CVE-2026-32635
Podatność XSS w Angularze umożliwia atakującym wstrzyknięcie złośliwego skryptu poprzez obejście mechanizmu sanitizacji przy użyciu atrybutów i18n.
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.0 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.1% |
| Opublikowano (NVD) | 2026-03-16 14:19:40 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-30 18:23:13 UTC |
- https://github.com/angular/angular/pull/67541 (security-advisories@github.com) [Issue Tracking, Patch]
- https://github.com/angular/angular/pull/67561 (security-advisories@github.com) [Issue Tracking, Patch]
- https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222 (security-advisories@github.com) [Vendor Advisory, Mitigation]