Markdown Preview Enhanced Arbitrary Code Execution via Bitfield interpretJS()
CVE-2026-49493

8.6HIGH

Key Information:

Vendor: Shd101wyy
Status: Markdown Preview Enhanced
Vendor: CVE Published:; 5 June 2026

What is CVE-2026-49493?

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.

Affected Version(s)

Markdown Preview Enhanced 0 < 0.8.28

References

https://github.com/shd101wyy/vscode-markdown-preview-enha...

release-notes

https://www.vulncheck.com/advisories/markdown-preview-enh...

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
May 31, 2026

CVE-2026-49493 Data

JSON

Shd101wyy

What is CVE-2026-49493?

Affected Version(s)

References

CVSS V4

Timeline