Cross-Site Scripting Vulnerability in Angular Runtime and Compiler
CVE-2026-32635

8.6 HIGH

Key Information:

Vendor: @angular
CVE Published: 13 March 2026

What is CVE-2026-32635?

CVE-2026-32635 is a serious cross-site scripting (XSS) vulnerability in Angular, a development platform widely used for building mobile and desktop web applications with TypeScript and JavaScript. It arises when a security-sensitive attribute, such as the "href" attribute on an anchor tag, is combined with Angular's attribute internationalization feature. That combination bypasses Angular's built-in sanitization, so an attacker can inject malicious scripts through data bindings that contain untrusted user-generated content. Exploitation can lead to significant security breaches affecting user data and application integrity. The vulnerability has been addressed in specific updated versions of Angular, which underlines the importance of keeping Angular dependencies on patched versions.

Potential impact of CVE-2026-32635

  1. Data Breaches: The successful exploitation of this vulnerability could allow attackers to execute scripts that access sensitive user information, potentially leading to data theft or leakage of private information.

  2. Loss of Trust: Applications affected by this XSS vulnerability could suffer reputational damage if users are exposed to malicious scripts, resulting in a loss of trust and potentially impacting user engagement and overall business operations.

  3. Application Integrity Compromise: Attackers could exploit this vulnerability to manipulate application behavior or redirect users to malicious sites, compromising the integrity and functionality of the application itself.

Affected Version(s)

compiler | >= 22.0.0-next.0, < 22.0.0-next.3 | < 22.0.0-next.0, 22.0.0-next.3

compiler | >= 21.0.0-next.0, < 21.2.4 | < 21.0.0-next.0, 21.2.4

compiler | >= 20.0.0-next.0, < 20.3.18 | < 20.0.0-next.0, 20.3.18

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
