CVE-2026-27970: Angular i18n vulnerable to Cross-Site Scripting (XSS)

Published Feb 26, 2026
·
Updated

A Cross-site Scripting (XSS) vulnerability has been identified in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript.

Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user.

If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript.

Impact When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to:

- Credential Exfiltration: Stealing sensitive user data stored in page memory, LocalStorage, IndexedDB, or cookies available to JS and sending them to an attacker controlled server. - Page Vandalism: Mutating the page to read or act differently than intended by the developer.

Attach Preconditions

- The attacker must compromise the translation file (xliff, xtb, etc.). - Unlike most XSS vulnerabilities, this one is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client. - The victim application must use Angular i18n. - The victim application must use one or more ICU messages. - The victim application must render an ICU message. - The victim application must not defend against XSS via a safe Content-Security Policy (CSP) or Trusted Types.

Patches - 21.2.0 - 21.1.6 - 20.3.17 - 19.2.19

Workarounds Until the patch is applied, developers should consider:

- Reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application. - Enabling strict CSP controls to block unauthorized JavaScript from executing on the page. - Enabling Trusted Types to enforce proper HTML sanitization.

References

- Fix

Other sources

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-Site scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user. If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript. When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to credential exfiltration and/or page vandalism. Several preconditions apply to the attack. The attacker must compromise the translation file (xliff, xtb, etc.). Unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client. The victim application must use Angular i18n, use one or more ICU messages, render an ICU message, and not defend against XSS via a safe content security policy. Versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue. Until the patch is applied, developers should consider reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application, enabling strict CSP controls to block unauthorized JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.

MITRE

Affected Software

14 affected componentsFixes available
npm/@angular/core<19.2.19, >19.2.19<21.1.16, <21.1.16, >21.1.16<21.2.0
angular Angular Node.js<19.2.19
angular Angular Node.js>=20.0.0<20.3.17
angular Angular Node.js>=21.0.0<21.1.6
angular Angular Node.js=21.2.0-next0
angular Angular Node.js=21.2.0-next1
angular Angular Node.js=21.2.0-next2
angular Angular Node.js=21.2.0-next3
angular Angular Node.js=21.2.0-rc0
npm/@angular/core<=18.2.14
npm/@angular/core>=19.0.0-next.0<=19.2.18
19.2.19
npm/@angular/core>=20.0.0-next.0<=20.3.16
20.3.17
npm/@angular/core>=21.0.0-next.0<=21.1.5
21.1.6
npm/@angular/core>=21.2.0-next.0<=21.2.0-rc.0
21.2.0

Remediation

Patch Available

https://github.com/angular/angular/commit/306f367899dfc2e04238fecd3455547b5d54075d

Patch Available

https://github.com/angular/angular/commit/7d58b798c626bb0e4e5f89ca8affdce4f352b232

Patch Available

https://github.com/angular/angular/commit/b85830953281ff3a1a77bbfe69019d352d509c93

Patch Available

https://github.com/angular/angular/pull/67183

Patch Available

https://github.com/angular/angular/security/advisories/GHSA-prjf-86w9-mfqv

Event History

Feb 26, 2026
CVE Published
via MITRE·02:03 AM
Data Sourced
via MITRE·02:03 AM
DescriptionWeakness
Data Sourced
via NVD·02:16 AM
RemedyDescriptionSeverityWeaknessAffected Software
Feb 27, 2026
Advisory Published
via GitHub·06:33 PM
Data Sourced
via GitHub·06:33 PM
DescriptionSeverityWeaknessAffected Software
Jun 28, 58142
Event
via FIRST·12:19 AM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-27970?

CVE-2026-27970 has been classified as a moderate severity Cross-Site Scripting (XSS) vulnerability.

2

How do I fix CVE-2026-27970?

To fix CVE-2026-27970, upgrade Angular to version 21.2.0 or later, or to versions 21.1.16, 20.3.17, or 19.2.19.

3

What versions of Angular are affected by CVE-2026-27970?

CVE-2026-27970 affects Angular versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19.

4

Can CVE-2026-27970 lead to data theft?

Yes, CVE-2026-27970 can potentially allow attackers to execute arbitrary scripts in the context of the user’s session, which might lead to data theft.

5

Is CVE-2026-27970 specific to any type of application?

CVE-2026-27970 is specific to web applications built using the Angular framework.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203