CVE-2026-32635: High-Severity XSS Flaw in Angular Core Bypasses Sanitization
A high-severity Cross-Site Scripting (XSS) vulnerability has been identified in the Angular development platform, exposing applications to potential code injection attacks. The flaw, tracked as CVE-2026-32635, resides in the Angular runtime and compiler. It allows attackers to bypass the framework's built-in sanitization mechanism when an application uses a security-sensitive attribute, such as `href` on an anchor tag, in conjunction with Angular's internationalization (i18n) feature. Specifically, marking a sensitive attribute for translation by adding an `i18n-<attribute>` attribute to the element creates the vulnerability, leaving affected applications open to exploitation.
The vulnerability impacts all versions of Angular prior to the patched releases: 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. The finding was flagged by the Trivy scanner during a deep dependency scan of the `closenow.ai` project's `package-lock.json` file. This is not an isolated incident but a systemic flaw in a core framework used by millions of web applications globally. The CWE classification (CWE-79) confirms this as a classic improper neutralization of input during web page generation.
This discovery places immediate pressure on development teams to audit and upgrade their Angular dependencies. The risk is particularly acute for applications that utilize Angular's i18n features on user-controlled or dynamic attributes. Failure to patch could lead to unauthorized script execution in users' browsers, compromising session data and enabling further attacks. The availability of fixed versions across multiple major release lines signals the critical nature of this security update, requiring prompt action from maintainers of both commercial and open-source projects built on Angular.
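The audit the paragraph above calls for has two parts: confirm whether the installed `@angular/core` predates the fixed release for its major line, and locate templates that combine `i18n-<attribute>` with a security-sensitive attribute. The following is an added example written for this page, not code from Angular, Trivy, or the closenow.ai project. It assumes a lockfile v2/v3 layout (`packages["node_modules/@angular/core"].version`), treats majors older than 19 as affected because no fixed release exists for them, and adds `src` to the sensitive-attribute set alongside the `href` the advisory names; that extra attribute is an assumption for illustration. The sample lockfile and template are constructed.

```typescript
// Added audit helper for CVE-2026-32635 (example code, not Angular's own).

// Patched releases named in the advisory, keyed by major version.
const FIXED_BY_MAJOR: Record<number, string> = {
  19: "19.2.20",
  20: "20.3.18",
  21: "21.2.4",
  22: "22.0.0-next.3",
};

// `href` comes from the advisory; `src` is an assumption added for illustration.
const SENSITIVE_ATTRS = new Set(["href", "src"]);

interface Parsed { core: number[]; pre: string[] }

// Split "21.2.4" or "22.0.0-next.3" into numeric core parts and prerelease parts.
function parseVersion(v: string): Parsed {
  const [core, pre] = v.split("-", 2);
  return { core: core.split(".").map(Number), pre: pre ? pre.split(".") : [] };
}

// Semver-style ordering: <0 if a < b, 0 if equal, >0 if a > b.
// A release with no prerelease tag sorts after any prerelease of the same core,
// so 22.0.0 > 22.0.0-next.3, while 22.0.0-next.2 < 22.0.0-next.3.
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.core[i] ?? 0) - (pb.core[i] ?? 0);
    if (d !== 0) return d;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= pa.pre.length) return -1; // shorter prerelease list sorts first
    if (i >= pb.pre.length) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const nx = Number(x), ny = Number(y);
    const d = !isNaN(nx) && !isNaN(ny) ? nx - ny : x.localeCompare(y);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the @angular/core version predates the fixed release for its major.
// Majors below 19 have no fix listed and are treated as affected (assumption);
// majors above 22 are treated as fixed.
function isVulnerableAngularCore(version: string): boolean {
  const major = parseVersion(version).core[0];
  if (major < 19) return true;
  if (major > 22) return false;
  return compareVersions(version, FIXED_BY_MAJOR[major]) < 0;
}

// Read the installed @angular/core version from a lockfile v2/v3 document.
function angularCoreVersionFromLock(lockJson: string): string | null {
  const lock = JSON.parse(lockJson);
  return lock.packages?.["node_modules/@angular/core"]?.version ?? null;
}

interface Finding { line: number; attr: string; text: string }

// Flag every template line that carries `i18n-<attr>` for a sensitive <attr>.
function findI18nSensitiveAttrs(template: string): Finding[] {
  const findings: Finding[] = [];
  const re = /\bi18n-([A-Za-z][\w-]*)\b/g;
  template.split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(re)) {
      if (SENSITIVE_ATTRS.has(m[1].toLowerCase())) {
        findings.push({ line: idx + 1, attr: m[1], text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: { "node_modules/@angular/core": { version: "21.2.3" } },
});
const SAMPLE_TEMPLATE = `
<a [href]="profileUrl" i18n-href="@@profileLink">Profile</a>
<a [href]="docsUrl" i18n="@@docsText">Docs</a>
<img [src]="avatar" i18n-src>
`;

const installed = angularCoreVersionFromLock(SAMPLE_LOCK);
console.log(`@angular/core ${installed}: affected=${installed ? isVulnerableAngularCore(installed) : "unknown"}`);
for (const f of findI18nSensitiveAttrs(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: i18n-${f.attr} on sensitive attribute -> ${f.text}`);
}
```

The second `<a>` in the sample is deliberately not flagged: plain `i18n` on the element translates its text content and is not the pattern the advisory describes. Only `i18n-href` and `i18n-src` are reported, which is the set a reviewer should inspect before and after upgrading.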