PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49241 Angular CVE debrief

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads custom TypeScript SDK paths directly from workspace configurations without verifying VS Code Workspace Trust state or asking for user consent. An attacker can exploit this behavior by committing a repository containing a local malicious script inside a custom folder and a crafted .vscode/settings.json file pointing to that folder. When a developer opens the repository folder in VS Code, the extension automatically attempts to initialize and load the server, which dynamically resolves, loads, and executes the malicious script silently in the background. This vulnerability is fixed in 21.2.4.

Vendor: Angular
Product: Angular Language Service
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-26
Advisory published: 2026-06-22
Advisory updated: 2026-06-26

Who should care

Anyone who has the Angular Language Service VS Code Extension installed and opens repositories they did not author is exposed: the attack needs nothing more than a cloned repository being opened as a folder in VS Code, so developers who pull from public forks, review external contributions, or clone third-party Angular projects are the primary targets. Update to version 21.2.4 or later.

Technical summary

The flaw is in the client side of the Angular Language Service VS Code extension. On activation it reads a custom TypeScript SDK path from the workspace configuration (.vscode/settings.json) without checking the VS Code Workspace Trust state and without prompting the user, and passes that path as a command-line argument to the background Node.js language server process it spawns. During initialization the server dynamically imports a module library relative to that workspace-supplied directory. Because .vscode/settings.json is ordinary repository content, an attacker can commit a directory containing a malicious script together with a settings file whose SDK path points at that directory; the only user action required is opening the repository folder in VS Code, after which the script runs silently in the background with the developer's privileges.

Defensive priority

Updating the Angular Language Service VS Code Extension to version 21.2.4 or later is the priority; the fix removes the unguarded path load, and no configuration change in the vulnerable versions substitutes for it. Until updated, treat cloning and opening an unfamiliar Angular repository as equivalent to running its code, and review the checked-in workspace configuration before opening it.

Recommended defensive actions

  • Update the Angular Language Service VS Code Extension to version 21.2.4 or later and confirm the installed version in the Extensions view.
  • Before opening an untrusted clone, inspect its .vscode/settings.json (and any checked-in .code-workspace file, which carries the same kind of settings) for a custom TypeScript SDK path or other setting that points at a directory inside the repository; a committed folder outside node_modules referenced from such a setting is the pattern described above.
  • Treat repositories as untrusted until reviewed, and prefer reviewing a clone on disk or in a browser before opening it as a folder in VS Code with the extension enabled.
  • Monitor for unexpected child processes or outbound connections from the Node.js language server process that VS Code spawns for the extension; that process is where the injected script executes.
  • Keep Workspace Trust enabled, but note that the vulnerable versions do not consult it, so it does not mitigate this CVE on its own; it remains worthwhile against extensions that honor it.

Evidence notes

CVE-2026-49241 was published on June 22, 2026, and last updated on June 26, 2026. It carries a CVSS score of 8.7 (HIGH). The affected product is the Angular Language Service VS Code Extension; versions prior to 21.2.4 are affected and 21.2.4 contains the fix. The stored evidence does not list the CVE in CISA KEV.

Official resources

This article is AI-assisted and based on the supplied source corpus.