Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use.
AnalysisAI
Remote code execution in Markdown Preview Enhanced before 0.8.28 on Windows allows attackers to inject OS commands through crafted markdown documents that abuse the diagram filename attribute, imported file paths, or the latex_engine code-chunk attribute, all of which were passed through a shell without validation. Exploitation requires the victim to preview the malicious document (UI:A), and no public exploit identified at time of analysis, though VulnCheck-published advisory details and a tagged fix release make weaponization straightforward.
Technical ContextAI
Markdown Preview Enhanced is a popular VS Code/Atom extension (shd101wyy/vscode-markdown-preview-enhanced per the CPE cpe:2.3:a:shd101wyy:markdown_preview_enhanced) that renders markdown with extended diagram, LaTeX, and import features. The root cause is CWE-78 (OS Command Injection): the extension invoked the OS shell to open external files/links and forwarded user-controlled values - diagram filename attributes, @import file paths, and the latex_engine attribute on code chunks - directly into shell command strings. On Windows, cmd.exe metacharacters embedded in those attributes are interpreted by the shell rather than treated as filename literals. The 0.8.28 release fixes this by spawning child processes with arguments passed as a literal argv array and by validating the inputs before use, and it also bundles unrelated fixes for eval()-based RCE in the WaveDrom and Bitfield renderers via crossnote 0.9.29.
RemediationAI
Vendor-released patch: upgrade Markdown Preview Enhanced to 0.8.28 or later (https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28), which spawns child processes with literal argv arrays and validates the diagram filename, @import paths, and latex_engine attributes before use; the bundled crossnote 0.9.29 upgrade also closes the related WaveDrom and Bitfield eval()/vm.runInNewContext RCE paths. Until the upgrade is rolled out, compensating controls for Windows users include disabling automatic preview on file open and refusing to preview markdown from untrusted sources (mail attachments, third-party PRs, cloned repos), which preserves editing but loses on-save preview; reviewing markdown as plain text via a non-rendering editor view eliminates the sink at the cost of formatting fidelity; and on managed fleets, restricting the extension via VS Code extension allow/deny policies removes the attack surface entirely at the cost of the feature. Cross-reference the VulnCheck advisory at https://www.vulncheck.com/advisories/markdown-preview-enhanced-os-command-injection-in-external-file-and-link-opening for indicators.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34868
GHSA-3vxg-8vgp-994w