Angular VS Code Language Service Flaw Enables RCE via Malicious JSDoc Hover Links
A high-severity vulnerability in the Angular Language Service extension for Visual Studio Code, tracked as CVE-2026-50178, allows remote code execution when malicious JSDoc content is rendered inside hover tooltips. The flaw stems from the extension treating tooltip Markdown as trusted while the Angular Language Server forwards insufficiently sanitized JSDoc-derived content, including brackets, raw links, and control characters. An attacker can embed a crafted command: URI in a project file or a third-party npm dependency so that, when a developer hovers over the affected symbol and clicks the link, VS Code executes commands on the developer’s host machine.
The issue affects Angular.ng-template versions prior to 21.2.4 and can bypass normal Restricted Mode and Workspace Trust protections in VS Code. GitHub’s advisory says the bug was discovered and reported by CodeMender from Google DeepMind, and the published CVSS 4.0 base score is 8.7. Users are advised to upgrade the extension to version 21.2.4 or later to remediate the vulnerability.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-50178 entry published with high severity rating
A CVE entry for the Angular Language Service extension flaw was published as CVE-2026-50178 with a CVSS 4.0 base score of 8.7, rated High. The entry describes the same command-injection path via trusted Markdown hover rendering and notes the issue is fixed in version 21.2.4.
Angular fixes flaw in Angular.ng-template version 21.2.4
The advisory states the issue affects Angular.ng-template versions before 21.2.4 and advises users to upgrade to version 21.2.4 or later. This identifies version 21.2.4 as the fix for the vulnerability.
Angular discloses VS Code extension RCE vulnerability
Angular published a security advisory for a remote code execution flaw in the VS Code Angular Language Service extension caused by unsanitized JSDoc hover content being rendered as trusted Markdown. The advisory states that a crafted command URI in project files or third-party npm dependencies could execute code if a developer clicked the link in a hover tooltip.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-50178 - Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension
cvefeed.io
Open sourceRemote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension · Advisory · angular/angular · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Angular VS Code extension flaw enabled zero-click code execution from malicious workspaces
Angular disclosed a high-severity arbitrary code execution flaw in the VS Code Angular Language Service extension (`Angular.ng-template`) that allowed a malicious repository to run code on a developer’s machine when the folder was opened in VS Code. The issue, tracked as **`CVE-2026-49241`**, affected versions prior to **`21.2.4`** and stemmed from the extension reading a workspace-configured `typescript.tsdk` path from `.vscode/settings.json` without honoring VS Code Workspace Trust or requiring user approval. That path was then passed to the background Node.js language server, which loaded `tsserverlibrary.js` from an attacker-controlled location, creating a zero-click path to host compromise and effectively bypassing VS Code Restricted Mode. Angular fixed the vulnerability in version **`21.2.4`** through two hardening changes: blocking workspace-level TypeScript SDK loading in untrusted workspaces and requiring explicit confirmation before loading a workspace-level SDK in trusted ones, with approval stored locally in secure workspace state. A second change disables the language server and related command registration until workspace trust is granted, preventing silent execution in restricted environments. The vulnerability was reported by **CodeMender from Google DeepMind** and is listed with a **CVSS 4.0 score of 8.7** as remotely exploitable.
Jun 22, 2026
Stored XSS Vulnerability in Angular via SVG and MathML Bypass
A high-severity vulnerability, tracked as CVE-2025-66412, has been discovered in the Angular framework, allowing stored cross-site scripting (XSS) attacks through SVG animation, SVG URL, and MathML attributes. The flaw exists in the Angular Template Compiler, where the internal security schema fails to properly classify certain URL-holding attributes as requiring strict URL security, enabling attackers to inject malicious scripts that bypass Angular's built-in sanitization. This vulnerability affects Angular versions prior to 21.0.2, 20.3.15, and 19.2.17, and has been addressed in these subsequent releases. Attackers exploiting this vulnerability can persistently inject malicious JavaScript into web applications built with vulnerable Angular versions, potentially compromising user data and session integrity. Organizations using Angular are strongly advised to update to the fixed versions to mitigate the risk of exploitation. The vulnerability is remotely exploitable and has been rated as high severity, with a CVSS 4.0 score of 8.5, underscoring the urgency for prompt remediation.
Mar 21, 2026
Critical Vulnerabilities in Popular VS Code Extensions Enable Local File Theft and Code Execution
Security researchers at **OX Security** disclosed multiple vulnerabilities across widely used Microsoft Visual Studio Code extensions—**Live Server**, **Code Runner**, **Markdown Preview Enhanced**, and **Microsoft Live Preview**—with combined installs reported at **125–128 million**. The issues enable attacks ranging from **local file exfiltration** to **arbitrary code/JavaScript execution**, and highlight how a single vulnerable or malicious extension can be leveraged for broader compromise and potential lateral movement in developer environments. Reported flaws include **CVE-2025-65717** (Live Server; CVSS 9.1) enabling local file theft by luring a developer to a malicious site while the extension’s local server is running (e.g., `localhost:5500`), **CVE-2025-65716** (Markdown Preview Enhanced; CVSS 8.8) allowing arbitrary JavaScript execution via a crafted `.md` file with subsequent local port enumeration and exfiltration, and **CVE-2025-65715** (Code Runner; CVSS 7.8) enabling code execution by tricking users into modifying `settings.json`. Separate reporting on **Microsoft Live Preview** describes a **one-click reflected XSS** and unauthenticated request abuse against the extension’s local development server to enumerate and exfiltrate sensitive files (e.g., `.env`, API keys, source code); this Live Preview issue was reported as patched in version **0.4.16** via input sanitization (e.g., an `escapeHTML` function), while other extension issues were described as **unpatched** at the time of reporting.
Mar 21, 2026