Markdown Preview Enhanced EUVD-2026-34916

CVE-2026-11422 HIGH
Eval Injection (CWE-95)
2026-06-05 VulnCheck GHSA-m48c-hxqg-4j76
8.4
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline

6 events

Jun 05, 2026 - 21:28 · vuln.today · Analysis Updated · v3 (cvss_changed)
Jun 05, 2026 - 21:28 · vuln.today · Analysis Updated · v2 (cvss_changed)
Jun 05, 2026 - 21:22 · vuln.today · Re-analysis Queued · cvss_changed
Jun 05, 2026 - 21:22 · NVD · CVSS changed · 7.1 (HIGH) → 8.4 (HIGH)
Jun 05, 2026 - 21:15 · vuln.today · Source Code Evidence Fetched
Jun 05, 2026 - 21:15 · vuln.today · Analysis Generated

Description (CVE.org)

Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.
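
As an added example (not code from Markdown Preview Enhanced, crossnote or this advisory), the JavaScript below triages Markdown before it is previewed: it extracts wavedrom fenced blocks and flags any whose content is not a plain data literal, the property the eval() path does not enforce. The function names, the token allowlist and the sample document are assumptions made for illustration.

```javascript
// Added example (not Markdown Preview Enhanced or crossnote code).
// Assumption: a legitimate wavedrom block is a plain object/array literal.

// One pure-data token: whitespace, comment, string, number, identifier, punctuation.
const TOKEN = /\s+|\/\/[^\n]*|\/\*[\s\S]*?\*\/|"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|[A-Za-z_$][\w$]*|[{}\[\],:]/y;
const IDENT = /^[A-Za-z_$]/;
const LITERALS = new Set(["true", "false", "null"]);

// Returns null if `src` is pure data, else the offset of the first non-data token.
function firstNonDataOffset(src) {
  let pos = 0;
  while (pos < src.length) {
    TOKEN.lastIndex = pos;
    const m = TOKEN.exec(src);
    if (!m) return pos; // parenthesis, operator, backtick, dot, semicolon, ...
    const next = pos + m[0].length;
    // A bare identifier is acceptable only as an object key or a literal.
    if (IDENT.test(m[0]) && !LITERALS.has(m[0]) && !/^\s*:/.test(src.slice(next))) {
      return pos;
    }
    pos = next;
  }
  return null;
}

// Scans Markdown text and reports each wavedrom fence that is not pure data.
function scanMarkdown(markdown) {
  const fence = /^(`{3,}|~{3,})[ \t]*wavedrom\b[^\n]*\n([\s\S]*?)^\1[ \t]*$/gm;
  const findings = [];
  let index = 0;
  for (const m of markdown.matchAll(fence)) {
    const offset = firstNonDataOffset(m[2]);
    if (offset !== null) findings.push({ block: index, offset, near: m[2].slice(offset, offset + 20) });
    index++;
  }
  return findings;
}

// Constructed sample: block 0 is a normal timing diagram, block 1 contains a call.
const SAMPLE = [
  "# Notes",
  "```wavedrom",
  "{ signal: [{ name: 'clk', wave: 'p....' }, { name: \"dat\", wave: 'x.3x', data: ['a'] }] }",
  "```",
  "```wavedrom",
  "{ signal: [], note: marker() }",
  "```",
].join("\n");

console.log(scanMarkdown(SAMPLE));
```

The check is deliberately conservative: it rejects any parenthesis, operator, backtick or free identifier, so flagged files should be reviewed as text rather than opened in the preview.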

Analysis (AI)

Arbitrary JavaScript execution in the Markdown Preview Enhanced VS Code extension (0.8.x, bundling crossnote 0.9.28) is triggered when a victim opens or previews a crafted Markdown document containing a malicious wavedrom fenced code block. The WaveDrom rendering pipeline passes block contents directly to window.eval() inside the VS Code webview, letting an attacker abuse the extension's message-passing channel to write arbitrary files to the victim's local filesystem. …


Recommended Action (AI)

Within 24 hours: Identify all VS Code installations using Markdown Preview Enhanced (version 0.8.x) across the organization. …
