目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2026-27970— Angular 跨站脚本漏洞

AI 预测 7.4 利用难度: 困难 EPSS 0.47% · P37

影响版本矩阵 5

厂商产品版本范围状态
angularangular>= 21.2.0-next.0, < 21.2.0affected
>= 21.0.0-next.0, < 21.1.6affected
>= 20.0.0-next.0, < 20.3.17affected
>= 19.0.0-next.0, < 19.2.19affected
<= 18.2.14affected
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2026-27970 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
Angular i18n vulnerable to Cross-Site Scripting (XSS)
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-Site scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user. If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript. When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to credential exfiltration and/or page vandalism. Several preconditions apply to the attack. The attacker must compromise the translation file (xliff, xtb, etc.). Unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client. The victim application must use Angular i18n, use one or more ICU messages, render an ICU message, and not defend against XSS via a safe content security policy. Versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue. Until the patch is applied, developers should consider reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application, enabling strict CSP controls to block unauthorized JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Angular 跨站脚本漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Angular是Angular开源的一个开发平台。用于使用 Typescript / JavaScript 和其他语言构建移动和桌面 Web 应用程序。 Angular 21.2.0之前版本、21.1.16之前版本、20.3.17之前版本和19.2.19之前版本存在跨站脚本漏洞,该漏洞源于Angular国际化管道中HTML清理不当,可能导致跨站脚本攻击。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
angularangular >= 21.2.0-next.0, < 21.2.0 -

二、漏洞 CVE-2026-27970 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2026-27970 的情报信息

登录查看更多情报信息。

IV. Related Vulnerabilities

V. Comments for CVE-2026-27970

暂无评论


发表评论