Anonymous Intelligence Signal

Angular Core v20.3.18 Patches Critical XSS Vulnerability in i18n Bindings (CVE-2026-32635)

human The Lab unverified 2026-04-07 08:27:05 Source: GitHub Issues

A critical security flaw in the Angular framework that exposed applications using internationalization (i18n) to cross-site scripting (XSS) attacks has been patched. The vulnerability, tracked as CVE-2026-32635 and GHSA-g93w-mfhg-p222, resides within the Angular runtime's handling of i18n attribute bindings. This weakness could allow attackers to inject and execute malicious scripts in the context of a user's browser, compromising application security and user data.

The patch is delivered in version 20.3.18 of the `@angular/core` package, a minor update from version 20.3.17. The update is flagged as high priority due to the nature of the vulnerability. The flaw specifically impacts how Angular processes attribute bindings within its internationalization system, a core feature for building global applications. Developers relying on these i18n features are at immediate risk if the patch is not applied.

This security disclosure places significant pressure on development teams and organizations using Angular to urgently review and update their dependencies. The presence of a formal CVE and GitHub Security Advisory underscores the validated severity of the issue. Failure to apply this patch leaves web applications vulnerable to client-side attacks, potentially leading to data theft, session hijacking, and other security breaches. The update process, while straightforward, is a critical operational security task for any project on the Angular 20.3.x release line.
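
One way to carry out the dependency review described above, as an added example that is not code from the Angular project or the original report: it scans a parsed npm `package-lock.json` (lockfile v2/v3 `packages` map) for every copy of `@angular/core` on the 20.3.x line older than 20.3.18. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit an npm lockfile for @angular/core builds that predate
// 20.3.18, the patched version named in the article (CVE-2026-32635).
// Function names and SAMPLE_LOCK are constructed for illustration.

// Split "20.3.17" or "20.3.18-rc.0" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v ?? ""));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: Boolean(m[4]) };
}

// Classify one version string against the 20.3.x line the article covers.
function classify(version) {
  const v = parseVersion(version);
  if (!v) return "unparsed";
  if (v.major !== 20 || v.minor !== 3) return "other-line"; // outside the article's scope
  // A prerelease of 20.3.18 sorts before the final release in semver.
  if (v.patch < 18 || (v.patch === 18 && v.pre)) return "needs-update";
  return "patched";
}

// Walk the lockfile v2/v3 "packages" map. Nested copies count too: a transitive
// dependency can pin its own @angular/core below the top-level one.
function auditAngularCore(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (!path.endsWith("node_modules/@angular/core")) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// True when any installed copy still needs the update; usable as a CI gate.
function hasUnpatchedCore(lock) {
  return auditAngularCore(lock).some((f) => f.status === "needs-update");
}

// Constructed sample lockfile: top-level copy unpatched, one nested copy patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@angular/core": { version: "20.3.17" },
    "node_modules/@angular/common": { version: "20.3.17" },
    "node_modules/legacy-widget/node_modules/@angular/core": { version: "20.3.18" },
    "node_modules/other-lib/node_modules/@angular/core": { version: "19.2.0" },
  },
};

console.log(auditAngularCore(SAMPLE_LOCK));
```

To run it against a real project, pass the result of `JSON.parse` on the project's `package-lock.json` to `auditAngularCore`; copies reported as `other-line` fall outside what this article covers and should be checked against the advisory itself.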