cvedb.io
CVE-2026-49241
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-06-22T16:16:36.310 · Last modified 2026-06-26T03:47:27.227

Summary

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom TypeScript SDK paths typescript.tsdk and js/ts.tsdk.path directly from workspace configurations (.vscode/settings.json) without verifying VS Code Workspace Trust state or asking for user consent (located in client/src/client.ts). The client-side extension then passes the parsed settings path as a command-line argument (--tsdk) to the background Node.js language server process. During server initialization, the background language server resolves and dynamically imports (via standard Node.js require()) the module library tsserverlibrary.js relative to the workspace-specified custom directory path

Affected products

angular — angular_language_service

Does this affect you?

Add your gear to cvedb and we'll alert you only when angular ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.