CVE-2026-49493 | Markdown Preview Enhanced before 0.8.28 parses Bitfield fenc… | CVSS 8.8 HIGH

Description

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.

Metadata

CVE ID: CVE-2026-49493
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-05-31 11:54 UTC
Published: 2026-06-05 17:49 UTC
Last updated: 2026-06-09 14:36 UTC
Primary CWE: CWE-94
Improper Control of Generation of Code ('Code Injection')
Vendor / Product: shd101wyy / Markdown Preview Enhanced
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
shd101wyy	Markdown Preview Enhanced	—	0 < 0.8.28

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	Improper Control of Generation of Code ('Code Injection')

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.8	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (2)

Release 0.8.28 https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28
VulnCheck Advisory: Markdown Preview Enhanced Arbitrary Code Execution via Bitfield interpretJS() https://www.vulncheck.com/advisories/markdown-preview-enhanced-arbitrary-code-execution-via-bitfield-interpretjs