CVE-2026-49492

HIGH

Markdown Preview Enhanced OS Command Injection in External File and Link Opening

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-49492. PoCs published by byte16384.

AI-analyzed exploit summary: The repository contains a markdown file with a deceptive mailto link that attempts to execute 'calc.exe' via a crafted email address, which is a social engineering tactic rather than a legitimate PoC. No actual exploit code or technical details about CVE-2026-49492 are provided.

Description

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use.

Exploits (1)

github SUSPICIOUS
by byte16384 · poc
https://github.com/byte16384/CVE-2026-49492-PoC

Classification
Suspicious 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
Prerequisites: user interaction to click the link
devstral-2 · analyzed Jun 11, 2026

References (2)

Core References
Third Party Advisory
VulnCheck Advisory: Markdown Preview Enhanced OS Command Injection in External File and Link Opening
https://www.vulncheck.com/advisories/markdown-preview-enhanced-os-command-injection-in-external-file-and-link-opening

Scores

CVSS v3 8.8
EPSS 0.0027
EPSS Percentile 19.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
shd101wyy/Markdown Preview Enhanced < 0.8.28
Published Jun 05, 2026
Tracked Since Jun 06, 2026