Crossnote
Arbitrary JavaScript execution in the Markdown Preview Enhanced VS Code extension (0.8.x, bundling crossnote 0.9.28) is triggered when a victim opens or previews a crafted Markdown document containing a malicious wavedrom fenced code block. The WaveDrom rendering pipeline passes the block's contents directly to window.eval() inside the extension's VS Code webview, so attacker-supplied code runs with the webview's privileges; from there it can drive the webview-to-extension message-passing channel and have the extension host write attacker-chosen files to the victim's local filesystem. The trigger requires no interaction beyond opening or previewing the document. Vendor patches were released on 2026-06-05; no public exploit was identified at time of analysis and the CVE is not listed in CISA KEV.