Angular Core Security Patch: Critical XSS Vulnerability in i18n Module (CVE-2026-27970)

A critical security vulnerability in Angular's internationalization (i18n) module exposes applications to cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2026-27970 and GHSA-prjf-86w9-mfqv, is present in versions prior to 21.2.0 of the @angular/core package. This is not a theoretical risk; the vulnerability is actively exploitable, allowing attackers to inject and execute malicious scripts in the context of a user's browser session.

The issue stems from a weakness in how Angular processes i18n translations. The vulnerability can be triggered when an application uses certain i18n features, potentially enabling attackers to bypass Angular's built-in sanitization defenses. The Angular team has released version 21.2.0 to patch this security hole. The update is marked as a minor version bump, but its primary purpose is to address this critical security flaw, making it an urgent priority for all development teams.

This vulnerability places millions of web applications built with Angular at immediate risk. Any organization using Angular with i18n features must prioritize applying this patch. Failure to update leaves applications open to data theft, session hijacking, and other malicious activities. The patch is available via standard package managers, and automated dependency management tools like Renovate are already flagging the required update. The presence of a formal CVE and GitHub Security Advisory underscores the severity and the need for swift action to mitigate this widespread security exposure.