[S360] Fix CVE-2026-27970, CVE-2026-32635: Update @angular/core and @angular/compiler to 21.2.5 #2539

Open
lucygramley wants to merge 1 commit into main from s360/CVE-2026-27970-CVE-2026-32635-angular

@lucygramley
Contributor

S360 Security Fix

S360 KPI: [SFI-ES5.2] 1ES Open Source Vulnerabilities
Severity: High
S360 Due Date: 2026-05-30 / 2026-06-14

CVEs Addressed

  • CVE-2026-27970: @angular/core 21.0.7 - XSS via unsanitized i18n content (fixed >=21.2.0)
  • CVE-2026-32635: @angular/core and @angular/compiler 21.0.7 - XSS in i18n attribute bindings (fixed >=21.2.4)

File: /Nodejs/Tests/MockProjects/NodeAppWithAngularTests/package-lock.json

What Changed

  • Updated @angular/core from 21.0.7 to 21.2.5
  • Updated @angular/compiler from 21.0.7 to 21.2.5
  • Fixed corrupted lodash@4.17.23 integrity hash

…/compiler to 21.2.5

Update @angular/core from 21.0.7 to 21.2.5 and @angular/compiler from 21.0.7 to 21.2.5
in NodeAppWithAngularTests to address XSS vulnerabilities in the Angular i18n pipeline.

- CVE-2026-27970: XSS via unsanitized HTML in translated content (fixed in >=21.2.0)
- CVE-2026-32635: XSS in i18n attribute bindings (fixed in >=21.2.4)
- Fixed corrupted lodash@4.17.23 integrity hash in lockfile

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
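
A reviewer-side check for the lockfile change described above, as an added example that is not part of this pull request or of the project's code. It flags `@angular/core` and `@angular/compiler` entries in the 21.x line that sit below the fixed versions the description states, and any `integrity` value that is structurally malformed. It cannot detect a well-formed but wrong digest. The function names and the sample lockfile are constructed for illustration.

```javascript
// Fixed versions taken from the PR description; only the 21.x line is judged.
const FIXED = {
  "CVE-2026-27970": { pkgs: ["@angular/core"], fixed: "21.2.0" },
  "CVE-2026-32635": { pkgs: ["@angular/core", "@angular/compiler"], fixed: "21.2.4" },
};
// Digest length in bytes for each algorithm an "integrity" value may name.
const DIGEST_BYTES = { sha1: 20, sha256: 32, sha384: 48, sha512: 64 };
// Compare plain x.y.z versions (assumption: prerelease suffixes are ignored).
function cmp(a, b) {
  const n = (v) => v.split("-")[0].split(".").map(Number);
  const [pa, pb] = [n(a), n(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Well-formed means "<alg>-<base64>" whose payload decodes to the digest size.
function integrityWellFormed(sri) {
  const m = /^(sha1|sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(sri);
  return m !== null && Buffer.from(m[2], "base64").length === DIGEST_BYTES[m[1]];
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf("node_modules/");
    if (at === -1 || !entry.version) continue; // root project or link entry
    const name = path.slice(at + "node_modules/".length);
    for (const [cve, rule] of Object.entries(FIXED)) {
      const inLine = entry.version.startsWith("21.");
      if (rule.pkgs.includes(name) && inLine && cmp(entry.version, rule.fixed) < 0)
        findings.push(`${name}@${entry.version}: ${cve} (fixed in ${rule.fixed})`);
    }
    if (typeof entry.integrity === "string" && !integrityWellFormed(entry.integrity))
      findings.push(`${name}@${entry.version}: malformed integrity`);
  }
  return findings;
}
// Constructed sample lockfile; the integrity values are placeholders, not real hashes.
const OK = "sha512-" + "A".repeat(86) + "==";
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-app" },
  "node_modules/@angular/core": { version: "21.0.7", integrity: OK },
  "node_modules/@angular/compiler": { version: "21.2.5", integrity: OK },
  "node_modules/lodash": { version: "4.17.23", integrity: "sha512-" + "A".repeat(40) },
}};
console.log(auditLock(SAMPLE_LOCK).join("\n"));
```

To run it against a real lockfile, pass the parsed JSON of `package-lock.json` to `auditLock` in place of `SAMPLE_LOCK`.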