CVE-2026-50733

HIGH 8.8

Markdown Preview Enhanced Arbitrary Code Execution via WaveDrom eval()

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.

CWE	CWE-95
Vendor	shd101wyy
Product	markdown preview enhanced
Published	Jun 5, 2026
Last Updated	Jun 5, 2026

Stay Ahead of the Next One

Get instant alerts for shd101wyy markdown preview enhanced

Be the first to know when new high vulnerabilities affecting shd101wyy markdown preview enhanced are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

shd101wyy / Markdown Preview Enhanced

0 < 0.8.28

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28 github.com: https://github.com/shd101wyy/vscode-markdown-preview-enhanced/issues/2315 vulncheck.com: https://www.vulncheck.com/advisories/markdown-preview-enhanced-arbitrary-code-execution-via-wavedrom-eval

Credits

Neo by ProjectDiscovery