CVE-2026-50178— Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-50178
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option (located in client/src/client.ts). This setting instructs VS Code to trust all rendered content it receives, which enables active elements such as command: URIs. However, the background Angular Language Server process fails to escape or sanitize brackets, raw links, and control characters from JSDoc strings before forwarding the hover Markdown content (located in server/src/handlers/hover.ts and server/src/text_render.ts). An attacker can leverage this behavior by crafting a project TypeScript or JavaScript file (or a third-party npm package dependency) containing a malicious JSDoc tooltip with an embedded active command link. When a developer hovers over the target symbol to render the tooltip and clicks the malicious link, the IDE executes the command sequence directly on the developer's host machine. Prior to 21.2.4, This vulnerability is fixed in 21.2.4.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| angular | angular | < 21.2.4 | - | |
| angular | Angular.ng-template | < 21.2.4 | - |
II. Public POCs for CVE-2026-50178
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-50178
请登录查看更多情报信息。
Other References for CVE-2026-50178 (1)
Same Patch Batch · angular · 2026-06-22 · 17 CVEs total
| CVE-2026-52725 | Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (X | |
| CVE-2026-54265 | Angular: Two-Way Property Binding Sanitization Bypass (XSS) | |
| CVE-2026-54268 | Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate) | |
| CVE-2026-54266 | Angular: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Dat | |
| CVE-2026-54264 | Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker | |
| CVE-2026-54267 | Angular Client Hydration DOM Clobbering & Response-Cache Poisoning | |
| CVE-2026-49241 | Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Cod | |
| CVE-2026-50171 | Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo) | |
| CVE-2026-50169 | Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities | |
| CVE-2026-50557 | Angular: Template and Attribute Namespace Sanitization Bypass (XSS) | |
| CVE-2026-50168 | Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist Byp | |
| CVE-2026-50556 | Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scriptin | |
| CVE-2026-50555 | Angular: Improper Neutralization of Input During Web Page Generation ('Cross-site Scriptin | |
| CVE-2026-50184 | Angular: Request Credential & Cache Policy Stripping in Angular Service Worker | |
| CVE-2026-50170 | Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCach | |
| CVE-2026-46417 | Angular: SSRF via Hostname Hijacking in @angular/platform-server |
IV. Related Vulnerabilities
Same product: angular
- CVE-2026-50171
Angular: Denial of Service (DoS) via OOM in Number Formattin - CVE-2026-50184
Angular: Request Credential & Cache Policy Stripping in Angu - CVE-2026-50169
Angular Service Worker Policy-Bypass & Credential-Stripping - CVE-2026-46417
Angular: SSRF via Hostname Hijacking in @angular/platform-se - CVE-2026-50168
Angular: URL Parser Differential in @angular/platform-server
Same vendor: angular
- CVE-2026-50171
Angular: Denial of Service (DoS) via OOM in Number Formattin - CVE-2026-50184
Angular: Request Credential & Cache Policy Stripping in Angu - CVE-2026-50169
Angular Service Worker Policy-Bypass & Credential-Stripping - CVE-2026-46417
Angular: SSRF via Hostname Hijacking in @angular/platform-se - CVE-2026-50168
Angular: URL Parser Differential in @angular/platform-server
Same weakness: CWE-79
- CVE-2026-57656
WordPress Hester Core plugin <= 1.1.8 - Cross Site Scripting - CVE-2026-57651
WordPress Ghost Kit plugin <= 3.6.0 - Cross Site Scripting ( - CVE-2026-57650
WordPress Magazine Blocks plugin <= 1.8.3 - Cross Site Scrip - CVE-2026-57638
WordPress Fluent Booking plugin <= 2.1.0 - Cross Site Script - CVE-2026-57629
WordPress StatCounter plugin <= 2.1.1 - Cross Site Scripting
V. Comments for CVE-2026-50178
No comments yet