CVE-2026-49492
Command Injection in Markdown Preview Enhanced
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shd101wyy | markdown_preview_enhanced | < 0.8.28 (0.8.28 excluded) |
| shd101wyy | vscode_markdown_preview_enhanced | 0.8.28 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-49492 is a high-severity OS command injection vulnerability affecting Markdown Preview Enhanced versions before 0.8.28. The vulnerability arises because the software opens external files and links from the markdown preview through a shell without validating untrusted inputs. These inputs include diagram filename attributes, imported file paths, and the latex_engine code-chunk attribute.
On Windows systems, an attacker can craft a malicious markdown document that injects operating system commands. These commands execute automatically when the document is previewed, potentially allowing arbitrary command execution.
The issue was fixed in version 0.8.28 by passing these inputs as literal arguments instead of through a shell and by validating them before use.
How can this vulnerability impact me?
This vulnerability can have serious impacts if you use Markdown Preview Enhanced on Windows. An attacker can execute arbitrary operating system commands on your machine simply by getting you to preview a specially crafted markdown document.
Such command execution could lead to unauthorized access, data theft, system compromise, or further malware installation, depending on the commands injected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered when a crafted markdown document is previewed in Markdown Preview Enhanced versions before 0.8.28 on Windows systems, leading to OS command injection.
Detection involves identifying whether vulnerable versions of Markdown Preview Enhanced are in use and whether any markdown documents with suspicious external file references, diagram filenames, imported file paths, or latex_engine code-chunk attributes are being previewed.
There are no specific commands provided in the available resources to detect exploitation attempts or presence of this vulnerability on your system or network.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Markdown Preview Enhanced to version 0.8.28 or later, where this vulnerability is fixed.
The fix involves passing untrusted inputs as literal arguments instead of through a shell and validating them before use, preventing OS command injection.
Until the upgrade is applied, avoid previewing untrusted markdown documents that contain external file references, diagram filenames, imported file paths, or latex_engine code-chunk attributes, especially on Windows systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute arbitrary operating system commands on Windows systems by previewing crafted markdown documents, which can lead to unauthorized access or control over affected systems.
Such unauthorized command execution could potentially lead to data breaches or compromise of sensitive information, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive data.
However, the provided information does not explicitly describe the direct impact on compliance with these standards or any specific regulatory consequences.