#VU123274 Cross-site scripting in Angular - CVE-2026-27970

 


Published: February 26, 2026


Vulnerability identifier: #VU123274
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-27970
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Angular
Software vendor: Google

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Angular internationalization (i18n) pipeline. A remote attacker can pass specially crafted ICU messages to the application and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.



Remediation

Install updates from the vendor's website.

External links