{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32635", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.559Z", "datePublished": "2026-03-13T20:58:12.554Z", "dateUpdated": "2026-03-17T03:55:33.785Z"}, "containers": {"cna": {"title": "Angular has XSS in i18n attribute bindings", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222"}, {"name": "https://github.com/angular/angular/pull/67541", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/pull/67541"}, {"name": "https://github.com/angular/angular/pull/67561", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/pull/67561"}], "affected": [{"vendor": "@angular", "product": "compiler", "versions": [{"version": ">= 22.0.0-next.0, < 22.0.0-next.3", "status": "affected"}, {"version": ">= 21.0.0-next.0, < 21.2.4", "status": "affected"}, {"version": ">= 20.0.0-next.0, < 20.3.18", "status": "affected"}, {"version": ">= 17.0.0.next.0, < 19.2.20", "status": "affected"}]}, {"vendor": "@angular", "product": "core", "versions": [{"version": ">= 22.0.0-next.0, < 22.0.0-next.3", "status": "affected"}, {"version": ">= 21.0.0-next.0, < 21.2.4", "status": "affected"}, {"version": ">= 20.0.0-next.0, < 20.3.18", "status": "affected"}, {"version": ">= 17.0.0.next.0, < 19.2.20", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T20:58:12.554Z"}, "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20."}], "source": {"advisory": "GHSA-g93w-mfhg-p222", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-32635"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T03:55:33.785Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T15:29:00.270619Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:31:34.969Z"}}], "cna": {"title": "Angular has XSS in i18n attribute bindings", "source": {"advisory": "GHSA-g93w-mfhg-p222", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "@angular", "product": "compiler", "versions": [{"status": "affected", "version": ">= 22.0.0-next.0, < 22.0.0-next.3"}, {"status": "affected", "version": ">= 21.0.0-next.0, < 21.2.4"}, {"status": "affected", "version": ">= 20.0.0-next.0, < 20.3.18"}, {"status": "affected", "version": ">= 17.0.0.next.0, < 19.2.20"}]}, {"vendor": "@angular", "product": "core", "versions": [{"status": "affected", "version": ">= 22.0.0-next.0, < 22.0.0-next.3"}, {"status": "affected", "version": ">= 21.0.0-next.0, < 21.2.4"}, {"status": "affected", "version": ">= 20.0.0-next.0, < 20.3.18"}, {"status": "affected", "version": ">= 17.0.0.next.0, < 19.2.20"}]}], "references": [{"url": "https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222", "name": "https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/angular/angular/pull/67541", "name": "https://github.com/angular/angular/pull/67541", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/angular/angular/pull/67561", "name": "https://github.com/angular/angular/pull/67561", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T20:58:12.554Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32635", "state": "PUBLISHED", "dateUpdated": "2026-03-17T03:55:33.785Z", "dateReserved": "2026-03-12T15:29:36.559Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T20:58:12.554Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:angular:angular_cli:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA2F5BE6-6AF7-43BB-89EF-0670E30165E9", "versionEndExcluding": "19.2.0", "versionStartIncluding": "17.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:angular:angular_cli:*:*:*:*:*:*:*:*", "matchCriteriaId": "2112F98F-52FA-42F9-874F-D8DA0AB67859", "versionEndIncluding": "20.3.18", "versionStartIncluding": "20.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:angular:angular_cli:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC4EA7F1-EFC7-4009-9432-69293D3F80D3", "versionEndExcluding": "21.2.4", "versionStartIncluding": "21.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:*:*:*", "matchCriteriaId": "33D19930-FFB9-411A-9BA8-A4F861A45FCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:angular:angular_cli:22.0.0:next1:*:*:*:*:*:*", "matchCriteriaId": "5568C723-9BBD-4188-BA3C-3B0E3CB2786C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20."}, {"lang": "es", "value": "Angular es una plataforma de desarrollo para construir aplicaciones web m\u00f3viles y de escritorio usando TypeScript/JavaScript y otros lenguajes. Antes de las versiones 22.0.0-next.3, 21.2.4, 20.3.18 y 19.2.20, se ha identificado una vulnerabilidad de cross-site scripting (XSS) en el tiempo de ejecuci\u00f3n y el compilador de Angular. Ocurre cuando la aplicaci\u00f3n utiliza un atributo sensible a la seguridad (por ejemplo, href en una etiqueta de anclaje) junto con la capacidad de Angular para internacionalizar atributos. Habilitar la internacionalizaci\u00f3n para el atributo sensible a\u00f1adiendo i18n- omite el mecanismo de saneamiento integrado de Angular, lo que, cuando se combina con un enlace de datos a datos no confiables generados por el usuario, puede permitir a un atacante inyectar un script malicioso. Esta vulnerabilidad est\u00e1 corregida en las versiones 22.0.0-next.3, 21.2.4, 20.3.18 y 19.2.20."