← Back
2026-06-22 15:20CVE-2026-50178GitHub_M
PUBLISHED5.2CWE-79CWE-94

Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option (located in client/src/client.ts). This setting instructs VS Code to trust all rendered content it receives, which enables active elements such as command: URIs. However, the background Angular Language Server process fails to escape or sanitize brackets, raw links, and control characters from JSDoc strings before forwarding the hover Markdown content (located in server/src/handlers/hover.ts and server/src/text_render.ts). An attacker can leverage this behavior by crafting a project TypeScript or JavaScript file (or a third-party npm package dependency) containing a malicious JSDoc tooltip with an embedded active command link. When a developer hovers over the target symbol to render the tooltip and clicks the malicious link, the IDE executes the command sequence directly on the developer's host machine. Prior to 21.2.4, This vulnerability is fixed in 21.2.4.

Problem type

Affected products

angular

angular

< 21.2.4 - AFFECTED

Angular.ng-template

< 21.2.4 - AFFECTED

References

https://github.com/angular/angular/security/advisories/GHSA-q94j-3wj3-4xcm

https://github.com/angular/angular/security/advisories/GHSA-q94j-3wj3-4xcm

x_refsource_CONFIRM

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-50178
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-50178",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T16:04:50.886Z",
    "dateReserved": "2026-06-03T22:05:13.644Z",
    "datePublished": "2026-06-22T15:20:39.800Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T15:20:39.800Z"
      },
      "title": "Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option (located in client/src/client.ts). This setting instructs VS Code to trust all rendered content it receives, which enables active elements such as command: URIs. However, the background Angular Language Server process fails to escape or sanitize brackets, raw links, and control characters from JSDoc strings before forwarding the hover Markdown content (located in server/src/handlers/hover.ts and server/src/text_render.ts). An attacker can leverage this behavior by crafting a project TypeScript or JavaScript file (or a third-party npm package dependency) containing a malicious JSDoc tooltip with an embedded active command link. When a developer hovers over the target symbol to render the tooltip and clicks the malicious link, the IDE executes the command sequence directly on the developer's host machine. Prior to 21.2.4,  This vulnerability is fixed in 21.2.4."
        }
      ],
      "affected": [
        {
          "vendor": "angular",
          "product": "angular",
          "versions": [
            {
              "version": "< 21.2.4",
              "status": "affected"
            }
          ]
        },
        {
          "vendor": "angular",
          "product": "Angular.ng-template",
          "versions": [
            {
              "version": "< 21.2.4",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
              "cweId": "CWE-79",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')",
              "cweId": "CWE-94",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/angular/angular/security/advisories/GHSA-q94j-3wj3-4xcm",
          "name": "https://github.com/angular/angular/security/advisories/GHSA-q94j-3wj3-4xcm",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-06-22T16:04:50.886Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}