HeroDevs
Visit Angular NES Home Page

Angular 18

Comprehensive release notes and changelog for Angular 18, including security patches, bug fixes, and feature updates across all supported versions.

9 Patched Vulnerabilities
VEX Statements

Angular

v18.2.20 - March 27, 2026

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.20
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.20

Security Fixes

  • core: Sanitize translated form attributes and attribute bindings with interpolations.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-32635).
  • compiler: Disallow translations of src attributes in iframes.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-32635).

v18.2.19 - March 9, 2026

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.19
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.19

Security Fixes

  • core: Block creation of sensitive URI attributes from ICU messages.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-27970).

Breaking Changes

core
  • Block creation of sensitive URI attributes from ICU messages:
    Translators can no longer introduce URI attributes—attribute values are blocked to avoid malicious links, and sanitization now relies on an allowlist of known attributes (still sanitizing URI ones). Translated ICU content keeps only recognized attributes and drops everything else.

v18.2.18 - January 8, 2026

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.18
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.18

Security Fixes

  • core: Sanitize sensitive attributes on SVG script elements.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-22610).

v18.2.17 - December 9, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.17
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.17

Security Fixes

  • compiler: Prevent stored XSS via SVG animation attributeName and MathML/SVG URLs.
    • This fixes a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2025-66412).

v18.2.16 - December 2, 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.16
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.16

Security Fixes

  • common: Prevent Cross-Site Request Forgery (XSRF) token leakage to protocol-relative URLs.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-66035).

v18.2.15 - September 18, 2025

Notes

  • This release contains no functional change from the OSS Angular v18.2.14.
  • This release mainlines OSS v18.2.14 into NES v18.2.15.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-common@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-compiler@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-compiler-cli@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-core@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-elements@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-forms@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-language-service@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-localize@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-platform-browser@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-platform-server@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-router@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-service-worker@18.2.14-angular-18.2.15
    • @neverendingsupport/angular-upgrade@18.2.14-angular-18.2.15

Security Fixes

  • core: Introduce BootstrapContext for improved server bootstrapping.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-59052).

Breaking Changes

core
  • Introduce BootstrapContext for improved server bootstrapping:
    The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector and avoid potential exposure of sensitive data from other sessions.
    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively, when running in a server environment.
    Before:
    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:
    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

v18.2.14 - July 11, 2025

Notes

  • This release contains no functional change from the OSS Angular v18.2.13.
  • This release mainlines OSS v18.2.13 into NES v18.2.14.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-animations@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-common@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-compiler@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-compiler-cli@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-core@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-elements@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-forms@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-language-service@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-localize@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-platform-browser@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-platform-browser-dynamic@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-platform-server@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-router@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-service-worker@18.2.13-angular-18.2.14
    • @neverendingsupport/angular-upgrade@18.2.13-angular-18.2.14

Angular CLI

v18.2.25 - April 20, 2026

Notes

  • This release contains no functional change from the NES v18.2.24.
  • Fixes an issue where installing NES packages would fail to resolve a dependency on @schematics/angular.
  • Full package name(s) and version(s):
    • @neverendingsupport/angular-build@18.2.21-angular-cli-18.2.25
    • @neverendingsupport/angular-cli@18.2.21-angular-cli-18.2.25
    • @neverendingsupport/angular-create@18.2.21-angular-cli-18.2.25
    • @neverendingsupport/angular-pwa@18.2.21-angular-cli-18.2.25
    • @neverendingsupport/angular-ssr@18.2.21-angular-cli-18.2.25
    • @neverendingsupport/angular-devkit-architect@0.1802.21-angular-cli-18.2.25
    • @neverendingsupport/angular-devkit-architect-cli@0.1802.21-angular-cli-18.2.25
    • @neverendingsupport/angular-devkit-build-angular@18.2.21-angular-cli-18.2.25
    • @neverendingsupport/angular-devkit-build-webpack@0.1802.21-angular-cli-18.2.25
    • @neverendingsupport/angular-devkit-core@18.2.21-angular-cli-18.2.25
    • @neverendingsupport/angular-devkit-schematics@18.2.21-angular-cli-18.2.25
    • @neverendingsupport/angular-devkit-schematics-cli@18.2.21-angular-cli-18.2.25
    • @neverendingsupport/ngtools-webpack@18.2.21-angular-cli-18.2.25

