Description
Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.
Published: 2026-06-05
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A code injection flaw exists in the WaveDrom rendering path of Markdown Preview Enhanced 0.8.x when used with crossnote 0.9.28. The flaw allows an attacker to inject malicious content into a fenced WaveDrom block inside a Markdown file. The unfiltered block content is passed to window.eval() in the VS Code webview context, enabling the execution of arbitrary JavaScript. Through the extension’s message passing system the attacker can issue file‑write commands on the local file system, compromising application integrity and confidentiality.

Affected Systems

The vulnerability affects users of the Markdown Preview Enhanced extension for Visual Studio Code, specifically version 0.8.x, and the crossnote engine version 0.9.28 that provides the rendering functionality.

Risk and Exploitability

The CVSS base score of 8.4 indicates high severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation. Attackers can exploit this weakness by creating or modifying a Markdown document containing a malicious WaveDrom block, then opening the file in VS Code with the vulnerable extension installed. The exploit requires the user to be running the VS Code instance that hosts the extension, a typical privilege level for developers and end‑users.

Generated by OpenCVE AI on June 5, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Markdown Preview Enhanced extension to the latest available release, which removes the insecure eval usage in the WaveDrom rendering pipeline.
  • If an upgrade is not yet available, uninstall or disable the vulnerable extension and avoid opening untrusted Markdown files that contain WaveDrom blocks until a fix is released.
  • Configure VS Code to restrict inline script execution in webviews—for example, disable eval calls or enforce a strict content security policy—to mitigate potential JavaScript injection.

Generated by OpenCVE AI on June 5, 2026 at 23:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Shd101wyy
Shd101wyy crossnote
Shd101wyy markdown Preview Enhanced
Vendors & Products Shd101wyy
Shd101wyy crossnote
Shd101wyy markdown Preview Enhanced

Fri, 05 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.
Title Markdown Preview Enhanced 0.8.x Code Injection via WaveDrom Rendering
Weaknesses CWE-95
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Shd101wyy Crossnote Markdown Preview Enhanced
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T16:13:44.203Z

Reserved: 2026-06-05T20:01:11.442Z

Link: CVE-2026-11422

cve-icon Vulnrichment

Updated: 2026-06-08T13:09:55.271Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-05T21:16:29.177

Modified: 2026-06-08T15:16:39.280

Link: CVE-2026-11422

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:15:44Z

Weaknesses
  • CWE-95

    Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')