A security vulnerability has been disclosed in the Angular runtime and compiler that can expose web applications to Cross-Site Scripting (XSS). The flaw, tracked as CVE-2026-32635, carries a high-severity CVSS score of 8.6 and lies in the framework’s internationalization (i18n) mechanism.
Angular is widely respected for its built-in security features, which automatically sanitize values bound into security-sensitive contexts such as URLs and HTML so that attacker-controlled strings cannot become executable script in a user’s browser. This vulnerability opens a “blind spot” in that shield.
The issue occurs when a developer uses a security-sensitive attribute, such as href on an anchor tag or src on an image, and at the same time marks that attribute for internationalization with the i18n-<attribute> prefix (for example i18n-href). Researchers found that enabling i18n for one of these attributes effectively bypasses Angular’s sanitization logic for the value bound to it.
As the technical report explains:
“Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular’s built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script”.
An attacker who gets a malicious URL (such as javascript:alert(1)) bound to an internationalized attribute can execute arbitrary JavaScript in the application’s origin; for an href, the payload runs when the victim follows the link.
The consequences for users can be devastating:
- Session Hijacking: Attackers can steal sensitive session cookies and authentication tokens to take over user accounts.
- Data Exfiltration: Malicious scripts can capture and transmit private user data to attacker-controlled servers.
- Unauthorized Actions: The attacker can perform actions on behalf of the victim, such as changing passwords or making unauthorized purchases.
The vulnerability is not limited to links. Alongside href, the attributes confirmed as affected include action, src, data, formaction, longdesc, and poster.
For an application to be at risk, three conditions must be met:
- The app must use a vulnerable version of Angular.
- Unsanitized user input must be bound to one of the sensitive attributes.
- That specific attribute must be marked for internationalization.
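Conditions two and three are visible in template source, so they can be triaged before upgrading. The following is an added example, not part of the original report or of Angular’s own tooling: a heuristic scanner that flags any element where a sensitive attribute is both marked i18n-<attribute> and fed by a dynamic binding (property binding, bind- prefix, or interpolation). The sample template is constructed for illustration and does not come from any real application, and the regular-expression tag parsing is a triage shortcut rather than a full Angular template parser, so treat hits as leads to review.

```javascript
// Added example: heuristic scanner for the vulnerable pattern described in
// the advisory (a security-sensitive attribute that is both i18n-marked and
// dynamically bound). Not Angular's own code; hits are leads, not proof.
"use strict";

// Attributes the report lists as affected.
const SENSITIVE_ATTRS = ["href", "src", "action", "formaction", "data", "longdesc", "poster"];

// Opening tag: name plus its raw attribute text. Heuristic: a literal '>'
// inside an attribute value would cut the match short.
const TAG_RE = /<([a-zA-Z][\w-]*)([^>]*)>/g;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(raw) {
  const attrs = new Map();
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs.set(m[1], m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Returns how `name` is dynamically bound on this element, or null if it is static.
function dynamicBinding(attrs, name) {
  if (attrs.has(`[${name}]`)) return `[${name}]`;
  if (attrs.has(`bind-${name}`)) return `bind-${name}`;
  if (attrs.has(name) && attrs.get(name).includes("{{")) return "interpolation";
  return null;
}

// Walks every opening tag and reports elements meeting both template-side
// conditions: the sensitive attribute is internationalized AND bound to data.
function scanTemplate(template) {
  const findings = [];
  for (const m of template.matchAll(TAG_RE)) {
    const [, tag, rawAttrs] = m;
    const attrs = parseAttrs(rawAttrs);
    const line = template.slice(0, m.index).split("\n").length;
    for (const attr of SENSITIVE_ATTRS) {
      if (!attrs.has(`i18n-${attr}`)) continue; // condition 3: attribute is i18n-marked
      const binding = dynamicBinding(attrs, attr); // condition 2: attribute carries bound data
      if (binding) findings.push({ line, tag, attribute: attr, binding });
    }
  }
  return findings;
}

// Constructed sample template (not from any real application). Lines 2, 3 and 7
// match the vulnerable pattern; line 4 has i18n on a harmless attribute (title)
// and lines 5 and 6 bind static strings, so none of those should be flagged.
const SAMPLE_TEMPLATE = `
<a i18n-href="@@profileLink" [href]="profileUrl">Profile</a>
<img i18n-src src="{{ avatarUrl }}" alt="avatar">
<a i18n-title title="Help" [href]="helpUrl">Help</a>
<a i18n-href href="/docs/help">Docs</a>
<form i18n-action action="/submit"><button>Go</button></form>
<video i18n-poster [poster]="previewUrl"></video>
`;

for (const f of scanTemplate(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.tag}> has i18n-${f.attribute} with dynamic binding ${f.binding}`);
}
```

Run it over each .html template (or inline template string) in the project; a hit does not by itself mean the bound value is untrusted, which is condition two of the three, so each finding still needs the data source traced.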
The Angular team has moved quickly to address the issue, releasing patches across several major versions.
- Patched Versions: 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
Immediate Security Actions:
- Update Now: Upgrade to the patched release for your major version (19.2.20, 20.3.18, 21.2.4, or 22.0.0-next.3).
- Sanitize Manually: If you cannot update right away, run the value through Angular’s DomSanitizer in the component class before binding it, using sanitize(SecurityContext.URL, value) for URL-bearing attributes. Do not use the bypassSecurityTrust* methods on such data; they mark a value as trusted and would make the problem worse.
- Avoid Untrusted Input: Ensure that data bound to internationalized attributes is never sourced directly from untrusted user input, such as URL parameters or third-party APIs.
- Audit Templates: Search templates for i18n-href, i18n-src, i18n-action, i18n-formaction, i18n-data, i18n-longdesc, and i18n-poster, and review every element where the same attribute is also bound dynamically.
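To make the interim mitigation concrete without a browser or an Angular build, here is an added example (mine, not Angular’s code or the report’s) that reimplements the URL check behind SecurityContext.URL as a stand-alone function. The SAFE_URL_PATTERN is assumed to mirror Angular’s current rule (anything beginning with javascript: is rejected; any other well-formed scheme, or a relative path, query or fragment, is accepted, and rejected values are prefixed unsafe:); in a real component you would call DomSanitizer.sanitize(SecurityContext.URL, value) rather than sanitizeUrl. strictUrl is my own tighter policy, not an Angular API, and the sample inputs are constructed.

```javascript
// Added example, not Angular's own code: a stand-alone reimplementation of the
// URL sanitization check so the interim mitigation can be exercised offline.
// Assumption: SAFE_URL_PATTERN mirrors Angular's rule for SecurityContext.URL.
"use strict";

const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:\/?#]*(?:[\/?#]|$))/i;

// Angular-style behaviour: an unsafe value is neutralised by prefixing
// "unsafe:", which turns it into a scheme no browser will execute. The check
// is case-insensitive and a ':' may only follow a clean scheme, so whitespace
// or control characters smuggled into "javascript:" also fail it.
function sanitizeUrl(value) {
  const url = String(value);
  return SAFE_URL_PATTERN.test(url) ? url : "unsafe:" + url;
}

// Stricter interim policy (my own, not an Angular API): accept only http(s),
// mailto and same-origin relative URLs; anything else, including values the
// Angular-style check merely prefixed, collapses to a harmless fallback.
const STRICT_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function strictUrl(value, fallback = "#") {
  const url = sanitizeUrl(value);
  if (url.startsWith("unsafe:")) return fallback;
  if (/^[\\/]{2}/.test(url)) return fallback; // protocol-relative "//host" leaves the origin
  const scheme = url.match(/^([a-z0-9+.-]+:)/i); // absent for relative URLs
  if (scheme && !STRICT_SCHEMES.has(scheme[1].toLowerCase())) return fallback;
  return url;
}

// Constructed inputs (not from any real report): the payload class the advisory
// names plus obfuscations browsers tolerate (leading tab and an embedded
// newline are both stripped by the URL parser before the scheme is read).
const SAMPLES = [
  "https://example.com/profile/42",
  "/profile/42?tab=posts",
  "mailto:security@example.com",
  "tel:+15555550100",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(document.domain)",
  "\tjavascript:alert(1)",
  "java\nscript:alert(1)",
];

// Shows, for each input, what the bound value would be under each policy.
function demo(samples = SAMPLES) {
  return samples.map((s) => ({ input: s, angularStyle: sanitizeUrl(s), strict: strictUrl(s) }));
}

for (const row of demo()) console.log(JSON.stringify(row));
```

Apply whichever function fits in the component class, assign the result to the field that the i18n-marked attribute is bound to, and never bind the raw input. The point of sanitizing in the class is that the value reaching the attribute is already safe, so it no longer matters that the i18n compilation path skipped Angular’s automatic sanitizer.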