CVE-2026-11422
Awaiting Analysis Awaiting Analysis - Queue

Code Injection in Markdown Preview Enhanced via WaveDrom

Vulnerability report for CVE-2026-11422, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: VulnCheck

Description

Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-07-17
AI Q&A
2026-06-06
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
markdown_preview_enhanced markdown_preview_enhanced From 0.8 (inc) to 0.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28. It is a code injection flaw in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript code. The attack works by embedding malicious content inside a wavedrom fenced code block within a specially crafted Markdown document.

The root cause is the unsanitized passing of wavedrom block content to the window.eval() function in the VS Code webview context. This enables attackers to abuse the extension's message passing mechanism and invoke arbitrary file writes on the local filesystem.

Impact Analysis

Exploitation of this vulnerability can lead to arbitrary JavaScript execution within the VS Code webview context. This can allow attackers to perform unauthorized actions such as writing arbitrary files to the local filesystem.

Such actions can compromise the integrity and confidentiality of your system and data, potentially leading to further attacks or data loss.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11422. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart