CVE-2026-11422
Code Injection in Markdown Preview Enhanced via WaveDrom
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| markdown_preview_enhanced | markdown_preview_enhanced | From 0.8 (inc) to 0.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28. It is a code injection flaw in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript code. The attack works by embedding malicious content inside a wavedrom fenced code block within a specially crafted Markdown document.
The root cause is the unsanitized passing of wavedrom block content to the window.eval() function in the VS Code webview context. This enables attackers to abuse the extension's message passing mechanism and invoke arbitrary file writes on the local filesystem.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to arbitrary JavaScript execution within the VS Code webview context. This can allow attackers to perform unauthorized actions such as writing arbitrary files to the local filesystem.
Such actions can compromise the integrity and confidentiality of your system and data, potentially leading to further attacks or data loss.