core-17.3.4.tgz: 3 vulnerabilities (highest severity is: 8.1) #100
Description
Vulnerable Library - core-17.3.4.tgz
Library home page: https://registry.npmjs.org/@angular/core/-/core-17.3.4.tgz
Path to dependency file: /UI/package.json
Path to vulnerable library: /UI/package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (core version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-27970 |  High |
8.1 | core-17.3.4.tgz | Direct | @angular/core - 20.3.17,@angular/core - 19.2.19,@angular/core - 21.1.6,https://github.com/angular/angular.git - v21.2.0,https://github.com/angular/angular.git - v20.3.17,https://github.com/angular/angular.git - v19.2.19,https://github.com/angular/angular.git - v21.1.5 | ❌ |
| CVE-2026-32635 | High |
8.0 | core-17.3.4.tgz | Direct | https://github.com/angular/angular.git - v22.0.0-next.2,https://github.com/angular/angular.git - v20.3.18,https://github.com/angular/angular.git - v21.2.3,https://github.com/angular/angular.git - v19.2.20 | ❌ |
| CVE-2026-22610 | High |
8.0 | core-17.3.4.tgz | Direct | angular - 20.3.16,angular - 21.0.7,angular - 19.2.18,https://github.com/angular/angular.git - v19.2.18,https://github.com/angular/angular.git - v20.3.16,https://github.com/angular/angular.git - v21.1.0-rc.0,https://github.com/angular/angular.git - v21.0.7 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-27970
Vulnerable Library - core-17.3.4.tgz
Library home page: https://registry.npmjs.org/@angular/core/-/core-17.3.4.tgz
Path to dependency file: /UI/package.json
Path to vulnerable library: /UI/package.json
Dependency Hierarchy:
- ❌ core-17.3.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-Site scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user. If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript. When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to credential exfiltration and/or page vandalism. Several preconditions apply to the attack. The attacker must compromise the translation file (xliff, xtb, etc.). Unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client. The victim application must use Angular i18n, use one or more ICU messages, render an ICU message, and not defend against XSS via a safe content security policy. Versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue. Until the patch is applied, developers should consider reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application, enabling strict CSP controls to block unauthorized JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.
Publish Date: 2026-02-26
URL: CVE-2026-27970
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-prjf-86w9-mfqv
Release Date: 2026-02-26
Fix Resolution: @angular/core - 20.3.17,@angular/core - 19.2.19,@angular/core - 21.1.6,https://github.com/angular/angular.git - v21.2.0,https://github.com/angular/angular.git - v20.3.17,https://github.com/angular/angular.git - v19.2.19,https://github.com/angular/angular.git - v21.1.5
Step up your Open Source Security Game with Mend here
CVE-2026-32635
Vulnerable Library - core-17.3.4.tgz
Library home page: https://registry.npmjs.org/@angular/core/-/core-17.3.4.tgz
Path to dependency file: /UI/package.json
Path to vulnerable library: /UI/package.json
Dependency Hierarchy:
- ❌ core-17.3.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n- name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
Publish Date: 2026-03-13
URL: CVE-2026-32635
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-13
Fix Resolution: https://github.com/angular/angular.git - v22.0.0-next.2,https://github.com/angular/angular.git - v20.3.18,https://github.com/angular/angular.git - v21.2.3,https://github.com/angular/angular.git - v19.2.20
Step up your Open Source Security Game with Mend here
CVE-2026-22610
Vulnerable Library - core-17.3.4.tgz
Library home page: https://registry.npmjs.org/@angular/core/-/core-17.3.4.tgz
Path to dependency file: /UI/package.json
Path to vulnerable library: /UI/package.json
Dependency Hierarchy:
- ❌ core-17.3.4.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Publish Date: 2026-01-10
URL: CVE-2026-22610
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jrmj-c5cx-3cw6
Release Date: 2026-01-10
Fix Resolution: angular - 20.3.16,angular - 21.0.7,angular - 19.2.18,https://github.com/angular/angular.git - v19.2.18,https://github.com/angular/angular.git - v20.3.16,https://github.com/angular/angular.git - v21.1.0-rc.0,https://github.com/angular/angular.git - v21.0.7
Step up your Open Source Security Game with Mend here