CVE-2026-32635: Angular vulnerable to XSS in i18n attribute bindings
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example, href on an anchor tag) together with Angular’s ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding the corresponding i18n-<attribute> attribute bypasses Angular’s built-in sanitization mechanism. When this is combined with a data binding to untrusted user-generated data, an attacker can inject a malicious script.
The following example illustrates the issue:
<a href="{{maliciousUrl}}" i18n-href>Click me</a>
The following attributes have been confirmed to be vulnerable:
- action
- background
- cite
- codebase
- data
- formaction
- href
- itemtype
- longdesc
- poster
- src
- xlink:href
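To check your own templates for the pattern described above, the following heuristic scanner flags elements where one of the listed attributes carries an interpolation and the matching i18n-<attribute> marker is present. It is an added example, not code from the advisory or the Angular project; the function name, the regex-based tag parsing and the sample template are assumptions constructed for illustration.

```javascript
// Added example: heuristic template scan, not Angular's or the advisory's code.
// Attribute list copied from the advisory text.
const SENSITIVE_ATTRS = new Set([
  'action', 'background', 'cite', 'codebase', 'data', 'formaction',
  'href', 'itemtype', 'longdesc', 'poster', 'src', 'xlink:href',
]);

// An opening tag with its attributes; quoted values may span lines and contain '>'.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?)*)\s*\/?>/g;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;

// Returns one finding per sensitive attribute that is both interpolated and
// marked with i18n-<attribute> on the same element.
function findRiskyI18nBindings(template) {
  const findings = [];
  for (const tag of template.matchAll(TAG_RE)) {
    const attrs = new Map();
    for (const a of tag[2].matchAll(ATTR_RE)) {
      attrs.set(a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? '');
    }
    for (const name of attrs.keys()) {
      if (!name.startsWith('i18n-')) continue;
      const target = name.slice('i18n-'.length);
      if (!SENSITIVE_ATTRS.has(target)) continue;
      const value = attrs.get(target);
      if (value !== undefined && value.includes('{{')) {
        // 1-based line number of the tag's opening '<'.
        const line = template.slice(0, tag.index).split('\n').length;
        findings.push({ line, element: tag[1], attribute: target, value });
      }
    }
  }
  return findings;
}

// Constructed sample template (not taken from any real application).
const SAMPLE_TEMPLATE = [
  '<a href="{{profileUrl}}" i18n-href>Profile</a>', // flagged
  '<a href="/help" i18n-href>Help</a>',             // static value: not flagged
  '<a href="{{docsUrl}}">Docs</a>',                 // no i18n marker: not flagged
  '<img alt="{{caption}}" i18n-alt',                // alt is not in the list
  '     src="{{imageUrl}}" i18n-src="@@heroImage">', // flagged (tag starts on line 4)
].join('\n');

console.log(findRiskyI18nBindings(SAMPLE_TEMPLATE));
```

A match is a candidate for review rather than proof of exploitability, since the risk depends on whether the bound value can carry untrusted data.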
References
- github.com/advisories/GHSA-g93w-mfhg-p222
- github.com/angular/angular
- github.com/angular/angular/commit/224e60ecb1b90115baa702f1c06edc1d64d86187
- github.com/angular/angular/commit/78dea55351fb305b33a919c43a6b363137eca166
- github.com/angular/angular/commit/8630319f74c9575a21693d875cc7d5252516146d
- github.com/angular/angular/commit/ed2d324f9cc12aab6cfa0569ef10b73243a62c65
- github.com/angular/angular/pull/67541
- github.com/angular/angular/pull/67561
- github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222
- nvd.nist.gov/vuln/detail/CVE-2026-32635