Angular Framework Exposed: Critical XSS Vulnerability in i18n Attribute Bindings (CVE-2026-32635)
A critical security flaw has been exposed in the widely-used Angular web framework, posing a direct threat to applications that rely on its internationalization features. The vulnerability, tracked as CVE-2026-32635 and GHSA-g93w-mfhg-p222, is a Cross-Site Scripting (XSS) weakness within the Angular runtime's handling of i18n attribute bindings. This type of flaw allows attackers to inject and execute malicious scripts in the context of a user's browser, potentially leading to data theft, session hijacking, or complete account compromise.
The vulnerability resides in the `@angular/core` package, specifically affecting versions prior to the patched release 21.2.7. The issue stems from improper sanitization or validation of user-provided data within internationalized attribute bindings. This creates a vector where untrusted input can bypass Angular's built-in security mechanisms and be rendered as executable code. The flaw was identified and addressed by the Angular security team, prompting the release of version 21.2.7 to remediate the risk.
This discovery triggers immediate and widespread pressure on development teams globally. Any organization using Angular for web applications with i18n functionality must urgently assess their dependency versions and apply the security patch. Failure to update leaves applications open to exploitation, with the potential for significant data breaches and reputational damage. The incident underscores the persistent security scrutiny required for foundational web frameworks and the critical importance of automated dependency management tools in responding to such threats.
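One way to run the dependency check described above is to scan the project's lockfile for every installed copy of `@angular/core`, including copies nested under other packages. The following is an added example, not code from the Angular project or the advisory; the function names and the sample lockfile are constructed, and it assumes, as the page states, that every version below 21.2.7 is affected.

```javascript
const FIXED = '21.2.7';       // patched release named on the page
const PKG = '@angular/core';  // affected package named on the page
// Assumption taken from the page: every version below FIXED is affected.
// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when a sorts before b. A prerelease of X sorts before X itself.
function isOlder(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return true; // unparseable (git URL, tag): flag for manual review
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre !== null && pb.pre === null;
}

// Collect every installed copy of PKG from a parsed package-lock.json
// (lockfileVersion 2/3 "packages" map, or the v1 nested "dependencies" tree).
function findCopies(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      found.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

const findVulnerable = (lock) => findCopies(lock).filter((c) => isOlder(String(c.version), FIXED));

// Constructed sample lockfile (not from any real project).
const sampleLock = { packages: {
  'node_modules/@angular/core': { version: '21.2.7' },
  'node_modules/legacy-widget/node_modules/@angular/core': { version: '21.2.6' },
  'node_modules/@angular/common': { version: '21.2.1' },
} };
console.log(findVulnerable(sampleLock));
```

The nested copy is the case a check of `package.json` alone misses: the top-level dependency is already patched while a transitive package still pins an older `@angular/core`.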