cvefeed.io
High-Severity RCE Vulnerability in Angular VS Code Extension Discovered
A high-severity vulnerability, CVE-2026-50178, in the Angular Language Service extension for Visual Studio Code allows remote code execution through malicious JSDoc hover links. The flaw arises because the extension trusts tooltip Markdown while the Angular Language Server does not adequately sanitize JSDoc content. Attackers can exploit this by embedding crafted command URIs in project files or npm dependencies, leading to execution on the developer's machine when the link is clicked. The issue affects Angular.ng-template versions prior to 21.2.4; version 21.2.4 contains the fix. The vulnerability has a CVSS score of 8.7 and was reported by CodeMender from Google DeepMind. Users are strongly advised to upgrade to version 21.2.4 or later to mitigate the risk.
Key Points:
• CVE-2026-50178 allows RCE via malicious JSDoc links in VS Code Angular extension.
• The vulnerability affects Angular.ng-template versions before 21.2.4, with a CVSS score of 8.7.
• Users must upgrade to version 21.2.4 or later to remediate this high-severity flaw.