CVE-2026-11422
Markdown Preview Enhanced 0.8.x Code Injection via WaveDrom Rendering
CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
5th
Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.
| CWE | CWE-95 |
| Vendor | shd101wyy |
| Product | markdown preview enhanced |
| Published | Jun 5, 2026 |
| Last Updated | Jun 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for shd101wyy markdown preview enhanced
Be the first to know when new high vulnerabilities affecting shd101wyy markdown preview enhanced are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
shd101wyy / Markdown Preview Enhanced
0 < 0.8.27
shd101wyy / crossnote
0 < 0.9.28
References
github.com: https://github.com/shd101wyy/vscode-markdown-preview-enhanced/issues/2315 github.com: https://github.com/shd101wyy/crossnote/commit/5588ca2121c3da43fe331575dc5cf4ef347b91ee github.com: https://github.com/shd101wyy/vscode-markdown-preview-enhanced/commit/dcd80281c986293b93d9f1af34ced64dcb230c77 vulncheck.com: https://www.vulncheck.com/advisories/markdown-preview-enhanced-x-code-injection-via-wavedrom-rendering
Credits
๐ Neo by ProjectDiscovery