v18.2.24 - April 17, 2026

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/angular-build@18.2.21-angular-cli-18.2.24
    • @neverendingsupport/angular-cli@18.2.21-angular-cli-18.2.24
    • @neverendingsupport/angular-create@18.2.21-angular-cli-18.2.24
    • @neverendingsupport/angular-pwa@18.2.21-angular-cli-18.2.24
    • @neverendingsupport/angular-ssr@18.2.21-angular-cli-18.2.24
    • @neverendingsupport/angular-devkit-architect@0.1802.21-angular-cli-18.2.24
    • @neverendingsupport/angular-devkit-architect-cli@0.1802.21-angular-cli-18.2.24
    • @neverendingsupport/angular-devkit-build-angular@18.2.21-angular-cli-18.2.24
    • @neverendingsupport/angular-devkit-build-webpack@0.1802.21-angular-cli-18.2.24
    • @neverendingsupport/angular-devkit-core@18.2.21-angular-cli-18.2.24
    • @neverendingsupport/angular-devkit-schematics@18.2.21-angular-cli-18.2.24
    • @neverendingsupport/angular-devkit-schematics-cli@18.2.21-angular-cli-18.2.24
    • @neverendingsupport/ngtools-webpack@18.2.21-angular-cli-18.2.24

Security Fixes

  • ssr: Validate host headers to prevent header-based SSRF.
    • This fixes a critical-severity Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-27739).

18.2.23 (NES) - October, 2025

Notes

  • This release contains no functional change from the OSS Angular CLI v18.2.21.
  • This release mainlines OSS v18.2.21 into NES v18.2.23.
  • Full package names and versions:
    • @neverendingsupport/angular-build@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-cli@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-create@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-pwa@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-ssr@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-architect@0.1802.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-architect-cli@0.1802.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-build-angular@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-build-webpack@0.1802.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-core@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-schematics@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/angular-devkit-schematics-cli@18.2.21-angular-cli-18.2.23
    • @neverendingsupport/ngtools-webpack@18.2.21-angular-cli-18.2.23

Breaking Changes

@angular/ssr
  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.
    • This fixes a high-severity Information Exposure vulnerability (CVE-2025-59052).

    Before:
    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:
    const bootstrap = (context: BootstrapContext) =>
  bootstrapApplication(AppComponent, config, context);

18.2.22 (NES) - August, 2025

Notes

  • Fixed build issues: updated peer dependency version numbers
  • Full package names and versions:
    • @neverendingsupport/angular-build@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-cli@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-create@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-pwa@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-ssr@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-architect@0.1802.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-architect-cli@0.1802.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-build-angular@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-build-webpack@0.1802.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-core@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-schematics@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/angular-devkit-schematics-cli@18.2.20-angular-cli-18.2.22
    • @neverendingsupport/ngtools-webpack@18.2.20-angular-cli-18.2.22

18.2.21 (NES) - July, 2025

Notes

  • This release contains no functional change from the OSS Angular CLI v18.2.20.
  • This release mainlines OSS v18.2.20 into NES v18.2.21.
  • Full package names and versions:
    • @neverendingsupport/angular-build@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-cli@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-create@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-pwa@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-ssr@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-architect@0.1802.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-architect-cli@0.1802.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-build-angular@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-build-webpack@0.1802.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-core@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-schematics@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/angular-devkit-schematics-cli@18.2.20-angular-cli-18.2.21
    • @neverendingsupport/ngtools-webpack@18.2.20-angular-cli-18.2.21