CVE-2026-49493

HIGH 8.8

Markdown Preview Enhanced Arbitrary Code Execution via Bitfield interpretJS()

CVSS Score

8.8

EPSS Score

0.1%

EPSS Percentile

21th

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.

CWE	CWE-94
Vendor	shd101wyy
Product	markdown preview enhanced
Published	Jun 5, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for shd101wyy markdown preview enhanced

Be the first to know when new high vulnerabilities affecting shd101wyy markdown preview enhanced are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

shd101wyy / Markdown Preview Enhanced

0 < 0.8.28

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28 vulncheck.com: https://www.vulncheck.com/advisories/markdown-preview-enhanced-arbitrary-code-execution-via-bitfield-interpretjs