Client-Side Vulnerability in Angular Language Service Extension for VS Code
CVE-2026-49241
What is CVE-2026-49241?
The Angular Language Service Extension for Visual Studio Code (VS Code) provides rich editing features for Angular templates. Prior to version 21.2.4, the client-side extension reads custom TypeScript SDK paths directly from workspace configuration without checking the Workspace Trust state or obtaining user consent, and sends these settings as command-line arguments to a backend Node.js language server. If a malicious actor places a harmful script within the custom directory specified in the settings, the extension can silently execute this script when a user opens the project in VS Code, which makes exploitation straightforward. This critical issue was addressed in version 21.2.4.
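A defensive check for the condition described above, as an added example that is not part of the advisory or the extension's code: it parses a workspace settings file before the project is opened and reports where a custom TypeScript SDK path points relative to the project. It assumes the setting key is `typescript.tsdk`, since the advisory does not name it; the function names and risk labels are this example's own.

```javascript
const path = require('path');
// Assumption: 'typescript.tsdk' is the key carrying the custom SDK path;
// the advisory does not name the setting.
const SDK_KEYS = ['typescript.tsdk'];

// settings.json is JSONC: drop comments and trailing commas, string-aware.
function stripJsonc(text) {
  let out = '', inStr = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i], n = text[i + 1];
    if (inStr) {
      out += c;
      if (c === '\\') { out += n ?? ''; i++; }
      else if (c === '"') inStr = false;
    } else if (c === '"') { inStr = true; out += c; }
    else if (c === '/' && n === '/') { while (i < text.length && text[i] !== '\n') i++; out += '\n'; }
    else if (c === '/' && n === '*') { i = text.indexOf('*/', i + 2); if (i < 0) break; i++; }
    else if (c === '}' || c === ']') out = out.replace(/,\s*$/, '') + c;
    else out += c;
  }
  return out;
}

// Classify each SDK path relative to the workspace root (heuristic labels).
function auditSettings(text, workspaceRoot) {
  let parsed;
  try { parsed = JSON.parse(stripJsonc(text)); }
  catch { return [{ key: null, risk: 'unparseable' }]; }
  if (!parsed || typeof parsed !== 'object') return [];
  const settings = parsed.settings ?? parsed; // *.code-workspace nests settings
  const findings = [];
  for (const key of SDK_KEYS) {
    const value = settings[key];
    if (typeof value !== 'string' || value === '') continue;
    const rel = path.relative(workspaceRoot, path.resolve(workspaceRoot, value));
    const inside = rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
    const inDeps = rel.split(path.sep).includes('node_modules');
    findings.push({ key, value, risk: !inside ? 'external' : inDeps ? 'review' : 'repo-shipped' });
  }
  return findings;
}

// Constructed sample input, not taken from a real project.
const SAMPLE = `{
  // pinned compiler
  "typescript.tsdk": "./.tools/tsdk/lib", /* directory committed to the repo */
}`;
console.log(auditSettings(SAMPLE, '/home/dev/project'));
```

A `repo-shipped` result means the SDK directory arrives with the cloned project itself, which is the case to inspect before opening the folder with an extension version earlier than 21.2.4.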
Affected Version(s)
angular < 21.2.4
