CVE-2026-32635
critical
CVSS v3
9.0
CVSS v4 NEW
8.6
VIR risk
9.0
Description
Angular vulnerable to XSS in i18n attribute bindings
Predictions
Exploit likelihood
93%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | undetermined | |
| debian | sid | undetermined | |
| debian | bullseye | undetermined | |
| debian | forky | undetermined | |
| debian | trixie | undetermined | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | @angular/core | >=22.0.0-next.0,<22.0.0-next.3 | 22.0.0-next.3 |
| npm | @angular/core | >=21.0.0-next.0,<21.2.4 | 21.2.4 |
| npm | @angular/core | >=20.0.0-next.0.0.0,<20.3.18 | 20.3.18 |
| npm | @angular/core | >=19.0.0-next.0,<19.2.20 | 19.2.20 |
| npm | @angular/core | >=17.0.0-next.0,<=18.2.14 | |
| npm | @angular/compiler | >=22.0.0-next.0,<22.0.0-next.3 | 22.0.0-next.3 |
| npm | @angular/compiler | >=21.0.0-next.0,<21.2.4 | 21.2.4 |
| npm | @angular/compiler | >=20.0.0-next.0.0.0,<20.3.18 | 20.3.18 |
| npm | @angular/compiler | >=19.0.0-next.0,<19.2.20 | 19.2.20 |
| npm | @angular/compiler | >=17.0.0-next.0,<=18.2.14 | |
| NPM | @angular/compiler | >= 17.0.0-next.0, <= 18.2.14 | |
| NPM | @angular/compiler | >= 19.0.0-next.0, < 19.2.20 | 19.2.20 |
| NPM | @angular/core | >= 17.0.0-next.0, <= 18.2.14 | |
| NPM | @angular/core | >= 19.0.0-next.0, < 19.2.20 | 19.2.20 |
| NPM | @angular/compiler | >= 20.0.0-next.0.0.0, < 20.3.18 | 20.3.18 |
| NPM | @angular/compiler | >= 21.0.0-next.0, < 21.2.4 | 21.2.4 |
| NPM | @angular/compiler | >= 22.0.0-next.0, < 22.0.0-next.3 | 22.0.0-next.3 |
| NPM | @angular/core | >= 20.0.0-next.0.0.0, < 20.3.18 | 20.3.18 |
| NPM | @angular/core | >= 21.0.0-next.0, < 21.2.4 | 21.2.4 |
| NPM | @angular/core | >= 22.0.0-next.0, < 22.0.0-next.3 | 22.0.0-next.3 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| angular | angular_cli | {"startIncluding":"17.0.0","endExcluding":"19.2.0"} | 19.2.0 |
| angular | angular_cli | 22.0.0 | |
References
- https://security-tracker.debian.org/tracker/CVE-2026-32635
- https://github.com/angular/angular/pull/67541
- https://github.com/angular/angular/pull/67561
- https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222
- https://nvd.nist.gov/vuln/detail/CVE-2026-32635
- https://github.com/angular/angular/commit/224e60ecb1b90115baa702f1c06edc1d64d86187
- https://github.com/angular/angular/commit/78dea55351fb305b33a919c43a6b363137eca166
- https://github.com/angular/angular/commit/8630319f74c9575a21693d875cc7d5252516146d
- https://github.com/angular/angular/commit/ed2d324f9cc12aab6cfa0569ef10b73243a62c65
- https://github.com/angular/angular
- https://github.com/advisories/GHSA-g93w-mfhg-p222
CWEs
CWE-79
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.