UBUNTU-CVE-2026-49241

Source
https://ubuntu.com/security/CVE-2026-49241
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49241.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-49241
Upstream
Published
2026-06-22T16:16:00Z
Modified
2026-06-29T13:56:50.905843762Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom TypeScript SDK paths typescript.tsdk and js/ts.tsdk.path directly from workspace configurations (.vscode/settings.json) without verifying VS Code Workspace Trust state or asking for user consent (located in client/src/client.ts). The client-side extension then passes the parsed settings path as a command-line argument (--tsdk) to the background Node.js language server process. During server initialization, the background language server resolves and dynamically imports (via standard Node.js require()) the module library tsserverlibrary.js relative to the workspace-specified custom directory path. An attacker can exploit this behavior by committing a repository containing a local malicious tsserverlibrary.js script inside a custom folder, and a crafted .vscode/settings.json file pointing to that folder. When a developer opens the repository folder in VS Code, the extension automatically attempts to initialize and load the server, which dynamically resolves, loads, and executes the malicious script silently in the background. This vulnerability is fixed in 21.2.4.

References

Affected packages

Ubuntu:22.04:LTS
angular.js

Package

Name
angular.js
Purl
pkg:deb/ubuntu/angular.js?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.8.2-2
1.8.2-2ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjs-angularjs",
            "binary_version": "1.8.2-2ubuntu0.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49241.json"
Ubuntu:24.04:LTS
angular.js

Package

Name
angular.js
Purl
pkg:deb/ubuntu/angular.js?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.8.3-1
1.8.3-1ubuntu0.24.04.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjs-angularjs",
            "binary_version": "1.8.3-1ubuntu0.24.04.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49241.json"
Ubuntu:25.10
angular.js

Package

Name
angular.js
Purl
pkg:deb/ubuntu/angular.js?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.8.3-1
1.8.3-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjs-angularjs",
            "binary_version": "1.8.3-3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49241.json"
Ubuntu:26.04:LTS
angular.js

Package

Name
angular.js
Purl
pkg:deb/ubuntu/angular.js?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.8.3-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjs-angularjs",
            "binary_version": "1.8.3-3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49241.json"
Ubuntu:Pro:16.04:LTS
angular.js

Package

Name
angular.js
Purl
pkg:deb/ubuntu/angular.js?arch=source&distro=esm-infra%2Fxenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.2.28-1ubuntu2
1.2.28-1ubuntu2+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjs-angularjs",
            "binary_version": "1.2.28-1ubuntu2+esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49241.json"
Ubuntu:Pro:18.04:LTS
angular.js

Package

Name
angular.js
Purl
pkg:deb/ubuntu/angular.js?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.5.10-1
1.5.10-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjs-angularjs",
            "binary_version": "1.5.10-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49241.json"
Ubuntu:Pro:20.04:LTS
angular.js

Package

Name
angular.js
Purl
pkg:deb/ubuntu/angular.js?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.5.10-1
1.7.9-1
1.7.9-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjs-angularjs",
            "binary_version": "1.7.9-1ubuntu0.1~esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-49241.json"