CVE-2026-49241

Home/CVE/The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4

CVE

↯ PDF report

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom TypeScript SDK paths typescript.tsdk and js/ts.tsdk.path directly from workspace configurations (.vscode/settings.json) without verifying VS Code Workspace Trust state or asking for user consent (located in client/src/client.ts). The client-side extension then passes the parsed settings path as a command-line argument (--tsdk) to the background Node.js language server process.

During server initialization, the background language server resolves and dynamically imports (via standard Node.js require()) the module library tsserverlibrary.js relative to the workspace-specified custom directory path. An attacker can exploit this behavior by committing a repository containing a local malicious tsserverlibrary.js script inside a custom folder, and a crafted .vscode/settings.json file pointing to that folder. When a developer opens the repository folder in VS Code, the extension automatically attempts to initialize and load the server, which dynamically resolves, loads, and executes the malicious script silently in the background.

This vulnerability is fixed in 21.2.4.

Monitor

⚠ NVD has not scored this CVE yet - manual triage required (common for recent CVEs)

No Sigma yet — build one → YARA rules0

Look this up elsewhere - one-click external pivots

NVD CVE.org CISA Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

▸ How to read a CVE - triage first, then detect and patch

This page is every public fact about CVE-2026-49241, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.

Triage: should I act now? Four signals, and they are not interchangeable:

CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.

How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.

Then what - two workflows:

Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.

Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

◆

ATT&CK techniques

Techniques this CVE enables. Pills with a solid outline are high confidence - named directly in ATT&CK or Nuclei, or human-curated by CTID; the rest are inferred from the weakness type using MITRE's CVE Mapping Methodology and the CWE → CAPEC chain. Broad, generic-weakness guesses are filtered out. A small N× marks a technique that N independent sources agree on.

T1027.006 · HTML Smuggling T1027.009 · Embedded Payloads T1059 · Command and Scripting Interpreter T1059.007 · JavaScript T1072 · Software Deployment Tools T1185 · Browser Session Hijacking T1195.001 · Compromise Software Dependencies and Development Tools T1195.002 · Compromise Software Supply Chain T1564.009 · Resource Forking T1574 · Hijack Execution Flow T1574.001 · DLL T1574.004 · Dylib Hijacking T1574.007 · Path Interception by PATH Environment Variable T1574.008 · Path Interception by Search Order Hijacking T1574.009 · Path Interception by Unquoted Path

▤ Build a SIEM detection for these techniques

▤

CAPEC attack patterns

Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.

CAPEC-CAPEC-184 · Software Integrity Attack CAPEC-CAPEC-185 · Malicious Software Download CAPEC-CAPEC-186 · Malicious Software Update CAPEC-CAPEC-187 · Malicious Automated Software Update via Redirection CAPEC-CAPEC-209 · XSS Using MIME Type Mismatch CAPEC-CAPEC-242 · Code Injection CAPEC-CAPEC-35 · Leverage Executable Code in Non-Executable Files CAPEC-CAPEC-38 · Leveraging/Manipulating Configuration File Search Paths CAPEC-CAPEC-471 · Search Order Hijacking CAPEC-CAPEC-533 · Malicious Manual Software Update CAPEC-CAPEC-538 · Open-Source Library Manipulation CAPEC-CAPEC-588 · DOM-Based XSS

⬡

Weakness Classification

CWE-427Uncontrolled Search Path Element
CWE-494Download of Code Without Integrity Check
CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94Improper Control of Generation of Code ('Code Injection')

▤

Related CVEs

CVEs linked to this one by a shared weakness (CWE) or affected product - joins on data already in the engine, with the reason shown per row. Not a guess.

CVE-2005-0457 Opera 7.54 and earlier on Gentoo Linux uses an insecure path for plugins, which ... same CWE-427 CVE-2013-0725 ERDAS ER Viewer 13.0 has dwmapi.dll and irml.dll libraries arbitrary code execut... same CWE-427 HIGH CVE-2014-8393 DLL Hijacking vulnerability in CorelDRAW X7, Corel Photo-Paint X7, Corel PaintSh... 2 same CWE-427 HIGH CVE-2015-1014 A successful exploit of these vulnerabilities requires the local user to load a ... same CWE-427 HIGH CVE-2001-1125 Symantec LiveUpdate before 1.6 does not use cryptography to ensure the integrity... same CWE-494 CRITICAL CVE-2002-0671 Pingtel xpressa SIP-based voice-over-IP phone 1.2.5 through 1.2.7.4 downloads ph... same CWE-494 CRITICAL CVE-2008-3438 Apple Mac OS X does not properly verify the authenticity of updates, which allow... same CWE-494 HIGH CVE-2008-3324 The PartyGaming PartyPoker client program 121/120 does not properly verify the a... same CWE-494 HIGH

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://github.com/angular/angular/pull/68857

https://github.com/angular/angular/pull/68886

https://github.com/angular/angular/security/advisories/GHSA-ccq4-xmxr-8hcq