Cross-Site Scripting in Angular Development Platform
CVE-2026-27970

7.6 HIGH

Key Information:

Vendor

Angular

Status
Vendor
CVE Published:
26 February 2026

What is CVE-2026-27970?

Angular, a widely used development platform for building web applications, has a vulnerability in its internationalization (i18n) pipeline that can lead to arbitrary JavaScript execution. It occurs when HTML from translated content is not sufficiently sanitized, allowing a malicious script to execute within the application's context. Typically, the i18n process involves extracting messages from the source application, translating them, and integrating them back into the code. When compromised translation files are unknowingly integrated into an Angular application, they can introduce XSS vulnerabilities. The risk is heightened if the application lacks a robust Content Security Policy (CSP) or if sanitized messages are not adequately reviewed. Developers are encouraged to apply the latest patches and ensure the security of third-party translations.
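One way to review third-party translations before they are merged back into the build, shown as an added example that is not part of the advisory or of Angular itself. It assumes translations arrive as XLIFF 1.2 files; `audit_xliff` and its heuristics are hypothetical names and rules chosen here, and the sample file is constructed.

```python
import re
import xml.etree.ElementTree as ET

X = "{urn:oasis:names:tc:xliff:document:1.2}"
TAG = re.compile(r"<\s*/?\s*([a-zA-Z][\w:-]*)")          # opening or closing HTML tag
RISKY = re.compile(r"javascript\s*:|\bon\w+\s*=", re.I)  # script URL or inline handler

def _text(el):
    # ElementTree decodes entities: "&lt;a&gt;" in the file is "<a>" here.
    return "".join(el.itertext()) if el is not None else ""

def _ids(el):
    # Placeholder ids (<x id="..."/>) that stand in for template markup.
    return {x.get("id") for x in el.iter(X + "x")} if el is not None else set()

def audit_xliff(xml_text):
    """Return sorted (unit id, reason) findings for one translated XLIFF 1.2 file."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in translation files")
    findings = []
    for unit in ET.fromstring(xml_text).iter(X + "trans-unit"):
        src, tgt = unit.find(X + "source"), unit.find(X + "target")
        s, t = _text(src), _text(tgt)
        # Heuristic: any tag name in the translation that the source never used.
        new_tags = set(TAG.findall(t.lower())) - set(TAG.findall(s.lower()))
        if new_tags:
            findings.append((unit.get("id"), "markup not in source: " + ",".join(sorted(new_tags))))
        if RISKY.search(t) and not RISKY.search(s):
            findings.append((unit.get("id"), "script URL or event-handler attribute"))
        if _ids(tgt) - _ids(src):
            findings.append((unit.get("id"), "placeholder not in source"))
    return sorted(findings)

# Constructed sample, not taken from any real project.
SAMPLE = """<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
<file source-language="en" target-language="fr" datatype="plaintext" original="app"><body>
<trans-unit id="greeting" datatype="html">
  <source>Hello <x id="INTERPOLATION"/></source>
  <target>Bonjour <x id="INTERPOLATION"/></target></trans-unit>
<trans-unit id="help" datatype="html">
  <source>Read the help page</source>
  <target>Lisez &lt;a href="javascript:void(0)"&gt;la page d'aide&lt;/a&gt;</target></trans-unit>
<trans-unit id="count" datatype="html">
  <source>{VAR_PLURAL, plural, =1 {one item} other {many items}}</source>
  <target>{VAR_PLURAL, plural, =1 {un article} other {&lt;iframe&gt;&lt;/iframe&gt; articles}}</target></trans-unit>
</body></file></xliff>"""

if __name__ == "__main__":
    for unit_id, reason in audit_xliff(SAMPLE):
        print(unit_id, "-", reason)
```

A finding means the unit needs human review before merge; the check complements upgrading to a patched release and does not replace it.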

Affected Version(s)

angular: >= 21.2.0-next.0, < 21.2.0

angular: >= 21.0.0-next.0, < 21.1.6

angular: >= 20.0.0-next.0, < 20.3.17

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
