Angular Compiler Security Patch: Critical XSS Vulnerability (CVE-2026-32635) in Runtime
A critical security flaw in the Angular framework's core compiler and runtime has been patched, exposing countless web applications to potential cross-site scripting (XSS) attacks. The vulnerability, tracked as CVE-2026-32635, resides in how Angular handles security-sensitive HTML attributes, such as `href` on anchor tags. This weakness could allow attackers to inject and execute malicious scripts, compromising user data and application integrity.
The issue was addressed in version 21.2.4 of the `@angular/compiler` package, released as a security update that bumps the package from version 21.2.2. The patch was delivered via a standard dependency update pull request, flagged with a [SECURITY] tag, and is now being propagated through automated tools like Renovate. The vulnerability advisory (GHSA-g93w-mfhg-p222) originates directly from the Angular security team, confirming the severity and official nature of the fix.
This patch is not a routine feature update but a mandatory security remediation. Any Angular application that has not been updated to version 21.2.4 or later remains vulnerable. The flaw's presence in the runtime and compiler—core components responsible for rendering application views—means the attack surface is broad, affecting a vast ecosystem of enterprise and consumer web apps built on the popular framework. Development teams must prioritize applying this update to mitigate the immediate risk of client-side code injection.
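The remediation above reduces to one question for each deployed application: is every installed copy of `@angular/compiler`, including copies nested under other dependencies, at 21.2.4 or later? The script below is an added example, not code from the article or from the Angular project; it audits an npm `package-lock.json` (lockfile v2/v3, which records every install under a `packages` map keyed by its `node_modules` path) and flags any `@angular/compiler` entry older than the patched release named in the text. The sample lockfile embedded in it is constructed for the demonstration; the file name `audit.js` is an assumption.

```javascript
// Added example (not from the article or the Angular project): audit a
// package-lock.json (lockfile v2/v3 "packages" map) for @angular/compiler
// installs older than the patched release named in the advisory text.
// The lockfile content below is constructed for the demonstration.

const PATCHED_VERSION = "21.2.4"; // first fixed release per the article

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts; the prerelease
// tag is kept so that "21.2.4-next.0" is treated as older than "21.2.4".
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns negative if a < b, 0 if equal, positive if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;   // a final release outranks a prerelease
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Walk every entry in the lockfile's "packages" map. Keys look like
// "node_modules/@angular/compiler" or, when a dependency ships its own copy,
// "node_modules/some-lib/node_modules/@angular/compiler".
function findVulnerableCompilerInstalls(lockfile, patched = PATCHED_VERSION) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/@angular/compiler")) continue;
    if (!entry.version) continue; // links/workspaces without a resolved version
    if (compareSemver(entry.version, patched) < 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level install is still on 21.2.2 (the
// pre-patch version named in the article); a nested copy is already fixed.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@angular/compiler": { version: "21.2.2" },
    "node_modules/@angular/core": { version: "21.2.2" },
    "node_modules/some-lib/node_modules/@angular/compiler": { version: "21.2.4" },
  },
};

// Usage: node audit.js
// For a real project, replace SAMPLE_LOCKFILE with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const hits = findVulnerableCompilerInstalls(SAMPLE_LOCKFILE);
for (const h of hits) {
  console.log(`VULNERABLE: ${h.path} is ${h.version} (< ${PATCHED_VERSION})`);
}
```

The check walks every `packages` key rather than only the top-level entry because a second, older copy of the compiler can be installed under another dependency and would otherwise be missed; run it against each application's committed lockfile as part of the update rollout.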