versions affected by this vulnerability. Successful exploitation allows attackers to execute arbitrary scripts in the context of users' browsers, leading to theft of sensitive information such as authentication tokens, personal data, or session cookies. This can result in account takeover, unauthorized actions, and data breaches. Additionally, injected scripts can manipulate the web application’s content or behavior, potentially damaging the application's integrity and availability. Since Angular is widely adopted for enterprise and consumer-facing web applications globally, the vulnerability could affect a broad range of sectors including finance, healthcare, e-commerce, and government services. The requirement for user interaction means phishing or social engineering could be leveraged to trigger the exploit. The high CVSS score reflects the severe confidentiality, integrity, and availability impacts, emphasizing the need for urgent remediation. Failure to patch could expose organizations to reputational damage, regulatory penalties, and operational disruption.
Mitigation Recommendations
To mitigate CVE-2026-32635, organizations should:
- Immediately upgrade Angular to the fixed versions: 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20, or later.
- Audit codebases for usage of Angular’s internationalization on security-sensitive attributes (e.g., i18n-href) and avoid binding untrusted user input to these attributes.
- Implement strict input validation and sanitization on all user-generated content before binding it to the DOM, even when using Angular’s built-in mechanisms.
- Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS attacks.
- Conduct thorough security testing, including static and dynamic analysis, focusing on internationalization features and attribute bindings.
- Educate developers on secure coding practices related to Angular’s i18n features and the risks of bypassing sanitization.
- Monitor web application logs and user reports for suspicious activity indicative of XSS exploitation attempts.
- Maintain an up-to-date inventory of Angular versions in use to ensure timely patching of future vulnerabilities.
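The codebase audit recommended above can be scripted. The helper below is an added example, not Angular's code and not part of this advisory: it scans Angular template text for elements that pair an i18n-<attribute> marker with a binding to the same security-sensitive attribute, which is the exact combination the advisory describes. The list of sensitive attributes beyond the advisory's href example, and the sample template, are assumptions constructed here.

```javascript
// Added audit helper, not Angular's own code: flags template elements that pair an
// i18n-<attr> marker with a binding to the same security-sensitive <attr>.
// The attribute list beyond the advisory's href example is an assumption.
const SENSITIVE_ATTRS = new Set(['href', 'src', 'srcset', 'xlink:href', 'formaction']);
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;  // opening tags (assumes no '>' inside values)
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;  // name[=value]
// Maps Angular binding syntaxes ([attr.href], [href], bind-href, href="{{ }}") to the
// attribute they write; returns null for a static attribute.
function boundAttribute(name, value) {
  let m;
  if ((m = /^\[attr\.(.+)\]$/.exec(name))) return [m[1], 'attr binding'];
  if ((m = /^\[(.+)\]$/.exec(name))) return [m[1], 'property binding'];
  if ((m = /^bind-(.+)$/.exec(name))) return [m[1], 'bind- binding'];
  if (value && value.includes('{{')) return [name, 'interpolation'];
  return null;
}
// One finding per element carrying both i18n-<attr> and a binding on a sensitive <attr>.
function findI18nSensitiveBindings(template) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let tag;
  while ((tag = TAG_RE.exec(template)) !== null) {
    const [, tagName, attrText] = tag;
    const i18nAttrs = new Set();   // attributes marked for translation on this element
    const bound = new Map();       // attribute name -> binding kind
    ATTR_RE.lastIndex = 0;
    let attr;
    while ((attr = ATTR_RE.exec(attrText)) !== null) {
      const name = attr[1].toLowerCase();
      if (name.startsWith('i18n-')) { i18nAttrs.add(name.slice(5)); continue; }
      const b = boundAttribute(name, attr[2]);
      if (b) bound.set(b[0], b[1]);
    }
    for (const a of i18nAttrs) {
      if (SENSITIVE_ATTRS.has(a) && bound.has(a)) {
        const line = template.slice(0, tag.index).split('\n').length;
        findings.push({ line, tag: tagName, attribute: a, binding: bound.get(a) });
      }
    }
  }
  return findings;
}
// Constructed sample template (not from the advisory): lines 2 and 5 show the risky pattern.
const SAMPLE_TEMPLATE = `
<a i18n-href="@@docsLink" [href]="userLink">Docs</a>
<a i18n-href href="https://example.invalid/help">Help</a>
<a i18n-title="@@t" [title]="t" href="{{ profileUrl }}">Profile</a>
<a i18n-href="@@p" href="{{ profileUrl }}">Profile</a>
`;
console.log(findI18nSensitiveBindings(SAMPLE_TEMPLATE));
```

A static i18n-href with a literal URL, or an i18n marker on a non-sensitive attribute such as title, is not reported; only the marker-plus-binding pair on a sensitive attribute is.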
Affected Countries
United States, India, Germany, United Kingdom, France, Japan, Canada, Australia, Brazil, South Korea, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T15:29:36.559Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69b47e482f860ef943b3ab77
Added to database: 3/13/2026, 9:14:48 PM
Last enriched: 3/20/2026, 11:16:42 PM
Last updated: 4/28/2026, 12:57:00 AM