CVE-2026-11422
Awaiting Analysis Awaiting Analysis - Queue
Code Injection in Markdown Preview Enhanced via WaveDrom

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: VulnCheck

Description
Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2026-11422
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
markdown_preview_enhanced markdown_preview_enhanced From 0.8 (inc) to 0.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28. It is a code injection flaw in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript code. The attack works by embedding malicious content inside a wavedrom fenced code block within a specially crafted Markdown document.

The root cause is the unsanitized passing of wavedrom block content to the window.eval() function in the VS Code webview context. This enables attackers to abuse the extension's message passing mechanism and invoke arbitrary file writes on the local filesystem.

Impact Analysis

Exploitation of this vulnerability can lead to arbitrary JavaScript execution within the VS Code webview context. This can allow attackers to perform unauthorized actions such as writing arbitrary files to the local filesystem.

Such actions can compromise the integrity and confidentiality of your system and data, potentially leading to further attacks or data loss.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11422. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart