{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/angular/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["angular","xss","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA cross-site scripting (XSS) vulnerability has been identified in the Angular framework, specifically affecting versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. The vulnerability stems from the interaction between security-sensitive attributes (e.g., href) and Angular\u0026rsquo;s internationalization features. When internationalization is enabled for such attributes using \u003ccode\u003ei18n-name\u003c/code\u003e, the built-in sanitization mechanisms can be bypassed. This can be exploited by injecting malicious scripts through data bindings that handle untrusted, user-generated data. Successful exploitation allows an attacker to execute arbitrary code within the context of the affected application\u0026rsquo;s domain. Immediate patching is strongly advised.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Angular application using a vulnerable version (prior to 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20).\u003c/li\u003e\n\u003cli\u003eThe attacker locates an input field or URL parameter that allows the injection of user-controlled data into an \u003ccode\u003ehref\u003c/code\u003e attribute (or another security-sensitive attribute).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code. The payload leverages the \u003ccode\u003ei18n-name\u003c/code\u003e attribute in conjunction with data binding to bypass sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the targeted input field or URL parameter.\u003c/li\u003e\n\u003cli\u003eThe victim user interacts with the application, triggering the rendering of the malicious payload within the vulnerable attribute.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code executes within the victim\u0026rsquo;s browser, operating under the security context of the Angular application\u0026rsquo;s domain.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to perform actions such as stealing session cookies or authentication tokens (session hijacking).\u003c/li\u003e\n\u003cli\u003eThe attacker can then exfiltrate sensitive data or perform unauthorized actions on behalf of the user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability allows attackers to execute arbitrary code within the context of the vulnerable Angular application. This can lead to session hijacking, enabling attackers to impersonate users and access their data. Data exfiltration is also possible, allowing attackers to steal sensitive information such as personal data or financial details. Furthermore, attackers can perform unauthorized actions on behalf of the user, potentially leading to financial loss, reputational damage, or other adverse consequences. The CCB strongly recommends immediate patching.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Angular installations to versions 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20 to remediate the vulnerability as per the vendor advisory (\u003ca href=\"https://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222\"\u003ehttps://github.com/angular/angular/security/advisories/GHSA-g93w-mfhg-p222\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads. This can provide an additional layer of defense against exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable and review web server access logs for suspicious activity and potential XSS attempts. Analyze logs for unusual URL parameters or POST data containing script-like syntax.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-17T19:19:33Z","date_published":"2026-03-17T19:19:33Z","id":"/briefs/2026-03-angular-xss/","summary":"A cross-site scripting (XSS) vulnerability exists in Angular versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, allowing attackers to execute arbitrary code within the context of the vulnerable application, potentially leading to session hijacking, data exfiltration, and unauthorized actions.","title":"Angular Cross-Site Scripting (XSS) Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-angular-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Angular","version":"https://jsonfeed.org/version/1.1"}