CVE-2026-50733
Deferred Deferred - Pending Action
Arbitrary JavaScript Execution in Markdown Preview Enhanced via WaveDrom Diagrams

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulnCheck

Description
Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-50733
EUVD
EUVD-2026-34870
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
shd101wyy markdown_preview_enhanced to 0.8.28 (exc)
shd101wyy markdown_preview_enhanced 0.8.28
shd101wyy markdown_preview_enhanced From 0.8.0 (inc) to 0.8.28 (exc)
microsoft visual_studio_code 1.122.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Markdown Preview Enhanced before version 0.8.28 contains a critical vulnerability where it parses WaveDrom diagrams by evaluating untrusted markdown content using eval(), which allows arbitrary JavaScript execution.

This flaw affects every render path including live preview, presentation mode, and HTML export, and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown.

When a user previews or exports a specially crafted markdown document, an attacker can execute arbitrary code within the VS Code webview context.

The vulnerability arises from unsafe use of eval() on user-controlled input, preservation of <script type="WaveDrom"> tags by sanitizers, and unconditional execution of WaveDrom rendering without requiring explicit script execution permission.

This arbitrary code execution can access the VS Code API and perform malicious actions such as arbitrary file writes on the victim's filesystem.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript code when a victim previews or exports a crafted markdown document.

The attacker can exploit this to perform arbitrary file writes on the victim's filesystem, including overwriting sensitive files such as SSH authorized keys.

Such actions can lead to persistent remote access to the victim's machine, compromising system integrity and confidentiality.

Detection Guidance

Detection of this vulnerability involves identifying the use of vulnerable versions of Markdown Preview Enhanced (before 0.8.28) or Visual Studio Code versions 1.122.1 with the affected extension version 0.8.27.

Since the vulnerability is triggered by opening markdown files containing WaveDrom fenced code blocks that are evaluated with unsafe eval(), you can detect suspicious activity by monitoring for execution of JavaScript code originating from markdown preview processes or unusual file write operations initiated by the extension.

Specific commands to detect vulnerable software versions or suspicious files include:

  • Check the installed version of Markdown Preview Enhanced extension in VS Code: `code --list-extensions --show-versions | grep markdown-preview-enhanced`
  • Check VS Code version: `code --version`
  • Search for markdown files containing WaveDrom code blocks: `grep -r --include='*.md' '```wavedrom' /path/to/markdown/files`
  • Monitor file system for unexpected writes by VS Code or the extension, for example using auditd or filesystem monitoring tools.

Note that no direct network detection commands are provided in the resources, as the vulnerability is local to the markdown rendering and file system access within the VS Code environment.

Mitigation Strategies

The primary mitigation step is to upgrade Markdown Preview Enhanced to version 0.8.28 or later, where the vulnerability is fixed by replacing unsafe eval() calls with JSON5.parse() and sanitizing WaveDrom scripts.

Additionally, ensure that Visual Studio Code is updated to a version that is compatible with the fixed extension version.

Avoid opening or previewing untrusted markdown files containing WaveDrom diagrams until the update is applied.

Consider disabling script execution in the Markdown Preview Enhanced extension if possible, or configure it to not execute scripts automatically.

Monitor and restrict file system permissions to prevent unauthorized file writes by the extension or VS Code processes.

Compliance Impact

The vulnerability allows arbitrary JavaScript execution leading to arbitrary file writes, including overwriting sensitive files such as SSH authorized keys, which can result in persistent remote access to the victim's machine.

Such unauthorized code execution and potential data manipulation or exfiltration could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require safeguarding sensitive data and ensuring system integrity.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing sensitive information or enabling unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50733. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart