
Angular Language Service Flaws Enable Remote Code Execution

ID: d8e193d3-312d-5619-8684-959342cb245c

STIX ID: report--d8e193d3-312d-5619-8684-959342cb245c

Feed Name: Cyber Press

Threat Score: 75/100

Date Published: 2026-05-26

Date Updated: 2026-05-26

Author: Lucas Martin


**Executive Summary:** A high-severity vulnerability in the VS Code Angular Language Service extension (versions before 21.2.4) enables full host compromise via two independent vectors: a JSDoc hover Markdown command injection that can execute attacker-supplied `command:` URIs when a developer clicks a tooltip link, and an insecure `tsdk` workspace loading path that silently requires and executes a malicious `tsserverlibrary.js` on folder open. The advisory includes CVSS v4.0 scoring indicating high impact and recommends immediate update to 21.2.4, auditing and pinning IDE extensions, and treating exposed developer workstations as potentially compromised.
