PT-2026-22110 · Google · Angular

Punderwoman · Published 2026-02-26 · Updated 2026-03-04 · CVE-2026-27970

CVSS v4.0: 7.6 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Angular versions prior to 21.2.0
Angular versions prior to 21.1.16
Angular versions prior to 20.3.17
Angular versions prior to 19.2.19

Description
Angular's internationalization (i18n) pipeline contains a cross-site scripting issue. HTML within translated content, specifically in International Components for Unicode (ICU) messages, was not adequately sanitized, potentially allowing the execution of arbitrary JavaScript. The Angular i18n process consists of extracting messages, translating them, and merging the translations back into the code. If a translation file (XLIFF, XTB, etc.) is compromised with malicious content, attacker-controlled JavaScript can end up executing within the application. Successful exploitation requires compromising the application's translation file; in addition, the application must use Angular i18n, use ICU messages, and render these messages without adequate cross-site scripting defenses such as a Content Security Policy.

Recommendations
Angular versions prior to 21.2.0: Update to version 21.2.0 or later.
Angular versions prior to 21.1.16: Update to version 21.1.16 or later.
Angular versions prior to 20.3.17: Update to version 20.3.17 or later.
Angular versions prior to 19.2.19: Update to version 19.2.19 or later.
Review and verify translated content received from untrusted third parties before incorporating it into an Angular application.
Enable strict Content Security Policy (CSP) controls to prevent unauthorized JavaScript execution.
Enable Trusted Types to enforce proper HTML sanitization.
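The "review and verify translated content" recommendation can be partly automated. The following is an added example (not Angular's code or part of this advisory): a Node.js check that scans an XLIFF 1.2 file for <target> text carrying real HTML outside Angular's <x .../> placeholder elements, including markup hidden behind entity encoding. The XLIFF sample, the trans-unit ids and the regex-based parsing are constructed for the example; a production check would use a proper XML parser.

```javascript
// Added example (not Angular's code): flag raw HTML in XLIFF 1.2 <target> text
// before a translation file is merged. Angular i18n represents HTML inside
// messages as <x .../> / <ph .../> placeholder elements, so any real markup
// that remains in a target after those are removed is suspicious.
const PLACEHOLDER = /<(?:x|ph)\b[^>]*\/>/g;           // Angular placeholder elements
const UNIT = /<trans-unit\b[^>]*\bid="([^"]*)"[^>]*>([\s\S]*?)<\/trans-unit>/g;
const TARGET = /<target\b[^>]*>([\s\S]*?)<\/target>/;
const RAW_MARKUP = /<\s*\/?\s*[a-z!]/i;                // anything that parses as a tag ("x < 3" does not)
const SCRIPT_ATTRS = /\bon[a-z]+\s*=|javascript:/i;   // inline event handlers or javascript: URLs

// Undo the entity encoding a translator (or an attacker) may have used to hide markup.
// &amp; is decoded last so that "&amp;lt;" stays "&lt;" instead of becoming "<".
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Returns [{ id, reason }] for every trans-unit whose target carries markup.
function findSuspiciousTranslations(xliff) {
  const findings = [];
  for (const [, id, body] of xliff.matchAll(UNIT)) {
    const t = TARGET.exec(body);
    if (!t) continue;                                   // untranslated unit
    const text = decodeEntities(t[1].replace(PLACEHOLDER, ''));
    if (SCRIPT_ATTRS.test(text)) findings.push({ id, reason: 'script handler or javascript: URL' });
    else if (RAW_MARKUP.test(text)) findings.push({ id, reason: 'raw HTML outside placeholders' });
  }
  return findings;
}

// Constructed sample: one benign ICU plural, one target with entity-encoded markup.
const SAMPLE_XLIFF = `<?xml version="1.0" encoding="UTF-8"?>
<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
  <file source-language="en" target-language="de" datatype="plaintext" original="ng2.template">
    <body>
      <trans-unit id="cartCount" datatype="html">
        <source>{VAR_PLURAL, plural, =0 {empty} other {<x id="START_BOLD_TEXT" ctype="x-b" equiv-text="&lt;b&gt;"/>{INTERPOLATION}<x id="CLOSE_BOLD_TEXT" ctype="x-b" equiv-text="&lt;/b&gt;"/> items}}</source>
        <target>{VAR_PLURAL, plural, =0 {leer} other {<x id="START_BOLD_TEXT" ctype="x-b" equiv-text="&lt;b&gt;"/>{INTERPOLATION}<x id="CLOSE_BOLD_TEXT" ctype="x-b" equiv-text="&lt;/b&gt;"/> Artikel}}</target>
      </trans-unit>
      <trans-unit id="greeting" datatype="html">
        <source>Hello {INTERPOLATION}</source>
        <target>Hallo &lt;img src="x" onerror="/* constructed */"&gt;{INTERPOLATION}</target>
      </trans-unit>
    </body>
  </file>
</xliff>`;

console.log(findSuspiciousTranslations(SAMPLE_XLIFF)); // only "greeting" is reported
```

The benign unit passes because its bold markup exists only as <x> placeholders; the second unit is reported even though its markup is entity-encoded, which is the form a tampered file is most likely to take.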

XSS

Related Identifiers

CVE-2026-27970
GHSA-PRJF-86W9-MFQV

Affected Products

Angular