CP
cyberpings
VulnerabilitiesHIGH

Angular XSS Vulnerability - Exposes Thousands of Web Apps

CSCyber Security News
CVE-2026-32635@angular/compiler@angular/coreXSSinternationalization
🎯

Basically, a flaw in Angular lets bad actors inject harmful scripts into websites.

Quick Summary

A critical XSS vulnerability in Angular has been discovered, affecting thousands of web applications. This flaw allows attackers to inject harmful scripts, risking user data and sessions. Developers must act quickly to patch their applications or implement strict data sanitization measures.

What Happened

A serious Cross-Site Scripting (XSS) vulnerability has been identified in the popular Angular framework. This flaw, tracked as CVE-2026-32635, affects key packages like @angular/compiler and @angular/core. The vulnerability arises from how Angular processes internationalization (i18n) for sensitive HTML attributes. While Angular typically sanitizes inputs to prevent code injection, this protection can be bypassed under specific conditions.

When developers enable internationalization for attributes like href or src, they may inadvertently expose their applications to attacks. If untrusted user data is bound to these attributes, attackers can inject malicious scripts, leading to severe consequences for users and applications alike.

Who's Affected

This vulnerability impacts countless enterprise and consumer web applications that rely on Angular. Given Angular's widespread usage, the potential attack surface is massive. Applications running vulnerable versions of Angular, particularly those binding unsanitized user input to sensitive attributes, are at risk.

The affected versions include:

  • 22.0.0-next.0 to below 22.0.0-next.3
  • 21.0.0-next.0 to 21.2.4
  • 20.0.0-next.0 to 20.3.18
  • 19.0.0-next.0 to 19.2.20
  • 17.0.0-next.0 to 18.2.14 (no patch available)

What Data Was Exposed

Exploiting this vulnerability can lead to various security risks, including:

  • Session Hijacking: Attackers can steal session cookies and authentication tokens, gaining unauthorized access to user accounts.
  • Data Exfiltration: Malicious scripts can capture sensitive user data and send it to external servers without detection.
  • Unauthorized Actions: Attackers may force applications to perform destructive actions on behalf of users, compromising application integrity.

What You Should Do

To protect your applications, it's crucial to upgrade to a patched version of Angular as soon as possible. If immediate upgrades aren't feasible, developers should ensure that any data bound to vulnerable attributes originates only from trusted sources. Additionally, using Angular's DomSanitizer to manually sanitize inputs can help mitigate risks, even if the internationalization bypass occurs. By implementing these measures, developers can significantly reduce the likelihood of successful attacks.

🔒 Pro insight: The exploitation of this XSS vulnerability highlights the need for developers to rigorously validate and sanitize user inputs, especially in internationalized contexts.

Original article from

Cyber Security News · Abinaya

Read Full Article

Share

Related Pings

CRITICALVulnerabilities

Vulnerabilities in Schneider Electric SCADAPack - Urgent Alert

Schneider Electric has revealed a critical vulnerability in its SCADAPack RTUs. This flaw could allow unauthorized access, risking system integrity and safety. Immediate updates are essential for protection.

CISA Advisories·
HIGHVulnerabilities

Vulnerability in Schneider Electric EcoStruxure IT Software

Schneider Electric has revealed a serious vulnerability in its EcoStruxure IT Data Center Expert software. This flaw could allow hackers to access sensitive information. Users must act quickly to apply the necessary patches or mitigations to secure their systems.

CISA Advisories·
HIGHVulnerabilities

CODESYS Vulnerabilities - Critical Flaws in Festo Suite

Critical vulnerabilities have been discovered in CODESYS within Festo Automation Suite. Users must upgrade to the latest versions to avoid severe risks. Stay secure by applying updates promptly.

CISA Advisories·
HIGHVulnerabilities

Siemens SICAM SIAPP SDK - Multiple Vulnerabilities Found

Siemens has identified multiple vulnerabilities in its SICAM SIAPP SDK. Users are urged to update to version 2.1.7 to avoid potential disruptions. This is crucial for maintaining operational integrity in critical manufacturing sectors.

CISA Advisories·
HIGHVulnerabilities

AWS Bedrock AgentCore - Critical Sandbox Bypass Vulnerability

A serious flaw in AWS Bedrock's Sandbox mode allows attackers to create covert C2 channels and exfiltrate sensitive data. Users must transition to VPC mode for better security.

Cyber Security News·
HIGHVulnerabilities

Vulnerability - UK Companies House Exposed Millions of Firms

A critical vulnerability at Companies House exposed sensitive data of millions of firms. This flaw allowed unauthorized access to company records, raising significant data protection concerns. Companies are urged to verify their details and report any issues.

SecurityWeek·