Markdown Preview Enhanced Arbitrary Code Execution via WaveDrom eval()
CVE-2026-50733

8.6HIGH

Key Information:

Vendor: Shd101wyy
Status: Markdown Preview Enhanced
Vendor: CVE Published:; 5 June 2026

What is CVE-2026-50733?

Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.

Affected Version(s)

Markdown Preview Enhanced 0 < 0.8.28

References

https://github.com/shd101wyy/vscode-markdown-preview-enha...

release-notes

https://github.com/shd101wyy/vscode-markdown-preview-enha...

issue-tracking

https://www.vulncheck.com/advisories/markdown-preview-enh...

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

Neo by ProjectDiscovery

CVE-2026-50733 Data

JSON

Shd101wyy

What is CVE-2026-50733?

Affected Version(s)

References

CVSS V4

Timeline

Credit