CVE-2026-27970: Angular i18n vulnerable to Cross-Site Scripting
A Cross-site Scripting (XSS) vulnerability has been identified in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript.
Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user.
If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript.
References
- angular.dev/best-practices/security
- developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
- developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
- developer.mozilla.org/en-US/docs/Web/Security/Attacks/XSS
- github.com/advisories/GHSA-prjf-86w9-mfqv
- github.com/angular/angular
- github.com/angular/angular/commit/306f367899dfc2e04238fecd3455547b5d54075d
- github.com/angular/angular/commit/7d58b798c626bb0e4e5f89ca8affdce4f352b232
- github.com/angular/angular/commit/b85830953281ff3a1a77bbfe69019d352d509c93
- github.com/angular/angular/pull/67183
- github.com/angular/angular/security/advisories/GHSA-prjf-86w9-mfqv
- nvd.nist.gov/vuln/detail/CVE-2026-27970
Code Behaviors & Features
Detect and mitigate CVE-2026-27970 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →