Markdown Preview Enhanced CVE-2026-49493

EUVD-2026-34869 · HIGH
Code Injection (CWE-94)
2026-06-05 · VulnCheck · GHSA-m5v2-jw65-jh59
8.6 · CVSS 4.0 · NVD
Severity by source

NVD (primary): 8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Active (A)
  • Scope: X (not defined)

Lifecycle Timeline

  • Jun 05, 2026 - 20:02 (EUVD): Patch available
  • Jun 05, 2026 - 18:44 (vuln.today): Source code evidence fetched
  • Jun 05, 2026 - 18:44 (vuln.today): Analysis generated
  • Jun 05, 2026 - 18:22 (NVD): CVSS changed from 8.8 (HIGH) to 8.6 (HIGH)

Description (CVE.org)

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.

Analysis (AI)

Arbitrary code execution in Markdown Preview Enhanced (shd101wyy) before 0.8.28 lets a crafted markdown document run attacker-controlled JavaScript when rendered or exported, because Bitfield fenced code blocks were evaluated through interpretJS() / vm.runInNewContext() instead of being parsed as data. CVSS 4.0 scores this 8.6 with network vector and active user interaction; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
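An added example, not code from Markdown Preview Enhanced or crossnote, showing the parse-as-data approach that the description and analysis above credit to the 0.8.28 fix: a Node.js audit that extracts each bitfield fence from a markdown document and accepts it only if it parses as a register definition, so a block whose body is JavaScript is reported rather than executed. The register shape (an array of objects with an integer "bits" width and an optional "name") is an assumption, and JSON.parse stands in for the JSON5.parse the fix uses.

```javascript
// Added example, not code from Markdown Preview Enhanced or crossnote.
// Vulnerable versions passed the body of a bitfield fenced block to
// vm.runInNewContext(); the 0.8.28 fix parses it as data. JSON.parse stands
// in for JSON5.parse (no dependencies; JSON5 accepts a superset of JSON).

// Matches a triple-backtick fence tagged "bitfield" and captures its body.
const BITFIELD_FENCE_RE = /^`{3}[ \t]*bitfield[^\n]*\n([\s\S]*?)^`{3}/gm;

// Assumed register-definition shape: a non-empty array of objects with an
// integer "bits" width and an optional string "name".
function isRegisterDefinition(value) {
  return Array.isArray(value) && value.length > 0 && value.every((f) =>
    f !== null && typeof f === 'object' && Number.isInteger(f.bits) &&
    f.bits > 0 && (f.name === undefined || typeof f.name === 'string'));
}

// Parses one block body as data. Throws for JavaScript (a SyntaxError from
// JSON.parse) or for data of the wrong shape; the body is never executed.
function parseBitfieldBlock(body) {
  const parsed = JSON.parse(body);
  if (!isRegisterDefinition(parsed)) {
    throw new TypeError('bitfield block is not a register definition');
  }
  return parsed;
}

// Audits a markdown document: one { body, ok, reason } record per block.
function auditBitfieldBlocks(markdown) {
  const results = [];
  for (const match of markdown.matchAll(BITFIELD_FENCE_RE)) {
    const body = match[1].trim();
    try {
      const fields = parseBitfieldBlock(body);
      results.push({ body, ok: true, reason: `${fields.length} fields` });
    } catch (err) {
      results.push({ body, ok: false, reason: err.message });
    }
  }
  return results;
}

// Constructed sample: one genuine register definition and one block whose
// body is JavaScript (a harmless placeholder expression) instead of data.
const FENCE = '`'.repeat(3);
const SAMPLE_MARKDOWN = [
  '# Control register', '', FENCE + 'bitfield',
  '[{"name": "EN", "bits": 1}, {"name": "MODE", "bits": 3}, {"bits": 4}]',
  FENCE, '', FENCE + 'bitfield', '(function () { return 1 + 1; })()', FENCE,
].join('\n');
```

Running auditBitfieldBlocks(SAMPLE_MARKDOWN) reports the first block as data with three fields and the second as rejected, which is the outcome a pre-render check (or the patched parser itself) should produce for an untrusted document.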


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Craft markdown with malicious bitfield block
  • Delivery: Deliver via repo, PR, or attachment
  • Exploit: Victim opens preview or exports document
  • Execution: interpretJS calls vm.runInNewContext
  • Persist: Arbitrary JS executes in extension host
  • Impact: Steal source/credentials or pivot

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the victim to have Markdown Preview Enhanced (vscode-markdown-preview-enhanced) at a version below 0.8.28 installed and to actively render or export a markdown document supplied by the attacker - the CVSS UI:A flag corresponds to the victim invoking the 'Open Preview' command or one of the HTML/PDF/Presentation export paths. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A, VC/VI/VA:H, SC/SI/SA:N) describes a network-reachable, low-complexity, unauthenticated bug with full confidentiality, integrity, and availability impact on the vulnerable component, but it explicitly requires active user interaction - a victim must open or export a malicious markdown document. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker commits a README.md or design-doc markdown file containing a malicious bitfield fenced block whose body is a JavaScript payload rather than a register definition. A developer clones the repo and opens the preview in VS Code (or exports the document to HTML/PDF), at which point interpretJS() evaluates the payload via vm.runInNewContext() and runs arbitrary code in the extension host process - leading to local file theft, source-code exfiltration, or a foothold for further compromise. …

Remediation: Vendor-released patch: upgrade Markdown Preview Enhanced to 0.8.28 or later (which pulls in crossnote 0.9.29), per the release at https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28 and the VulnCheck advisory at https://www.vulncheck.com/advisories/markdown-preview-enhanced-arbitrary-code-execution-via-bitfield-interpretjs. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Audit organization for Markdown Preview Enhanced (shd101wyy) installations before version 0.8.28; disable the extension or restrict usage to internally-verified documents only. …


CVE-2026-49493 vulnerability details – vuln.today
