Home

Description

Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.

PUBLISHED Reserved 2026-06-05 | Published 2026-06-05 | Updated 2026-06-08 | Assigner VulnCheck




HIGH: 7.1CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

HIGH: 8.4CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Product status

Default status
affected

Any version before 0.8.27
affected

Default status
affected

Any version before 0.9.28
affected

Credits

Neo by ProjectDiscovery reporter

References

github.com/...y/vscode-markdown-preview-enhanced/issues/2315 exploit

github.com/...y/vscode-markdown-preview-enhanced/issues/2315 technical-description

github.com/...ommit/5588ca2121c3da43fe331575dc5cf4ef347b91ee patch

github.com/...ommit/dcd80281c986293b93d9f1af34ced64dcb230c77 patch

www.vulncheck.com/...x-code-injection-via-wavedrom-rendering third-party-advisory

cve.org (CVE-2026-11422)

nvd.nist.gov (CVE-2026-11422)

Download JSON