CVE-2026-49492
Deferred Deferred - Pending Action
Command Injection in Markdown Preview Enhanced

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulnCheck

Description
Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-49492
EUVD
EUVD-2026-34868
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
shd101wyy markdown_preview_enhanced to 0.8.28 (exc)
shd101wyy vscode_markdown_preview_enhanced 0.8.28
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49492 is a high-severity OS command injection vulnerability affecting Markdown Preview Enhanced versions before 0.8.28. The vulnerability arises because the software opens external files and links from the markdown preview through a shell without validating untrusted inputs. These inputs include diagram filename attributes, imported file paths, and the latex_engine code-chunk attribute.

On Windows systems, an attacker can craft a malicious markdown document that injects operating system commands. These commands execute automatically when the document is previewed, potentially allowing arbitrary command execution.

The issue was fixed in version 0.8.28 by passing these inputs as literal arguments instead of through a shell and by validating them before use.

Impact Analysis

This vulnerability can have serious impacts if you use Markdown Preview Enhanced on Windows. An attacker can execute arbitrary operating system commands on your machine simply by getting you to preview a specially crafted markdown document.

Such command execution could lead to unauthorized access, data theft, system compromise, or further malware installation, depending on the commands injected.

Detection Guidance

This vulnerability occurs when a crafted markdown document is previewed in Markdown Preview Enhanced versions before 0.8.28 on Windows systems, leading to OS command injection.

Detection involves identifying if vulnerable versions of Markdown Preview Enhanced are in use and if any markdown documents with suspicious external file references, diagram filenames, imported file paths, or latex_engine code-chunk attributes are being previewed.

There are no specific commands provided in the available resources to detect exploitation attempts or presence of this vulnerability on your system or network.

Mitigation Strategies

The primary mitigation step is to upgrade Markdown Preview Enhanced to version 0.8.28 or later, where this vulnerability is fixed.

The fix involves passing untrusted inputs as literal arguments instead of through a shell and validating them before use, preventing OS command injection.

Until the upgrade is applied, avoid previewing untrusted markdown documents that contain external file references, diagram filenames, imported file paths, or latex_engine code-chunk attributes, especially on Windows systems.

Compliance Impact

The vulnerability allows attackers to execute arbitrary operating system commands on Windows systems by previewing crafted markdown documents, which can lead to unauthorized access or control over affected systems.

Such unauthorized command execution could potentially lead to data breaches or compromise of sensitive information, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive data.

However, the provided information does not explicitly describe the direct impact on compliance with these standards or any specific regulatory consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49492. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart