PT-2026-25384 · Npm+4 · @Angular/Compiler+6

High · alan-agius4 · Published 2026-03-13 · Updated 2026-05-12 · CVE-2026-32635

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Angular versions prior to 22.0.0-next.3
Angular versions prior to 21.2.4
Angular versions prior to 20.3.18
Angular versions prior to 19.2.20

Description

A Cross-Site Scripting (XSS) issue exists in the Angular runtime and compiler. It occurs when an application uses a security-sensitive attribute combined with Angular's attribute internationalization capability. By adding the i18n-<attribute> name to a sensitive attribute, the framework's built-in sanitization mechanism is bypassed. When this is combined with data binding to untrusted user-generated data, an attacker can inject and execute malicious scripts in the user's browser, potentially leading to session hijacking, credential theft, and data exfiltration.

Vulnerable attributes include action, background, cite, codebase, data, formaction, href, itemtype, longdesc, poster, src, and xlink:href.

Recommendations

Update to version 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20.

As a temporary workaround, ensure that any data bound to sensitive attributes is not sourced from untrusted user input or is not marked for internationalization. Alternatively, explicitly sanitize attributes by passing them through Angular's DomSanitizer.
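
To find templates that match the pattern in the description while an upgrade is pending, the following added example (not from the advisory or the Angular project) scans template text for elements where a listed attribute is both data-bound and marked with i18n-<attribute>. The function names, the regex-based tag parsing and the sample template are assumptions made for illustration; it is a heuristic review aid, not a replacement for the Angular compiler's own parser.

```javascript
// Added example (not Angular project code): heuristic template audit.
// Attribute list copied from the advisory description above.
const SENSITIVE = ['action', 'background', 'cite', 'codebase', 'data', 'formaction',
  'href', 'itemtype', 'longdesc', 'poster', 'src', 'xlink:href'];

// Parse one opening tag into a Map of lowercased attribute name -> value.
function parseAttrs(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<[^\s>\/]+/, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Report elements where a sensitive attribute carries an i18n-<attribute>
// marker and is also data-bound. Property-binding forms are flagged
// conservatively (assumption: reviewers want to see them too).
function findI18nBoundAttrs(template) {
  const findings = [];
  const tagRe = /<[a-zA-Z][^\s>\/]*(?:"[^"]*"|'[^']*'|[^"'>])*>/g;
  let m;
  while ((m = tagRe.exec(template)) !== null) {
    const attrs = parseAttrs(m[0]);
    for (const name of SENSITIVE) {
      if (!attrs.has(`i18n-${name}`)) continue;
      const interpolated = /\{\{[\s\S]*?\}\}/.test(attrs.get(name) ?? '');
      const propertyBound = attrs.has(`[${name}]`) || attrs.has(`[attr.${name}]`);
      if (interpolated || propertyBound) {
        const line = template.slice(0, m.index).split('\n').length;
        findings.push({ line, attribute: name });
      }
    }
  }
  return findings;
}

// Constructed sample template (variable names are hypothetical).
const SAMPLE = [
  '<a href="{{ profileUrl }}" i18n-href>Profile</a>',
  '<a href="{{ profileUrl }}">Profile</a>',
  '<img src="/logo.png" i18n-src alt="Logo">',
  '<form [action]="target"',
  '      i18n-action></form>',
  '<a href="/help" i18n-title title="{{ tip }}">Help</a>',
].join('\n');

console.log(findI18nBoundAttrs(SAMPLE));
```

Each finding still needs a manual check of where the bound value comes from; only values sourced from untrusted input match the condition the advisory describes.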

Exploit

Fix

RCE

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32635
GHSA-G93W-MFHG-P222

Affected Products

@Angular/Compiler
@Angular/Core
Angular
Angularjs
Angular-Cli
Compiler
Core