CVE-2026-49492

HIGH 8.8

Markdown Preview Enhanced OS Command Injection in External File and Link Opening

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use.

CWE	CWE-78
Vendor	shd101wyy
Product	markdown preview enhanced
Published	Jun 5, 2026
Last Updated	Jun 8, 2026

Stay Ahead of the Next One

Get instant alerts for shd101wyy markdown preview enhanced

Be the first to know when new high vulnerabilities affecting shd101wyy markdown preview enhanced are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

shd101wyy / Markdown Preview Enhanced

0 < 0.8.28

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28 vulncheck.com: https://www.vulncheck.com/advisories/markdown-preview-enhanced-os-command-injection-in-external-file-and-link-opening

Credits

byte16384