CVE-2026-50178 Angular Language Service VS Code Extension RCE
How unsanitized JSDoc hover content and a trusted Markdown renderer let a crafted project file execute arbitrary shell commands on a developer's machine

Disclosed on May 28, 2026, CVE-2026-50178 is a High-severity Remote Code Execution vulnerability in the VS Code Angular Language Service extension (Angular.ng-template). CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). Every version of the extension prior to 21.2.4 is affected. The patch is available in version 21.2.4, released the same day as the advisory. The vulnerability was discovered and reported by CodeMender from Google DeepMind and disclosed via the GitHub Security Advisory GHSA-q94j-3wj3-4xcm.
To be clear about scope: CVE-2026-50178 affects the VS Code extension, not the Angular framework, and it falls outside HeroDevs' NES coverage. We're covering it anyway because it illustrates two things that matter to teams running EOL Angular. First, the attack surface around an Angular application extends beyond the framework into the tooling developers touch every day. Second, organizations that defer framework upgrades tend to defer tooling updates for the same reasons (resource constraints, change-control friction, fear of breakage), which means the teams with the most framework exposure often carry the most tooling exposure too.
Running Angular on an unsupported version? See NES for Angular for security patches on EOL versions the Angular team no longer maintains.
What is CVE-2026-50178?
CVE-2026-50178 is a command injection vulnerability (CWE-79, CWE-94) in the VS Code Angular Language Service extension. The extension renders JSDoc tooltips using VS Code's Markdown renderer, configured with the isTrusted: true flag in client/src/client.ts. That flag instructs VS Code to treat all rendered content as trusted, enabling active elements including command: URIs.
The problem is in the server-side component. The Angular Language Server, in server/src/handlers/hover.ts and server/src/text_render.ts, forwards JSDoc strings to the renderer without escaping brackets, raw links, or control characters. An attacker who can place a malicious JSDoc comment anywhere in the project's TypeScript or JavaScript source, including inside a third-party npm dependency, can embed an active command: URI in the tooltip payload. When the developer hovers over the annotated symbol in VS Code and clicks the rendered link, the IDE executes the attacker's command directly on the developer's host machine.
This is not a conventional web XSS. The execution context is the developer's local machine, running under the developer's OS-level permissions.
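The two rendering paths the advisory contrasts, modelled as an added example (this is not code from the extension or from HeroDevs). The `vscode` module is replaced by a plain `HoverMarkdown` object so the snippet runs stand-alone; `escapeJsDoc`, `renderHoverUnsafe`, `renderHoverSafe`, `containsCommandLink`, `isExploitable` and the sample JSDoc body are all constructed here, and the `command:example.placeholder` id is a placeholder, not a real VS Code command.

```typescript
// Added example: JSDoc text flowing into a Markdown hover, before and after hardening.
// HoverMarkdown stands in for vscode.MarkdownString; only the two fields that matter here.
interface HoverMarkdown {
  value: string;
  isTrusted: boolean; // the isTrusted flag the advisory describes
}

// Characters that start Markdown link, autolink, image, emphasis, code or heading syntax.
const MARKDOWN_ACTIVE = /[\\`*_\[\]()<>#!]/g;
// C0/C1 control characters (newline and tab kept) that can hide or split link text.
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/g;

// Hardening step: drop control characters, then backslash-escape anything Markdown-active,
// so JSDoc is rendered as literal text rather than as links or HTML.
function escapeJsDoc(doc: string): string {
  return doc.replace(CONTROL_CHARS, '').replace(MARKDOWN_ACTIVE, (c) => '\\' + c);
}

// Vulnerable shape: raw JSDoc handed to a renderer marked trusted (command: URIs become live).
function renderHoverUnsafe(doc: string): HoverMarkdown {
  return { value: doc, isTrusted: true };
}

// Hardened shape: escaped JSDoc, and the content is never marked trusted.
function renderHoverSafe(doc: string): HoverMarkdown {
  return { value: escapeJsDoc(doc), isTrusted: false };
}

// Detection: an unescaped inline link whose destination uses the command: scheme.
const COMMAND_LINK = /(^|[^\\])\[[^\]]*\]\(\s*command:/i;
function containsCommandLink(markdown: string): boolean {
  return COMMAND_LINK.test(markdown);
}

// A hover is only dangerous when the link is present AND the renderer trusts the content.
function isExploitable(md: HoverMarkdown): boolean {
  return md.isTrusted && containsCommandLink(md.value);
}

// Constructed sample JSDoc body; the command id is a placeholder, not a real command.
const SAMPLE_JSDOC = 'Formats a date. [See docs](command:example.placeholder)';
```

Run against `SAMPLE_JSDOC`, `isExploitable(renderHoverUnsafe(SAMPLE_JSDOC))` is true and `isExploitable(renderHoverSafe(SAMPLE_JSDOC))` is false. Escaping alone is not enough on its own: the `isTrusted: false` half matters too, because a renderer that trusts content will still honour any `command:` link that slips past an incomplete escape list.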
Severity and exploit conditions
The attack requires three things to be true simultaneously:
- The victim has the Angular.ng-template extension installed and active, at a version prior to 21.2.4.
- The developer opens a workspace containing a TypeScript or JavaScript file (or an installed npm package) with a crafted JSDoc comment embedding a command: URI.
- The developer hovers over the annotated symbol in VS Code and clicks the active link in the rendered tooltip.
The interactive click requirement (UI:P in the CVSS v4 vector) raises the bar modestly compared to a zero-click exploit. In practice, developers routinely hover over symbols to review JSDoc documentation during code review, dependency exploration, and IDE-assisted refactoring. The scenario is realistic in any workflow involving third-party packages or code from external contributors.
The vulnerability class: developer tooling as an attack surface
CVE-2026-50178 fits a well-established and underappreciated attack class: targeting the developer's workstation rather than the production application. Developer tools are a high-value target precisely because of what they have access to.
A successful exploit against a developer machine can yield:
Credential and secret exfiltration. Developer machines typically store SSH private keys, AWS credential files, .env configurations, database connection strings, and CI/CD secrets. A single command invocation can exfiltrate all of these.
Supply chain injection. An attacker with write access to the developer's source tree can modify code before it reaches version control. This is one step removed from a full supply chain compromise.
Lateral movement into CI/CD. Developer machines often have authenticated access to GitHub, CI systems, and package registries. Commands executed under the developer's identity can push code, trigger builds, and publish packages.
Workspace Trust bypass. The advisory notes explicitly that the exploit succeeds despite VS Code's Restricted Mode. VS Code's Workspace Trust model is one of the primary defenses against malicious project files; CVE-2026-50178 bypasses it for the Angular Language Service extension.
What an attacker can do
A crafted JSDoc payload in a project file or npm dependency, once triggered, executes arbitrary shell commands under the developer's OS user account. Specific consequences include:
- Credential file exfiltration - reading ~/.aws/credentials, ~/.ssh/id_rsa, .env files, and browser-stored tokens
- Code tampering - inserting backdoors into source files before the developer commits them
- Package registry poisoning - using the developer's authenticated npm session to publish modified package versions
- Persistent access - installing cron jobs, launchd agents, or systemd services that survive the IDE session
- Reconnaissance - enumerating the developer's filesystem, network configuration, and environment variables to inform follow-on attacks
Who is affected?
Note: CVE-2026-50178 is scoped to the VS Code extension (Angular.ng-template), not to the Angular framework itself. Teams running Angular 18 or earlier on their application may also be running unpatched tooling for the same reason: extension updates are often deferred in the same organizations that defer framework upgrades. The Angular framework EOL situation is a separate and compounding problem covered in the Related CVEs section below.
Mitigation guidance
The bigger pattern - Angular vulnerabilities are accelerating
CVE-2026-50178 is not an isolated event. It is part of a measurable increase in Angular-ecosystem vulnerability disclosures over the past 12 months. Each of the following affected EOL Angular versions as well as current ones:
CVE-2026-27970 - Cross-Site Scripting in Angular's i18n ICU message pipeline. Affects every Angular version ever released. Only versions 19 through 21 received upstream patches. Angular 18 and earlier have no fix from the open source project.
CVE-2026-22610 - XSS via SVG <script> element attribute bindings in @angular/core. Affects applications binding user-controlled data to href or xlink:href on SVG script elements.
CVE-2025-66412, CVE-2025-66035, CVE-2025-59052 - A batch of three vulnerabilities disclosed together covering stored XSS, XSRF token leakage via protocol-relative URLs, and SSR state leakage under concurrent load.
The rate at which these vulnerabilities are being found is itself significant. It reflects a broader industry dynamic: as AI-assisted security research tools mature, the throughput of vulnerability discovery is increasing faster than the throughput of remediation. The Angular security advisory page has seen more disclosures in the past six months than in the previous two years combined. Organizations that assume a low historical CVE rate will persist into the future are working from an outdated model.
This has a direct implication for teams on EOL versions. When you are running Angular 18 or earlier:
- You receive no upstream patches from the Angular team, regardless of severity.
- Your exposure compounds with every new CVE disclosed against your version range.
- The tooling your developers use may also be lagging, as CVE-2026-50178 demonstrates.
Taking action
CVE-2026-50178 patches cleanly: update the VS Code extension to 21.2.4. If your developers have auto-updates enabled and VS Code running, they may already be protected. Verify by checking the installed version in VS Code's Extensions panel.
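For checking more than one machine, the installed version can also be read from the command line with `code --list-extensions --show-versions`, which prints one `publisher.name@version` line per extension. The following is an added example (not HeroDevs' or the extension's code) that parses that output and reports whether `Angular.ng-template` is absent, older than 21.2.4, or patched; `parseExtensionList`, `compareVersions`, `angularLsStatus` and the sample listings are constructed for this illustration, and the other extension ids in the samples are placeholders.

```typescript
// Added example: classify the installed Angular Language Service version from
// `code --list-extensions --show-versions` output.
const FIXED_VERSION = '21.2.4';
const EXTENSION_ID = 'angular.ng-template'; // extension ids are compared case-insensitively

// Parse "publisher.name@version" lines into a lowercase id -> version map.
function parseExtensionList(output: string): Map<string, string> {
  const installed = new Map<string, string>();
  for (const raw of output.split(/\r?\n/)) {
    const line = raw.trim();
    const at = line.lastIndexOf('@');
    if (at <= 0) continue; // blank line or an entry without a version
    installed.set(line.slice(0, at).toLowerCase(), line.slice(at + 1));
  }
  return installed;
}

// Compare dotted numeric versions; a pre-release suffix ("-next.0") sorts below its release.
function compareVersions(a: string, b: string): number {
  const [aCore, ...aPre] = a.split('-');
  const [bCore, ...bPre] = b.split('-');
  const pa = aCore.split('.').map(Number);
  const pb = bCore.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (aPre.length && !bPre.length) return -1;
  if (!aPre.length && bPre.length) return 1;
  return 0;
}

type Status = 'not-installed' | 'vulnerable' | 'patched';

// Look up the extension and compare against the fixed release named in the advisory.
function angularLsStatus(listing: string): Status {
  const version = parseExtensionList(listing).get(EXTENSION_ID);
  if (version === undefined) return 'not-installed';
  return compareVersions(version, FIXED_VERSION) < 0 ? 'vulnerable' : 'patched';
}

// Constructed sample listings standing in for real CLI output; ids other than
// Angular.ng-template are placeholders.
const SAMPLE_VULNERABLE = 'example.linter@1.0.0\nAngular.ng-template@21.2.3\nexample.formatter@2.1.0\n';
const SAMPLE_PATCHED = 'example.linter@1.0.0\nAngular.ng-template@21.2.4\n';
const SAMPLE_ABSENT = 'example.linter@1.0.0\nexample.formatter@2.1.0\n';
```

Feed it the real listing (for example by reading stdin) and a `vulnerable` result on any developer machine means the extension still needs updating, while `not-installed` machines are out of scope for this CVE.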
The harder problem is the framework itself. If your organization is running Angular on an EOL version, the pace of new CVE disclosures means the gap between "when we need to act" and "when we already needed to act" is closing faster than it has at any point in Angular's history.
NES for Angular delivers backported security patches for Angular v4 through v19, covering CVEs including CVE-2026-27970, CVE-2026-22610, and the 2025 batch disclosures, on versions the Angular team no longer maintains. If migration is not immediately viable, NES closes the remediation gap while your team plans the upgrade on its own timeline.
The vulnerability cadence is not slowing down. The question is whether your security posture is keeping pace with it.

