CVE-2026-11422
Severity: HIGH
Markdown Preview Enhanced 0.8.x Code Injection via WaveDrom Rendering
Title source: cnaDescription
Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.
References (4)
Technical Description: https://github.com/shd101wyy/vscode-markdown-preview-enhanced/issues/2315
Third Party Advisory: https://www.vulncheck.com/advisories/markdown-preview-enhanced-x-code-injection-via-wavedrom-rendering
Scores
CVSS v3 base score: 7.1
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: LOCAL
EPSS: 0.0016
EPSS Percentile: 5.4%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, 'Eval Injection')
Status: published
Products (2)
shd101wyy/crossnote: < 0.9.28
shd101wyy/Markdown Preview Enhanced: < 0.8.27
Published: Jun 05, 2026
Tracked Since: Jun 06, 2026