CVE-2026-27970 – Angular Internationalization (i18n) ICU Message XSS
CVE: CVE-2026-27970
Product: Angular (i18n pipeline)
CVSS v4: 7.6 (High)
CVSS v3.1: 6.1 (Medium)
Severity: High potential impact (but requires specific conditions)
Exploitability: Exploitable only when an attacker can insert malicious content into translation files consumed by the application
Exploit availability: No widely published public exploit code (proof-of-concept) as of current advisories
What This Vulnerability Is
Angular’s internationalization system lets developers extract text from applications for translation and then merge translated text back into the app. In certain message formats called ICU messages, HTML content was not fully cleaned (sanitized) before being inserted into the page. Because of this, if a translation file contains malicious HTML or script, the browser executes that content as real code. The attacker’s code then runs in the context of the website, with the same abilities as the application’s own legitimate scripts.
This is a classic Cross-Site Scripting (XSS) issue, but it isn’t like many XSS bugs where a user just visits a link and gets exploited. Instead, it requires the translation content itself to be tampered with first.
Why It Matters
When this vulnerability is activated under the right conditions, an attacker could cause a victim’s browser to run JavaScript they control, inside the application’s origin. This means attacker code could try to:
- Read session cookies or tokens (depending on app protections)
- Manipulate page content (deface interface, inject UI elements)
- Interact with elements at the user’s privilege level
- Exfiltrate sensitive data to an external server
Because it runs in the same origin, the browser treats the script just like application code.
Preconditions for Exploitation
This is not a generic remote attack that any external user can trigger. For exploitation to work, all of these must be true:
- The application uses Angular’s i18n pipeline for translations.
- The application includes one or more ICU messages that actually get rendered by users.
- Translation files (such as .xliff, .xtb) are compromised or contain attacker-controlled content.
- The application does not have defenses such as a strict Content Security Policy that blocks execution of injected scripts.
Because translation files are often managed outside the core app (sent to translators, merged from external repos, etc.), this gives attackers a supply-chain angle — the translation delivery pipeline becomes a risk point.
How It Could Be Exploited
- Translation content is extracted from the Angular app and sent for translation.
- The attacker manages to replace or alter a translation file with malicious markup — perhaps by attacking the translation vendor, their repository, or a CI system that merges translations.
- The modified translation contains HTML/JavaScript such as: <img src=x onerror="someMaliciousFunction()"> or <script>attackerPayload()</script>
- When a user loads a page that renders that ICU message, Angular inserts the translated text into the DOM without safely encoding it, so the browser executes it.
- The script runs in the context of the app’s origin.
This differs from normal XSS where user input is reflected or stored on a server — here the path is through the translation workflow and message rendering engine.
Detecting Behavior & Indicators
Because there’s no trivial remote PoC, defenders look for signs that translation content is being misused or that scripts are running where they shouldn’t.
What To Monitor
1. Translation File Integrity
- Track changes to .xliff, .xlf, .xtb and .json translation files in version control / CI logs
- Alert on unexpected changes or large diffs introducing < or > characters
2. CSP Violations
- If you have a Content Security Policy that disallows inline scripts and external script loads, monitor your CSP report endpoints
- Inline script execution attempts often show as CSP violation reports
3. Browser Errors / Client Logs
- Monitor client telemetry (error logs, analytics) for unexpected script execution or console errors that reference unusual code
4. CI / Pipeline Alerts
- Alert if translation files are modified outside of expected review cycles
- Record who/what made each change
Detection Rules & Queries
The following examples can help you find signs of unexpected translation content or script injection attempts. Adapt them to your log system:
File Scanning / CI Rule (shell snippet)
Scan translation files for script tags or inline event handlers (case-insensitive, so <SCRIPT> and onError= are caught too):
grep -E -i -n "<script|\bon[a-z]+[[:space:]]*=" translations/*.xliff
SIEM / Log Query Patterns
Example: Elasticsearch (KQL)
path:("*.xliff" OR "*.xlf" OR "*.xtb") AND
(message:"<script" OR message:"onerror=" OR message:"onclick=")
Example: Generic Log Query
source:"build_logs" AND match:("<script" OR "onerror=")
These rules are intended to help you flag malicious or unexpected strings before they reach production bundles.
What You Can Do Right Now
Apply the Patch
Update Angular to a fixed version. Versions that address this issue include:
- 19.2.19 or later
- 20.3.17 or later
- 21.1.16 or later
- 21.2.0 or later
Actual patch details and releases are at the official GitHub advisory link.
Strengthen Defenses
- Enable a strict Content Security Policy that disallows inline script execution
- Use Trusted Types where possible to reduce the risk of DOM injection
- Validate or escape HTML in translation content before it reaches the client
Review Translation Practices
- Treat translation files like code: review, version control, signing where possible
- Restrict who or what can commit changes to those files
Summary
CVE-2026-27970 is a cross-site scripting vulnerability that arises when Angular’s internationalization system fails to clean HTML inside translated ICU messages. It doesn’t let attackers execute code simply by visiting a vulnerable page — they must first insert malicious content into a translation file that the application uses. With the right conditions and without proper protections like CSP, that malicious content can run script inside users’ browsers.
This vulnerability illustrates how even seemingly safe data (translated text) can become dangerous if HTML content isn’t treated with the same care as user input or other dynamic content.
Fix / Patch link:
https://github.com/angular/angular/security/advisories/GHSA-prjf-86w9-mfqv
