A newly disclosed security flaw has been found in Angular, the widely used web application framework. Tracked as CVE-2026-27970 and rated high severity (7.6), the vulnerability shows how an attacker could hide malicious code inside ordinary translation files, turning a routine language update into a backdoor for stealing sensitive user data.
The vulnerability lies in Angular’s “internationalization” (i18n) pipeline. When developers want to support multiple languages, they use a format called “ICU messages” to handle complex translations (like dealing with plurals or gendered nouns).
Normally, web frameworks like Angular strictly sanitize any data rendered on screen so that no malicious code runs by accident. Researchers discovered, however, that Angular was failing to properly sanitize HTML embedded inside these translated ICU messages.
If an attacker manages to compromise the translation files (often handled by external contractors), they can inject malicious JavaScript into seemingly harmless translated text. When the app loads that translation for the user, the browser executes the attacker’s code. This type of attack is known as Cross-Site Scripting (XSS).
Because the malicious code runs directly in the victim’s web browser, the attacker gains substantial control over the user’s session.
The official advisory highlights two primary dangers:
- Credential Exfiltration (Data Theft): The attacker’s code can silently scrape sensitive user data stored in the browser’s memory, cookies, or local storage. This means passwords, session tokens, and personal information can be funneled directly to a hacker’s server.
- Page Vandalism: The attacker can mutate the webpage, changing how it looks or acts, potentially tricking the user into handing over even more information.
Unlike typical XSS attacks, where an attacker might simply type bad code into a public comment field, this attack has strict preconditions: the attacker must first compromise the application’s actual translation files (such as .xliff or .xtb files), either at the source or in transit from the contractor.
Furthermore, the attack only works if the developers have not deployed standard modern protections such as a strict Content Security Policy (CSP) or Trusted Types, which are designed to block unauthorized scripts from running.
The Angular team has released security patches to fix this sanitization blind spot. Developers should upgrade their environments to one of the following safe versions:
- 21.2.0
- 21.1.6
- 20.3.17
- 19.2.19
If patching right away isn’t possible, security experts strongly advise developers to manually review any translated content received from third parties, and to enable a strict Content Security Policy (CSP) to stop rogue code in its tracks.
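The manual review recommended above can be partly automated. The script below is an added example written for this page, not code from the advisory or from the Angular project: it scans an XLIFF 1.2 file (one of the translation formats named above) and flags any translated string that contains literal HTML, an inline event-handler attribute, or a `javascript:`/`data:text/html` URL. It assumes Angular's extraction convention of representing real markup with `<x/>` placeholder elements rather than raw tags, so a literal tag in a `<target>` is suspicious by construction. The sample file, the rule names and the `flagged_units` helper are all constructed for this example.

```python
"""Review aid for third-party translation files.

Added example (not part of the advisory, and not Angular's own code): scans an
XLIFF 1.2 document and flags any <target> whose decoded text contains literal
HTML tags, inline event-handler attributes, or javascript:/data:text/html URLs.
Assumes Angular's i18n extraction represents markup with <x id="..."/>
placeholder elements, so raw tags inside a translated string are suspicious.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xliff:document:1.2"}

# Patterns a reviewer would want surfaced in translated text. Dict order is the
# order in which triggered rules are reported for each translation unit.
PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),
    "event_handler": re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    "data_html_url": re.compile(r"data\s*:\s*text/html", re.IGNORECASE),
}


def target_text(unit: ET.Element) -> str | None:
    """Return the decoded text of a <target>, skipping <x/> placeholder elements.

    itertext() yields only character data (including tails after placeholders),
    so XML-escaped markup such as &lt;b&gt; comes back as the literal "<b>" that
    Angular would end up rendering, while <x .../> placeholders contribute nothing.
    """
    target = unit.find("x:target", NS)
    if target is None:
        return None
    return "".join(target.itertext())


def flagged_units(xliff_xml: str) -> dict[str, list[str]]:
    """Map each suspicious trans-unit id to the list of rule names it triggered."""
    root = ET.fromstring(xliff_xml)
    report: dict[str, list[str]] = {}
    for unit in root.iterfind(".//x:trans-unit", NS):
        text = target_text(unit)
        if text is None:
            continue
        hits = [rule for rule, pattern in PATTERNS.items() if pattern.search(text)]
        if hits:
            report[unit.get("id", "?")] = hits
    return report


# Constructed sample: one clean translation and two tampered ones.
SAMPLE_XLIFF = """<?xml version="1.0" encoding="UTF-8"?>
<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
  <file source-language="en" target-language="de" datatype="plaintext" original="ng2.template">
    <body>
      <trans-unit id="greeting" datatype="html">
        <source>Hello, <x id="INTERPOLATION" equiv-text="{{name}}"/>!</source>
        <target>Hallo, <x id="INTERPOLATION" equiv-text="{{name}}"/>!</target>
      </trans-unit>
      <trans-unit id="items.count" datatype="html">
        <source>{VAR_PLURAL, plural, =0 {no items} other {<x id="INTERPOLATION"/> items}}</source>
        <target>{VAR_PLURAL, plural, =0 {keine Artikel} other {<x id="INTERPOLATION"/> Artikel &lt;img src=x onerror="x()"&gt;}}</target>
      </trans-unit>
      <trans-unit id="help.link" datatype="html">
        <source>Need help?</source>
        <target>&lt;a href="javascript:x()"&gt;Hilfe&lt;/a&gt;</target>
      </trans-unit>
    </body>
  </file>
</xliff>
"""


if __name__ == "__main__":
    for unit_id, rules in flagged_units(SAMPLE_XLIFF).items():
        print(f"{unit_id}: {', '.join(rules)}")
```

Run it against each translation drop before it is merged; on the constructed sample it reports `items.count` and `help.link` and stays silent on the clean `greeting` unit. A clean scan is a review aid, not a substitute for upgrading or for the CSP and Trusted Types protections the article names.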