Impact
The vulnerability lies in the parsing of Bitfield fenced code blocks in Markdown Preview Enhanced before version 0.8.28. The extension’s interpretJS() function evaluates the content of these blocks using vm.runInNewContext(), treating the block body as executable JavaScript. Because the block is parsed as code, an attacker can embed arbitrary JavaScript that will run on the machine when the markdown file is rendered or exported, potentially gaining full control of that system. This is a classic code injection flaw classified as CWE‑94, meaning the attacker can run any code allowed by the host environment.
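The difference between evaluating a block body and parsing it as data, shown as an added example that is neither the extension's code nor its fix. The names `evalBlock`, `parseBlock` and `auditMarkdown`, the `bitfield` fence tag and the `{name, bits}` field schema are assumptions for illustration, and the sample document is constructed. The audit helper goes beyond the advisory text: it flags bitfield blocks that are not pure data, so a file can be checked before it is opened in an unpatched install.

```javascript
// Added example; every name here is hypothetical, not the extension's code.
const vm = require('node:vm');

// Pattern described in the advisory: the block body is evaluated as JavaScript.
function evalBlock(body) {
  return vm.runInNewContext(`(${body})`, {}, { timeout: 50 });
}

// Data-only alternative: accept strict JSON, then check the shape.
// Assumed schema: an array of { name?: string, bits: positive integer }.
function parseBlock(body) {
  const data = JSON.parse(body); // throws on anything that is not pure data
  if (!Array.isArray(data)) throw new TypeError('bitfield block must be an array');
  for (const f of data) {
    if (f === null || typeof f !== 'object' || Array.isArray(f))
      throw new TypeError('field must be an object');
    if (!Number.isInteger(f.bits) || f.bits <= 0)
      throw new TypeError('bits must be a positive integer');
    if ('name' in f && typeof f.name !== 'string')
      throw new TypeError('name must be a string');
  }
  return data;
}

// Triage helper: report bitfield fences in a Markdown string whose body
// is not pure data, with the 1-based line of the opening fence.
function auditMarkdown(md) {
  const fence = /^`{3}bitfield[^\n]*\n([\s\S]*?)^`{3}[ \t]*$/gm;
  const findings = [];
  for (const m of md.matchAll(fence)) {
    const line = md.slice(0, m.index).split('\n').length;
    try { parseBlock(m[1]); } catch (e) { findings.push({ line, reason: e.message }); }
  }
  return findings;
}

// Constructed sample: the first block is data, the second holds an expression.
const F = '`'.repeat(3);
const EXPR_BODY = '[{"name": "X", "bits": (() => 4 * 2)()}]';
const SAMPLE = [
  '# Register map', '',
  F + 'bitfield', '[{"name": "OPCODE", "bits": 8}, {"bits": 24}]', F, '',
  F + 'bitfield', EXPR_BODY, F, '',
].join('\n');

console.log('evaluated:', evalBlock(EXPR_BODY)[0].bits); // the expression ran
console.log('audit:', auditMarkdown(SAMPLE));
```
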
Affected Systems
The flaw affects users of the Markdown Preview Enhanced extension developed by shd101wyy. Any installation of a version earlier than 0.8.28 is vulnerable. The extension is available for the VS Code editor and can be installed from the Visual Studio Marketplace. Devices running any operating system that hosts the VS Code editor with the affected extension are impacted.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity. EPSS is not available, so the likelihood of exploitation is uncertain. Because the extension parses arbitrary content, a moderately skilled attacker only needs a document to be opened on the target machine. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation reports are public yet, but the potential remains for targeted attacks or abuse via malicious documents shared through collaboration tools.
OpenCVE Enrichment