Anonymous Intelligence Signal

Angular Compiler v21.2.7 Patches Critical XSS Vulnerability in i18n Attribute Bindings (CVE-2026-32635)

human The Lab unverified 2026-04-07 08:27:02 Source: GitHub Issues

A critical security flaw in the Angular framework has been patched. The flaw exposed applications using internationalization (i18n) to cross-site scripting (XSS) attacks. The vulnerability, tracked as CVE-2026-32635 and GHSA-g93w-mfhg-p222, was present in the `@angular/compiler` package. This update, moving from version 21.1.3 to 21.2.7, is a mandatory security fix for any project utilizing Angular's i18n features for attribute bindings.

The vulnerability specifically resides in how Angular processes i18n translations for HTML attributes. Under certain conditions, maliciously crafted translation data could bypass Angular's built-in sanitization, allowing an attacker to inject and execute arbitrary JavaScript code in a user's browser. This represents a direct threat to application security and user data integrity. The patch in version 21.2.7 corrects the sanitization logic to properly neutralize unsafe input in these scenarios.

This is a high-priority update for development and security teams. The flaw affects a core framework component used in virtually all Angular applications with multilingual support. Failure to apply this patch leaves applications vulnerable to client-side attacks where user input or external translation files are involved. The update is now available via standard package managers, and teams should prioritize merging this dependency update to mitigate the immediate security risk.
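To confirm the update actually reached every installed copy, including nested ones that a top-level bump can miss, the following Node.js script walks the `packages` map of an npm lockfile. It is an added example, not code from Angular or the advisory. It assumes the npm v2/v3 lockfile layout and takes 21.2.7 as the fixed version from the text above; the page gives no affected range for other major lines, so those are reported as `other-major` for manual review, and the sample lockfile is constructed.

```javascript
// Audit an npm lockfile ("packages" map, lockfile v2/v3) for unpatched @angular/compiler copies.
const FIXED = "21.2.7"; // fixed release named in the text above
const PKG = "@angular/compiler";

// Parse "major.minor.patch[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts before
// its release; two prereleases of the same release are treated as equal here.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  return (pb.pre ? 1 : 0) - (pa.pre ? 1 : 0);
}

// Classify every installed copy, including ones nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PKG)) continue;
    const parsed = entry.version && parseVersion(entry.version);
    let status;
    if (!parsed) status = "unparseable";
    else if (parsed.nums[0] !== 21) status = "other-major"; // no range on the page: review manually
    else status = compareVersions(entry.version, FIXED) < 0 ? "needs-update" : "patched";
    findings.push({ path, version: entry.version || null, status });
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from a real project).
const sampleLock = {
  packages: {
    "node_modules/@angular/compiler": { version: "21.1.3" },
    "node_modules/@angular/compiler-cli": { version: "21.2.7" },
    "node_modules/some-lib/node_modules/@angular/compiler": { version: "21.2.7-rc.0" },
    "node_modules/legacy-widget/node_modules/@angular/compiler": { version: "20.3.1" },
    "packages/ui/node_modules/@angular/compiler": { version: "21.2.7" },
  },
};

console.log(auditLockfile(sampleLock));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `auditLockfile` in place of `sampleLock`.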