CVE-2026-32635: High-Severity XSS Flaw in Angular Compiler Bypasses Sanitization
A critical security vulnerability in the Angular development platform exposes applications to cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2026-32635, resides in the Angular runtime and compiler. It allows attackers to bypass the framework's built-in sanitization when an application uses a security-sensitive HTML attribute, such as `href` on an anchor tag, together with Angular's internationalization (i18n) feature. Specifically, marking that sensitive attribute for translation by adding the corresponding `i18n-<attribute>` attribute (for example `i18n-href` next to `href`) is what triggers the bypass.
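To find templates that match the pattern described above, a team can grep its component templates for an `i18n-<attribute>` marker that targets a URL-type attribute and note whether that attribute carries a dynamic value. The following audit heuristic is an added example written for this page, not code from Angular or from the advisory; the attribute list beyond `href` (`src`, `srcdoc`, `formaction`, `xlink:href`) is an assumption about which attributes Angular treats as URL security contexts, and the sample template is constructed.

```python
import re
from typing import Dict, List

# URL-type attributes that Angular sanitizes; only `href` is named on the page,
# the rest are assumed to fall in the same security context.
SENSITIVE_ATTRS = {"href", "src", "srcdoc", "formaction", "xlink:href"}

# An opening tag and its attribute text (heuristic: breaks on '>' inside values).
TAG_RE = re.compile(r"<([a-zA-Z][\w-]*)\b([^>]*)>")
# `i18n-<attribute>` markers, e.g. `i18n-href` or `i18n-href="@@id"`.
I18N_ATTR_RE = re.compile(r"(?<![\w-])i18n-([a-zA-Z:]+)\b")


def _is_dynamic(attr: str, attrs: str) -> bool:
    """True if the attribute is property-bound ([href]="...") or interpolated (href="{{ ... }}")."""
    escaped = re.escape(attr)
    bound = re.search(r"\[" + escaped + r"\]\s*=", attrs)
    interpolated = re.search(r"(?<![\w:.-])" + escaped + r'\s*=\s*"[^"]*\{\{', attrs)
    return bool(bound or interpolated)


def audit_template(html: str) -> List[Dict[str, object]]:
    """Return one finding per i18n-marked, URL-type attribute found in the template."""
    findings: List[Dict[str, object]] = []
    for tag_match in TAG_RE.finditer(html):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        for marker in I18N_ATTR_RE.finditer(attrs):
            attr = marker.group(1)
            if attr.lower() not in SENSITIVE_ATTRS:
                continue  # i18n on a non-sensitive attribute (title, alt, ...) is not the pattern
            findings.append({"tag": tag, "attribute": attr, "dynamic": _is_dynamic(attr, attrs)})
    return findings


def count_dynamic(findings: List[Dict[str, object]]) -> int:
    """Findings whose sensitive attribute takes a runtime value deserve first attention."""
    return sum(1 for f in findings if f["dynamic"])


# Constructed sample template: two dynamic hrefs, one static href, one non-sensitive alt.
SAMPLE_TEMPLATE = """
<a i18n-href="@@docsLink" href="{{ userLink }}">Docs</a>
<a i18n-href href="/static/help">Help</a>
<img i18n-alt alt="Logo" [src]="logoUrl">
<a [href]="profileUrl" i18n-href="@@profile">Profile</a>
"""

if __name__ == "__main__":
    results = audit_template(SAMPLE_TEMPLATE)
    for f in results:
        print(f"<{f['tag']}> i18n-{f['attribute']} dynamic={f['dynamic']}")
    print(f"{count_dynamic(results)} of {len(results)} findings carry dynamic values")
```

Run it over the `.html` files of an affected project to build the list of templates to review while the dependency is upgraded; a hit with `dynamic=True` does not prove exploitability, only that the page's described precondition is present.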
The vulnerability affects all versions of the `@angular/compiler` package prior to the patched releases: 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. The finding was identified by the Trivy scanner during a deep dependency scan of the `closenow.ai` project's `package-lock.json` file, which classified it with a HIGH severity rating. The flaw is classified as CWE-79 (improper neutralization of input during web page generation, the XSS weakness class), meaning unpatched applications could allow malicious actors to inject and execute scripts in a user's browser context, potentially leading to data theft or session hijacking.
This discovery places immediate pressure on development teams using affected Angular versions to apply the available patches. The risk is particularly acute for applications that use Angular's i18n features on user-controlled or dynamic content within security-sensitive attributes. Organizations should audit their dependencies and upgrade to the secure versions to mitigate the exposure before this vulnerability is exploited in the wild.