Improper Input Validation in Angular Language Service VS Code Extension
CVE-2026-50178

8.7 HIGH

Key Information:

Vendor: Angular

CVE Published: 22 June 2026

What is CVE-2026-50178?

The Angular Language Service extension for Visual Studio Code contains a flaw that allows an attacker to execute commands on a developer's host machine. The extension trusts all content it receives when rendering Markdown and does not properly handle potentially harmful input. An attacker can exploit this by crafting a malicious JSDoc tooltip containing an active command link, delivered in a TypeScript or JavaScript file or through a third-party npm package. When the developer hovers over the symbol and interacts with the tooltip, the IDE executes the command. The issue has been resolved in version 21.2.4.
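
A defensive check for the pattern described above, as an added example (not part of this advisory or of the Angular project's code): it scans JSDoc blocks in source text for links that use the VS Code `command:` URI scheme. That the "active command link" takes this form is an assumption; `findCommandLinks`, the sample source and `example.placeholderCommand` are constructed for illustration.

```javascript
'use strict';

// JSDoc blocks only: "/** ... */" (the empty comment "/**/" is excluded).
const JSDOC_BLOCK = /\/\*\*(?!\/)[\s\S]*?\*\//g;

// Assumed link shapes: [label](command:...), <command:...>, href="command:..."
const COMMAND_LINK =
  /\]\(\s*<?\s*command:[^)\s>]*|<\s*command:[^>\s]*|href\s*=\s*["']?\s*command:[^"'\s>]*/gi;

// 1-based line number of a character offset in the source text.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns one finding per command: link found inside a JSDoc block.
function findCommandLinks(source, file = '<input>') {
  const findings = [];
  for (const block of source.matchAll(JSDOC_BLOCK)) {
    for (const link of block[0].matchAll(COMMAND_LINK)) {
      const offset = block.index + link.index;
      const start = link[0].toLowerCase().indexOf('command:');
      findings.push({ file, line: lineOf(source, offset), uri: link[0].slice(start) });
    }
  }
  return findings;
}

// Constructed sample: one ordinary doc link, one command link with a
// placeholder command id, and one mention outside any JSDoc block.
const SAMPLE = [
  '/**',
  ' * Formats a date. See [docs](https://example.com/docs).',
  ' */',
  'export function formatDate(d) { return d.toISOString(); }',
  '',
  '/**',
  ' * Parses input. [details](command:example.placeholderCommand)',
  ' */',
  'export function parse(s) { return s.trim(); }',
  '',
  '// command:not.in.jsdoc is ignored: it is not inside a JSDoc block',
].join('\n');

for (const f of findCommandLinks(SAMPLE, 'sample.ts')) {
  console.log(`${f.file}:${f.line}: ${f.uri}`);
}
```

Run over `.ts`, `.js` and `.d.ts` files in a project and its `node_modules`, a hit marks a doc comment to review by hand; encoded or entity-escaped variants of the scheme are not covered by this pattern.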

Affected Version(s)

angular < 21.2.4

Angular.ng-template < 21.2.4

CVSS V4

  • Score: 8.7

  • Severity: HIGH

  • Confidentiality: High

  • Integrity: High

  • Availability: High

  • Attack Vector: Network

  • Attack Complexity: Low

  • Attack Required: None

  • Privileges Required: Undefined

  • User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
