Description
Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.
Published: 2026-06-05
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The extension processes WaveDrom diagram descriptions by running them through eval, which lets an attacker inject arbitrary JavaScript into the preview context. The flaw can be triggered from any render path, including the live preview, presentation mode, or when exporting markdown to HTML. Successful exploitation grants the attacker full code execution inside the editor process, potentially allowing arbitrary file writes and other destructive actions on the host system.

Affected Systems

All installations of shd101wyy Markdown Preview Enhanced prior to version 0.8.28 are vulnerable. The vulnerability applies to every render path in the extension, including live preview, presentation mode, and HTML export. The affected CPE is markdown_preview_enhanced_project:markdown_preview_enhanced.

Risk and Exploitability

The CVSS score of 8.6 labels the issue as high severity. No EPSS score is published, and the vulnerability is not yet listed in the CISA KEV catalog. Because the flaw requires the user to open a crafted markdown file that contains a WaveDrom diagram, the most likely attack vector is local file exploitation via the editor. An attacker could place a malicious file on a shared drive or distribute it through phishing, knowing that any user who opens the file in VS Code with the extension will execute the malicious payload.

Generated by OpenCVE AI on June 5, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Markdown Preview Enhanced to version 0.8.28 or later, where eval is replaced with a safe JSON5 parser and sandboxing is enforced.
  • If upgrading is not immediately possible, disable the WaveDrom rendering feature or uninstall the extension to eliminate the code path that executes eval.
  • Ensure that the editor environment remains uncompromised by restricting the opening of unknown markdown files and applying the principle of least privilege for the extension.

Generated by OpenCVE AI on June 5, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Shd101wyy
Shd101wyy markdown Preview Enhanced
Vendors & Products Shd101wyy
Shd101wyy markdown Preview Enhanced

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.
Title Markdown Preview Enhanced Arbitrary Code Execution via WaveDrom eval()
First Time appeared Markdown Preview Enhanced Project
Markdown Preview Enhanced Project markdown Preview Enhanced
Weaknesses CWE-95
CPEs cpe:2.3:a:markdown_preview_enhanced_project:markdown_preview_enhanced:*:*:*:*:*:*:*:*
Vendors & Products Markdown Preview Enhanced Project
Markdown Preview Enhanced Project markdown Preview Enhanced
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Markdown Preview Enhanced Project Markdown Preview Enhanced
Shd101wyy Markdown Preview Enhanced
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-05T19:03:27.311Z

Reserved: 2026-06-05T16:54:32.159Z

Link: CVE-2026-50733

cve-icon Vulnrichment

Updated: 2026-06-05T19:03:10.502Z

cve-icon NVD

Status : Deferred

Published: 2026-06-05T18:17:34.050

Modified: 2026-06-05T20:17:35.423

Link: CVE-2026-50733

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T22:00:06Z

Weaknesses