}], "id": "CVE-2026-32635", "lastModified": "2026-04-30T18:23:13.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:40.753", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/angular/angular/pull/67541"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/angular/angular/pull/67561"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "@angular/core: @angular/compiler: Angular has XSS in i18n attribute bindings", "id": "2447515", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447515"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-79", "details": ["A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32635", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "intel-cmt-cat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "dotnet5.0-build-reference-packages", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "intel-cmt-cat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "intel-cmt-cat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "io.apicurio-apicurito", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "io.syndesis-syndesis-parent", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-kf-notebook-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-notebook-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-13T20:58:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32635\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32635\nhttps://github.com/angular/angular/pull/67541\nhttps://github.com/angular/angular/pull/67561\nhttps://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[22.0.0-next.0,22.0.0-next.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[21.0.0-next.0,21.2.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[20.0.0-next.0,20.3.18)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[17.0.0.next.0,19.2.20)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "core", "source": "cna", "vendor": "@angular"}, "product": "angular", "vendor": "angular"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[22.0.0-next.0,22.0.0-next.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[21.0.0-next.0,21.2.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[20.0.0-next.0,20.3.18)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[17.0.0.next.0,19.2.20)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "compiler", "source": "cna", "vendor": "@angular"}, "product": "compiler", "vendor": "angular"}], "analysis": {"en": {"generated_at": "2026-03-17T01:51:53.014802+00:00", "value": {"mitigation_remediation": ["Upgrade to Angular 22.0.0-next.3 or later, 21.2.4 or later, 20.3.18 or later, or 19.2.20 or later"], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting via i18n attribute bindings"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Angular runtime and compiler packages (@angular:compiler, @angular:core). It affects all releases before 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. Users running any of these older versions should assess whether the application renders sensitive attributes that are bound to user data and have i18n enabled.", "description_and_impact": "Angular allows developers to internationalize attribute values with the i18n- attribute syntax. For security\u2011sensitive attributes such as href, the framework normally sanitizes bound values to prevent script execution. However, when an attribute is internationalized, Angular\u2019s sanitization is bypassed. If the bound value originates from untrusted user\u2011generated data, an attacker can inject malicious JavaScript that executes in the context of the affected web page, leading to credential theft, defacement, or further exploitation. The flaw is a classic CWE\u201179 cross\u2011site scripting weakness. This attack can occur entirely on the client side and does not require any server\u2011side code changes.", "risk_and_exploitability": "The CVSS base score for this issue is 8.6, indicating high severity, but the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a malicious user or content provider to supply the vulnerable input to the application, typically via a crafted URL or form input that binds to a sensitive attribute such as href. Once the client browser renders the page, the injected script runs with the user\u2019s privileges."}}}}, "created": "2026-03-16T09:22:55.869441+00:00", "updated": "2026-03-23T13:39:31.026352+00:00", "vendors": ["angular", "angular$PRODUCT$angular", "angular$PRODUCT$compiler"]}