
Markdown Preview Enhanced: EUVD-2026-34870 / CVE-2026-50733 (HIGH)
Eval Injection (CWE-95)
2026-06-05 · VulnCheck · GHSA-j39p-jf99-v5w8
CVSS 4.0 (NVD): 8.6

Severity by source

NVD (primary): 8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS vector (NVD), metric breakdown:

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: A (Active)
Scope: X (not defined)

Lifecycle Timeline

Jun 05, 2026 20:02 (EUVD): Patch available
Jun 05, 2026 18:42 (vuln.today): Source code evidence fetched
Jun 05, 2026 18:42 (vuln.today): Analysis generated
Jun 05, 2026 18:22 (NVD): CVSS changed, 8.8 (HIGH) → 8.6 (HIGH)

Description (source: CVE.org)

Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.

Analysis (AI-generated)

Remote code execution in the Markdown Preview Enhanced extension (versions before 0.8.28) allows attackers to run arbitrary JavaScript when a victim previews or exports a crafted markdown document containing a WaveDrom diagram. The flaw stems from the renderer evaluating untrusted markdown content with eval() across every render path - live preview, presentation mode, and HTML export - and can also be triggered via raw HTML <script type="WaveDrom"> injection. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Author markdown with a malicious WaveDrom block
Delivery: Deliver via repo, PR, or shared docs
Exploit: Victim opens preview or exports HTML
Execution: eval() executes attacker JavaScript
Persist: Arbitrary code runs in the extension host
Impact: Arbitrary file write on the developer workstation

Vulnerability Assessment (AI-generated)

Exploitation: The victim must have Markdown Preview Enhanced (shd101wyy) prior to 0.8.28 installed in VS Code (or the legacy Atom build) and must take one of these actions on attacker-supplied markdown: open the live preview pane, switch to presentation mode, or run HTML export. …
Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H indicates network-reachable, low-complexity, unauthenticated exploitation that requires active user interaction (opening or previewing a malicious markdown file), with high impact to the confidentiality, integrity, and availability of the victim host. …
Exploit Scenario: An attacker commits a markdown file containing a crafted ```wavedrom fenced block (or a raw <script type="WaveDrom"> element) to a public repository, documentation bundle, or pull request, with the WaveDrom 'source' field carrying a JavaScript payload instead of legitimate signal-definition JSON. A developer clones the repo and opens the file in VS Code with Markdown Preview Enhanced installed, or clicks Preview or Export-to-HTML; eval() runs the attacker payload in the extension host context, yielding arbitrary code execution and the arbitrary file write noted in the description. …
Remediation: Vendor-released patch: upgrade Markdown Preview Enhanced to 0.8.28 or later, which replaces eval() with JSON5.parse() in the live preview and normalizes every WaveDrom data script to inert strict JSON in the HTML sanitizer, so downstream eval/ProcessAll cannot execute attacker-controlled code; the same release also fixes the parallel Bitfield interpretJS() eval-injection. …
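The fix described above replaces evaluation of the diagram source with a data-only parse. The following is an added example (JavaScript; not code from Markdown Preview Enhanced or the WaveDrom project) of that shape: a strict-JSON gate for WaveDrom sources, using the built-in JSON.parse where the real fix uses JSON5.parse, plus a scanner a reviewer or CI job could run over markdown to flag wavedrom fenced blocks and raw <script type="WaveDrom"> bodies that are not plain data. The allow-list of top-level keys, the function names and the sample document are constructed for this example.

```javascript
// Added example, not code from Markdown Preview Enhanced or WaveDrom: a strict-JSON
// gate for WaveDrom sources (shape of the 0.8.28 fix; JSON.parse stands in for
// JSON5.parse) plus a scanner flagging markdown whose WaveDrom blocks are not data.
// Top-level keys WaveDrom renders (constructed allow-list for this example).
const WAVEDROM_KEYS = new Set(['signal', 'assign', 'reg', 'config', 'head', 'foot', 'edge']);

// Hardened parse: strict JSON only. Expressions, identifiers and calls are
// rejected with a reason instead of being evaluated.
function parseWaveDromStrict(src) {
  let data;
  try {
    data = JSON.parse(src);
  } catch (e) {
    return { ok: false, reason: 'not strict JSON: ' + e.message };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'top level must be a JSON object' };
  }
  for (const k of Object.keys(data)) {
    if (!WAVEDROM_KEYS.has(k)) return { ok: false, reason: 'unexpected key: ' + k };
  }
  return { ok: true, data };
}

// Pull WaveDrom sources out of markdown along both paths named in the advisory:
// wavedrom fenced blocks and raw <script type="WaveDrom"> elements.
function extractWaveDromBlocks(markdown) {
  const fence = /`{3}wavedrom[ \t]*\n([\s\S]*?)\n`{3}/gi;
  const script = /<script\s+type=["']WaveDrom["']\s*>([\s\S]*?)<\/script>/gi;
  const blocks = [];
  let m;
  while ((m = fence.exec(markdown)) !== null) blocks.push({ kind: 'fence', src: m[1] });
  while ((m = script.exec(markdown)) !== null) blocks.push({ kind: 'script', src: m[1] });
  return blocks;
}

// Scan a document: each block gets the strict parser's ok/reason verdict.
function scanMarkdown(markdown) {
  return extractWaveDromBlocks(markdown).map(b => ({ ...b, ...parseWaveDromStrict(b.src) }));
}

// Constructed sample: one legitimate diagram and one block whose body is a JS
// object literal containing a call, which an eval()-based parser would execute.
const FENCE = '`'.repeat(3);
const SAMPLE_MD = [
  '# Timing', '', FENCE + 'wavedrom',
  '{"signal": [{"name": "clk", "wave": "p...."}]}',
  FENCE, '',
  '<script type="WaveDrom">{"signal": [], "config": Date.now()}</script>',
].join('\n');
```

Running scanMarkdown(SAMPLE_MD) accepts the fenced diagram and rejects the script body, because Date.now() is not JSON; the rejection reason is what an eval()-based parser would have silently executed.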

Recommended Action (AI-generated)

Within 24 hours: Disable the Markdown Preview Enhanced extension across all developer workstations. …



EUVD-2026-34870 vulnerability details – vuln.today
