CVE-2026-49493: Improper Control of Generation of Code ('Code Injection') in shd101wyy Markdown Preview Enhanced
Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.
AI Analysis
Technical Summary
Markdown Preview Enhanced prior to version 0.8.28 improperly controls code generation by evaluating Bitfield fenced code blocks as executable code using interpretJS() and vm.runInNewContext(). This allows an attacker to craft a markdown document containing malicious bitfield code blocks that execute arbitrary code on the server side during rendering or export. The vulnerability is resolved in version 0.8.28 by switching to JSON5.parse() for parsing bitfield register definitions, eliminating code execution risk.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code on the server processing the markdown document, potentially leading to full system compromise or unauthorized actions. The vulnerability requires no privileges and no user interaction other than rendering or exporting the crafted markdown. The high CVSS score (8.6) reflects the network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade to Markdown Preview Enhanced version 0.8.28 or later, where the vulnerability is fixed by replacing code evaluation with safe JSON5 parsing. Since this is a client-side application, users should ensure they do not render or export untrusted markdown documents with vulnerable versions. Patch status is not explicitly confirmed in the vendor advisory, but the fix is documented in version 0.8.28 release notes. Check the vendor's official channels for the latest updates and apply the official fix.
CVE-2026-49493: Improper Control of Generation of Code ('Code Injection') in shd101wyy Markdown Preview Enhanced
Description
Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.
CVSS v4.0
Score 8.6high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Markdown Preview Enhanced prior to version 0.8.28 improperly controls code generation by evaluating Bitfield fenced code blocks as executable code using interpretJS() and vm.runInNewContext(). This allows an attacker to craft a markdown document containing malicious bitfield code blocks that execute arbitrary code on the server side during rendering or export. The vulnerability is resolved in version 0.8.28 by switching to JSON5.parse() for parsing bitfield register definitions, eliminating code execution risk.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code on the server processing the markdown document, potentially leading to full system compromise or unauthorized actions. The vulnerability requires no privileges and no user interaction other than rendering or exporting the crafted markdown. The high CVSS score (8.6) reflects the network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade to Markdown Preview Enhanced version 0.8.28 or later, where the vulnerability is fixed by replacing code evaluation with safe JSON5 parsing. Since this is a client-side application, users should ensure they do not render or export untrusted markdown documents with vulnerable versions. Patch status is not explicitly confirmed in the vendor advisory, but the fix is documented in version 0.8.28 release notes. Check the vendor's official channels for the latest updates and apply the official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-31T11:54:34.993Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a23130ee29bf47b50a3f1ee
Added to database: 6/5/2026, 6:18:54 PM
Last enriched: 6/5/2026, 6:33:31 PM
Last updated: 6/5/2026, 8:12:08 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.