CVE-2026-27970: Angular Unvalidated ICU Attributes

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | TS
greprules fetch cve-2026-27970-angular-unvalidated-icu-attributes --engine opengrep

Description

HTML attributes parsed from ICU messages without bindings bypass validation and are unconditionally added to the DOM. This can allow attackers to inject malicious attributes (e.g., javascript: URIs) into translations.
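
A defender-side check for the condition described above, as an added example that is not part of this rule or of Angular's code: it scans a translated message for event-handler attributes and non-allowlisted URL schemes on markup inside ICU blocks. The function names, the scheme allowlist and the sample string are assumptions of this example.

```javascript
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']); // assumed allowlist
const TAG = /<([a-z][\w:-]*)(\s[^<>]*)?>/gi;
const ATTR = /([^\s"'<>=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;

// Return each top-level {name, plural|select|selectordinal, ...} block by brace matching.
function icuBlocks(message) {
  const blocks = [];
  const start = /\{\s*[\w.]+\s*,\s*(?:plural|select|selectordinal)\s*,/g;
  for (let m; (m = start.exec(message)) !== null;) {
    let depth = 0, i = m.index;
    for (; i < message.length; i++) {
      if (message[i] === '{') depth++;
      else if (message[i] === '}' && --depth === 0) break;
    }
    blocks.push(message.slice(m.index, i + 1));
    start.lastIndex = i + 1; // nested ICU blocks are already inside this slice
  }
  return blocks;
}

// Name the reason an attribute is unsafe to copy into the DOM unvalidated, or null.
function classify(name, rawValue) {
  if (name.startsWith('on')) return 'event handler';
  if (!URL_ATTRS.has(name)) return null;
  // Decode numeric character references, then drop whitespace and control characters.
  const url = rawValue
    .replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, n) => String.fromCodePoint(Math.min(+n.replace(/^x/i, '0x'), 0x10ffff)))
    .replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(url);
  return scheme && !SAFE_SCHEMES.has(scheme[1]) ? `scheme ${scheme[1]}:` : null;
}

// Audit one translated message; only markup inside ICU blocks is inspected.
function auditTranslation(message) {
  const findings = [];
  for (const block of icuBlocks(message)) {
    for (const [, tag, attrs = ''] of block.matchAll(TAG)) {
      for (const [, name, dq, sq, bare] of attrs.matchAll(ATTR)) {
        const reason = classify(name.toLowerCase(), dq ?? sq ?? bare ?? '');
        if (reason) findings.push({ tag: tag.toLowerCase(), attr: name.toLowerCase(), reason });
      }
    }
  }
  return findings;
}

// Constructed sample (added example): the first case is clean, the second is flagged.
const SAMPLE = '{VAR_PLURAL, plural, =0 {<a href="/cart">none</a>} other {<a href=" JavaScript:void(0)">items</a>}}';
console.log(auditTranslation(SAMPLE));
```

Run it over every translated string before the bundle ships; the scheme allowlist should match what the application actually links to.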