Markdown Preview Enhanced 0.8.x Code Injection via WaveDrom Rendering
CVE-2026-11422

8.4HIGH

Key Information:

Vendor: Shd101wyy
Status: Markdown Preview Enhanced; Crossnote
Vendor: CVE Published:; 5 June 2026

What is CVE-2026-11422?

Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.

Affected Version(s)

crossnote 0

Markdown Preview Enhanced 0

References

https://github.com/shd101wyy/vscode-markdown-preview-enha...

technical-description

https://github.com/shd101wyy/crossnote/commit/5588ca2121c...

patch

https://github.com/shd101wyy/vscode-markdown-preview-enha...

patch

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Neo by ProjectDiscovery

CVE-2026-11422 Data

JSON