Markdown Preview Enhanced versions prior to 0.8.28 parse WaveDrom diagrams by evaluating untrusted markdown content with JavaScript eval(), enabling arbitrary code execution. This vulnerability affects multiple rendering paths including live preview (window.eval), presentation mode, and HTML export via bundled WaveDrom helpers. Attackers can inject malicious <script type="WaveDrom"> elements through raw HTML in markdown, triggering arbitrary JavaScript execution and arbitrary file writes upon rendering. The vulnerability is addressed in version 0.8.28 by switching to JSON5.parse() for parsing and sanitizing WaveDrom scripts to inert strict JSON, eliminating the use of eval().

Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of the Markdown Preview Enhanced application without privileges or user interaction beyond previewing or exporting a crafted markdown document. This can lead to arbitrary file writes and potentially other malicious actions within the user's environment. The CVSS 4.0 base score is 8.6 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability.

A fix is available in Markdown Preview Enhanced version 0.8.28, which replaces the unsafe eval()-based parsing with JSON5.parse() and sanitizes WaveDrom data scripts. Users should upgrade to version 0.8.28 or later to remediate this vulnerability. Since no vendor advisory is provided, users should verify the update from official sources. Until upgraded, avoid previewing or exporting untrusted markdown documents containing WaveDrom diagrams.