CVE-2026-50178
Status: Received - Intake
Command Injection in Angular Language Service VS Code Extension

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. The client-side extension configures the tooltip Markdown renderer with the isTrusted: true option (in client/src/client.ts). This setting tells VS Code to trust all rendered content it receives, which enables active elements such as command: URIs. However, the background Angular Language Server process does not escape or sanitize brackets, raw links, or control characters in JSDoc strings before forwarding them as hover Markdown (in server/src/handlers/hover.ts and server/src/text_render.ts). An attacker can exploit this by crafting a project TypeScript or JavaScript file, or a third-party npm package dependency, whose JSDoc comment contains an active command link. When a developer hovers over the affected symbol and clicks the link in the tooltip, the IDE executes the embedded command on the developer's host machine. Versions prior to 21.2.4 are affected; the vulnerability is fixed in 21.2.4.
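The following is an added example, not code from the Angular Language Service or its fix. It models the two halves of the issue described above: a trusted Markdown hover that forwards JSDoc text verbatim, and the same hover built from text that has had its brackets, raw-link characters and control characters neutralized first. The HoverMarkdown shape stands in for vscode.MarkdownString so the code runs without the VS Code API, the function names are assumptions, and the command id extension.example.run is hypothetical.

```typescript
// Added example: models the hover path described in the advisory. This is not
// code from the Angular Language Service; the HoverMarkdown shape stands in for
// vscode.MarkdownString, the function names are assumptions, and the command
// id "extension.example.run" is hypothetical.

interface HoverMarkdown {
  value: string;
  // Mirrors MarkdownString.isTrusted: when true, command: links are clickable.
  isTrusted: boolean;
}

// Constructed sample: a JSDoc comment body as it might ship in a dependency.
// Only the link target is hostile; everything else is ordinary doc text.
export const MALICIOUS_JSDOC = [
  "Formats the given value.",
  "",
  "See the [migration guide](command:extension.example.run) for details.",
].join("\n");

// Finds command: targets in Markdown link syntax [label](command:...) and in
// <command:...> autolinks. Used here to decide whether a tooltip is dangerous.
export function extractCommandUris(markdown: string): string[] {
  const found: string[] = [];
  const patterns = [
    /\[[^\]]*\]\(\s*(command:[^)\s]+)\s*\)/g,
    /<(command:[^>\s]+)>/g,
  ];
  for (const re of patterns) {
    let m: RegExpExecArray | null;
    while ((m = re.exec(markdown)) !== null) found.push(m[1]);
  }
  return found;
}

// Neutralizes JSDoc text before it is handed to a Markdown renderer: strip C0
// control characters (and DEL) that can break the surrounding context, and
// backslash-escape the punctuation that forms links, autolinks and other
// active Markdown constructs.
export function escapeJsDocForMarkdown(text: string): string {
  return text
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "")
    .replace(/[\\`*_{}[\]()<>#+!|]/g, (c) => "\\" + c);
}

// Vulnerable shape: JSDoc forwarded verbatim into a trusted MarkdownString.
export function buildHoverVulnerable(jsDoc: string): HoverMarkdown {
  return { value: jsDoc, isTrusted: true };
}

// Hardened shape: escape first, and do not trust the string unless a specific
// command is intended (VS Code also accepts isTrusted: { enabledCommands: [...] }
// to allow-list particular commands instead of trusting everything).
export function buildHoverHardened(jsDoc: string): HoverMarkdown {
  return { value: escapeJsDocForMarkdown(jsDoc), isTrusted: false };
}

// A tooltip can execute a command only if the renderer trusts it AND the
// content still carries a command: target.
export function hasClickableCommandLink(hover: HoverMarkdown): boolean {
  return hover.isTrusted && extractCommandUris(hover.value).length > 0;
}
```

The escaping alone removes the link syntax, and dropping isTrusted removes the click-to-execute capability; a server that does only one of the two still leaks the raw JSDoc into a context that may be trusted by a different client, so doing both is the conservative choice.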
Affected Vendors & Products
Vendor: angular
Product: angular_language_service
Version / Range: 21.2.4 (the single associated CPE on this page; per the description, 21.2.4 is the fixed release and all earlier versions are affected)
CWE ID and Description
CWE-94 (Improper Control of Generation of Code): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 (Improper Neutralization of Input During Web Page Generation): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-50178 is a high-severity vulnerability in the Angular Language Service VS Code Extension prior to version 21.2.4. The extension configures the tooltip Markdown renderer with the isTrusted: true option, which allows active elements such as command: URIs to be rendered as clickable links in VS Code. At the same time, the Angular Language Server does not escape or sanitize brackets, raw links, or control characters in JSDoc strings before forwarding them as hover Markdown.

An attacker can embed a JSDoc comment containing an active command link in a TypeScript or JavaScript file in the workspace, or in a third-party npm package the project depends on. When a developer hovers over the symbol and clicks the link, the IDE executes the embedded command on the developer's machine. By default VS Code does not render command: links from untrusted Markdown; setting isTrusted: true on unsanitized content removes that protection.

Impact Analysis

This vulnerability can lead to code execution on the developer's machine with the privileges of the VS Code process. An attacker who gets a crafted JSDoc comment into the workspace can run commands through the IDE by tricking the developer into clicking a link in a tooltip.

Successful exploitation requires the vulnerable extension to be installed, a malicious JSDoc payload present in the workspace (including inside node_modules), and user interaction (hovering over the symbol and clicking the link). Because dependencies are a delivery path, this is a software-supply-chain exposure as well as a local one. A compromised developer workstation can lead to loss of source code and credentials, unauthorized access to connected systems, or further attacks launched from the developer's environment.

Detection Guidance

Detection of this vulnerability starts with identifying whether the Angular Language Service VS Code Extension is installed and is a version prior to 21.2.4. Running code --list-extensions --show-versions prints each installed extension with its version; the Angular Language Service is published under the identifier Angular.ng-template.

Since the vulnerability is triggered by JSDoc tooltips containing active command links in TypeScript or JavaScript files, scanning project sources (and installed dependencies under node_modules) for JSDoc comments that contain command: URIs can surface exploitation attempts. Matches are leads rather than proof: a link target must be inspected to tell a benign command from a hostile one.

The resources linked from this page provide no specific commands to detect this vulnerability directly on a network or system.
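The scanner below is an added example of the check described in the detection guidance above; it is not tooling from the Angular project. It extracts every /** ... */ block from a source file and reports command: link targets found inside it, with the file and 1-based line number. The file contents are constructed for the example, and the command ids extension.example.run and extension.example.migrate are hypothetical. Mentions of command: outside JSDoc (for example in a line comment) are deliberately not reported, because the advisory's trigger is JSDoc text forwarded into hover Markdown.

```typescript
// Added example: scan TS/JS sources for JSDoc comments carrying command: links.
// Not the Angular project's tooling; inputs below are constructed, and the
// command ids are hypothetical.

export interface Finding {
  file: string;
  line: number; // 1-based line on which the command: target appears
  uri: string;  // the command: target as written
}

// Finds every /** ... */ block in `source` and the command: link targets
// inside it, in either [label](command:...) or <command:...> form.
export function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  const jsDocRe = /\/\*\*[\s\S]*?\*\//g;
  const cmdRe = /(?:\]\(\s*|<)(command:[^)>\s]+)/g;
  let block: RegExpExecArray | null;
  while ((block = jsDocRe.exec(source)) !== null) {
    // Line on which this JSDoc block starts.
    const startLine = source.slice(0, block.index).split("\n").length;
    let m: RegExpExecArray | null;
    while ((m = cmdRe.exec(block[0])) !== null) {
      const line = startLine + block[0].slice(0, m.index).split("\n").length - 1;
      findings.push({ file, line, uri: m[1] });
    }
  }
  return findings;
}

// Scans an in-memory map of path -> contents; a real run would read files from
// disk, including node_modules, since dependencies are a delivery path.
export function scanAll(files: { [path: string]: string }): Finding[] {
  const out: Finding[] = [];
  for (const file of Object.keys(files)) {
    out.push(...scanSource(file, files[file]));
  }
  return out;
}

// Constructed sample inputs: a clean file whose line comment mentions command:
// (must not be reported), a file with an autolink inside JSDoc, and a dependency
// with a Markdown link inside JSDoc.
export const SAMPLE_FILES: { [path: string]: string } = {
  "src/util.ts": [
    "/** Adds two numbers. */",
    "export function add(a: number, b: number): number {",
    "  // see <command:extension.example.run> in the README",
    "  return a + b;",
    "}",
  ].join("\n"),
  "src/legacy.ts": [
    "import { add } from './util';",
    "",
    "/**",
    " * Legacy helper; run <command:extension.example.migrate> to upgrade.",
    " */",
    "export const legacy = add;",
  ].join("\n"),
  "node_modules/some-dep/index.js": [
    "'use strict';",
    "/**",
    " * Formats a value.",
    " *",
    " * See [the docs](command:extension.example.run) first.",
    " */",
    "module.exports = function format(v) { return String(v); };",
  ].join("\n"),
};
```

Run it over a checkout with node_modules installed and review each reported target by hand; a command: URI in third-party documentation is unusual enough that every hit deserves a look, but only the target tells you whether it is hostile.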

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Angular Language Service VS Code Extension to version 21.2.4 or later, where this vulnerability is fixed.

Until the upgrade is in place, avoid opening untrusted TypeScript or JavaScript projects or third-party npm packages with the extension enabled, and treat links inside hover tooltips as untrusted: do not click a link in a tooltip whose target you have not inspected.

Compliance Impact

The information on this page does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
