Bug 2447515 (CVE-2026-32635) - CVE-2026-32635 @angular/core: @angular/compiler: Angular has XSS in i18n attribute bindings
Keywords:
Status: NEW
Alias: CVE-2026-32635
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2448089 2448090 2448091 2448092 2448093 2448094 2448095 2448096 2448097 2448098 2448099 2448100 2448101
Blocks:
Reported: 2026-03-13 22:01 UTC by OSIDB Bzimport
Modified: 2026-03-16 16:36 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-13 22:01:46 UTC
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
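
The conditions in the description above, turned into a defender-side audit as an added example (not code from Angular or from this bug report): `isPatched` compares an installed version with the fixed releases listed, and `findRiskyI18nBindings` flags template tags that combine `i18n-<attr>` with a data-bound attribute. The function names, the regex heuristic, the binding syntaxes it matches and the sample template are assumptions.

```javascript
// Added example. Fixed release per major line, taken from the description above.
const FIXED = { 19: '19.2.20', 20: '20.3.18', 21: '21.2.4', 22: '22.0.0-next.3' };

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}
// Semver ordering: a release sorts above any pre-release of the same x.y.z.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  if (!x.pre || !y.pre) return (x.pre ? -1 : 0) + (y.pre ? 1 : 0);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p - +q;
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort first
    return p < q ? -1 : 1;
  }
  return 0;
}
function isPatched(version) {
  const major = parse(version).nums[0];
  if (major > 22) return true; // assumption: later majors include the fix
  const fixed = FIXED[major];
  // Assumption: a release line with no fixed version listed is reported as unpatched.
  return fixed ? compare(version, fixed) >= 0 : false;
}
// Heuristic: flag tags carrying i18n-<attr> plus a bound or interpolated <attr>.
// Assumption: both [attr]="..." and attr="{{ ... }}" count as data binding.
// Limitation: a '>' inside an attribute value ends the tag match early.
function findRiskyI18nBindings(template, attrs = ['href']) {
  const hits = [];
  for (const tag of template.match(/<[a-zA-Z][^>]*>/g) || []) {
    for (const a of attrs) {
      const i18n = new RegExp(`\\si18n-${a}(?=[\\s=>/])`).test(tag);
      const bound = new RegExp(`\\s(?:\\[(?:attr\\.)?${a}\\]\\s*=|${a}\\s*=\\s*["'][^"']*\\{\\{)`).test(tag);
      if (i18n && bound) hits.push({ attr: a, tag });
    }
  }
  return hits;
}
// Constructed sample template: only the first anchor should be flagged.
const SAMPLE = `<a href="{{ profileUrl }}" i18n-href>Profile</a>
<a href="/help" i18n-href>Help</a>
<a [href]="profileUrl">No i18n</a>`;
```

A hit is a review candidate rather than a confirmed finding: whether the bound value is untrusted has to be checked in the component.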

