CVE-2026-50733
Deferred - Pending Action
Arbitrary JavaScript Execution in Markdown Preview Enhanced via WaveDrom Diagrams

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: VulnCheck

Description
Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.
Meta Information
Published: 2026-06-05
Last Modified: 2026-06-05
Generated: 2026-06-06
AI Q&A: 2026-06-05
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs

Vendor      Product                      Version / Range
shd101wyy   markdown_preview_enhanced    up to 0.8.28 (excluding)
shd101wyy   markdown_preview_enhanced    0.8.28
shd101wyy   markdown_preview_enhanced    from 0.8.0 (including) to 0.8.28 (excluding)
microsoft   visual_studio_code           1.122.1
CWE ID    Description
CWE-95    The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows arbitrary JavaScript execution leading to arbitrary file writes, including overwriting sensitive files such as SSH authorized keys, which can result in persistent remote access to the victim's machine.

Such unauthorized code execution and potential data manipulation or exfiltration could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require safeguarding sensitive data and ensuring system integrity.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing sensitive information or enabling unauthorized access.


Can you explain this vulnerability to me?

Markdown Preview Enhanced before version 0.8.28 contains a critical vulnerability where it parses WaveDrom diagrams by evaluating untrusted markdown content using eval(), which allows arbitrary JavaScript execution.

This flaw affects every render path including live preview, presentation mode, and HTML export, and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown.

When a user previews or exports a specially crafted markdown document, the attacker's JavaScript runs inside the preview page (the VS Code webview), with no interaction beyond opening the preview.

Three things combine to make this exploitable: eval() is applied to user-controlled diagram text; the HTML sanitizer preserves <script type="WaveDrom"> elements, so raw HTML in the markdown reaches the WaveDrom renderer; and WaveDrom rendering runs unconditionally, without requiring the user to grant explicit script execution permission.

From the preview context the injected code can reach the VS Code API exposed to the webview and perform malicious actions such as arbitrary file writes on the victim's filesystem.
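To make the difference between the two parsing strategies concrete, the following is an added example, not code from Markdown Preview Enhanced or from WaveDrom. It puts the eval()-based parse the advisory describes next to a data-only parse, and shows the "inert strict JSON" rewrite of <script type="WaveDrom"> elements. The real fix uses JSON5.parse(); JSON.parse stands in for it here so the example runs with no dependencies (the consequence is that diagrams with unquoted keys are rejected rather than parsed). The payloads, the HTML fragment and the __mpe_pwned flag are constructed for the demonstration.

```javascript
// Added example, not code from Markdown Preview Enhanced or WaveDrom. It
// contrasts the eval()-based diagram parse the advisory describes with a
// data-only parse, and shows the "inert strict JSON" sanitization of
// <script type="WaveDrom"> elements. JSON.parse stands in for the
// JSON5.parse() used by the real fix so the example runs with no dependencies.

// Constructed benign diagram in strict JSON.
const BENIGN = '{"signal":[{"name":"clk","wave":"p...."}]}';

// Constructed attacker payload: a valid JavaScript object literal, not JSON.
// Under eval() the embedded assignment runs; a data parser rejects it.
const MALICIOUS = '{ signal: [], pwn: (globalThis.__mpe_pwned = true) }';

// Vulnerable pattern: the diagram body is treated as JavaScript source, so
// any expression in it executes with the privileges of the preview page.
function parseWaveDromUnsafe(src) {
  return eval('(' + src + ')');
}

// Fixed pattern: JSON.parse never executes code; anything that is not pure
// data throws. The shape check rejects arrays and primitives as diagrams.
function parseWaveDromSafe(src) {
  const data = JSON.parse(src);
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('WaveDrom source must be a JSON object');
  }
  return data;
}

// Matches <script type="WaveDrom"> ... </script> regardless of attribute
// order or case; group 1 is the script body.
const WAVEDROM_SCRIPT_RE =
  /<script\b[^>]*\btype\s*=\s*["']?wavedrom["']?[^>]*>([\s\S]*?)<\/script>/gi;

// Rewrites every WaveDrom data script to canonical strict JSON. Bodies that
// do not parse as data (the exploit case) become an empty diagram instead of
// being passed through. '<' is escaped inside the JSON so no string value
// can close the <script> element early; JSON permits \u003c in strings.
function sanitizeWaveDromScripts(html) {
  return html.replace(WAVEDROM_SCRIPT_RE, (_match, body) => {
    let inert;
    try {
      inert = JSON.stringify(parseWaveDromSafe(body));
    } catch {
      inert = '{"signal":[]}';
    }
    return '<script type="WaveDrom">' + inert.replace(/</g, '\\u003c') + '</script>';
  });
}

// Constructed HTML as the sanitizer would see it after raw HTML in markdown:
// one legitimate diagram followed by the attacker's script element.
const SAMPLE_HTML =
  '<p>Bus timing</p>' +
  '<script type="WaveDrom">' + BENIGN + '</script>' +
  '<script type="WaveDrom">' + MALICIOUS + '</script>';

// Runs both parsers over the payloads and reports what happened.
function demo() {
  globalThis.__mpe_pwned = false;
  let unsafeRan = false;
  try {
    parseWaveDromUnsafe(MALICIOUS);
    unsafeRan = globalThis.__mpe_pwned === true;
  } catch {
    // eval failed; nothing ran
  }

  let safeRejected = false;
  try {
    parseWaveDromSafe(MALICIOUS);
  } catch {
    safeRejected = true;
  }

  return {
    unsafeRan,     // true: eval executed the attacker's assignment
    safeRejected,  // true: JSON.parse threw instead of running anything
    benignName: parseWaveDromSafe(BENIGN).signal[0].name,  // 'clk'
    sanitized: sanitizeWaveDromScripts(SAMPLE_HTML),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The sanitizer only neutralizes WaveDrom data scripts; stripping ordinary <script> elements from raw HTML remains the job of the general HTML sanitizer that runs before this step.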


How can this vulnerability impact me? :

This vulnerability allows an attacker to execute arbitrary JavaScript code when a victim previews or exports a crafted markdown document.

The attacker can exploit this to perform arbitrary file writes on the victim's filesystem, including overwriting sensitive files such as SSH authorized keys.

Such actions can lead to persistent remote access to the victim's machine, compromising system integrity and confidentiality.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection is primarily a matter of finding installations of the vulnerable extension: Markdown Preview Enhanced before 0.8.28 (0.8.27 is the last affected release). The CPE data for this CVE also lists Visual Studio Code 1.122.1 alongside the affected extension.

Because the trigger is opening or exporting a markdown document that carries a WaveDrom fenced code block or a raw <script type="WaveDrom"> element, and the payload runs inside the VS Code preview rather than as a separate process, host-side detection focuses on the effects: unexpected file writes by the VS Code process, for example to ~/.ssh/authorized_keys, and markdown files in untrusted locations that contain WaveDrom content.

Specific commands to detect vulnerable software versions or suspicious files include:

  • Check the installed version of Markdown Preview Enhanced extension in VS Code: `code --list-extensions --show-versions | grep markdown-preview-enhanced`
  • Check VS Code version: `code --version`
  • List markdown files containing either trigger, a WaveDrom fenced block or a WaveDrom script element (case-insensitive): `grep -rEil --include='*.md' '```[[:space:]]*wavedrom|<script[^>]*type=.?wavedrom' /path/to/markdown/files`
  • Monitor the filesystem for unexpected writes by VS Code processes, in particular to ~/.ssh/authorized_keys, using auditd or another filesystem monitoring tool.

Note that no direct network detection commands are provided in the resources, as the vulnerability is local to the markdown rendering and file system access within the VS Code environment.
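The grep above only tells you which files contain WaveDrom content, not whether that content is data or code. The following is an added triage script, not part of the advisory or the extension, that finds both trigger paths named above (fenced wavedrom blocks and raw <script type="WaveDrom"> elements) in a markdown document and classifies each body. The verdict names, the code heuristic and the sample document are constructed for this example; "suspicious" is a heuristic for review, not proof of exploitation.

```javascript
// Added example, not from the advisory or the extension: triage a markdown
// document for content that reaches the WaveDrom parser in vulnerable versions.
// Both trigger paths named in the advisory are covered: fenced wavedrom code
// blocks and raw <script type="WaveDrom"> elements. Each hit gets a verdict:
//   strict-json   pure data; inert even under the old eval() path
//   needs-review  not strict JSON (e.g. JSON5-style unquoted keys, which
//                 legitimate diagrams often use); a person has to look
//   suspicious    call/assignment/function syntax outside string literals,
//                 which diagram data never needs (heuristic, not proof)

const FENCE_RE = /^```[ \t]*wavedrom[^\n]*\n([\s\S]*?)^```/gim;
const SCRIPT_RE =
  /<script\b[^>]*\btype\s*=\s*["']?wavedrom["']?[^>]*>([\s\S]*?)<\/script>/gi;

function isStrictJson(text) {
  try { JSON.parse(text); return true; } catch { return false; }
}

// Blank out string literals so punctuation inside wave/label strings does not
// trigger the code heuristic, then look for syntax that only code needs.
function classify(body) {
  if (isStrictJson(body)) return 'strict-json';
  const noStrings = body.replace(/"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'/g, '""');
  if (/[()=;`]|\bfunction\b|\bnew\b/.test(noStrings)) return 'suspicious';
  return 'needs-review';
}

// 1-based line number of a character offset in the document.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Returns every WaveDrom payload in the document, ordered by line.
function scanMarkdownForWaveDrom(md) {
  const hits = [];
  for (const m of md.matchAll(FENCE_RE)) {
    hits.push({ kind: 'fence', line: lineOf(md, m.index), verdict: classify(m[1]), body: m[1].trim() });
  }
  for (const m of md.matchAll(SCRIPT_RE)) {
    hits.push({ kind: 'script', line: lineOf(md, m.index), verdict: classify(m[1]), body: m[1].trim() });
  }
  return hits.sort((a, b) => a.line - b.line);
}

// Constructed sample document: a strict-JSON diagram, a JSON5-style diagram,
// and a raw-HTML script element carrying executable code.
const SAMPLE_MD = [
  '# Timing notes',
  '',
  '```wavedrom',
  '{ "signal": [ { "name": "clk", "wave": "p...." } ] }',
  '```',
  '',
  'Some prose between diagrams.',
  '',
  '```wavedrom',
  '{ signal: [ { name: "req", wave: "01.." } ] }',
  '```',
  '',
  '<script type="WaveDrom">',
  '{ signal: [], x: (function () { globalThis.pwned = 1 })() }',
  '</script>',
  '',
].join('\n');

for (const h of scanMarkdownForWaveDrom(SAMPLE_MD)) {
  console.log(`line ${h.line}\t${h.kind}\t${h.verdict}\t${h.body.split('\n')[0]}`);
}
```

To run it over real files, pass `fs.readFileSync(path, 'utf8')` for each file the grep listed to `scanMarkdownForWaveDrom` and review every hit that is not `strict-json` before opening the file in a vulnerable preview.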


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Markdown Preview Enhanced to version 0.8.28 or later, where the vulnerability is fixed by replacing unsafe eval() calls with JSON5.parse() and sanitizing WaveDrom scripts.

Additionally, ensure that Visual Studio Code is updated to a version that is compatible with the fixed extension version.

Avoid opening or previewing untrusted markdown files containing WaveDrom diagrams until the update is applied.

Do not rely on the extension's script execution setting as a stopgap: the vulnerable versions render WaveDrom unconditionally, without requiring explicit script execution permission, so disabling script execution does not close this path. The upgrade is the only effective fix.

Monitor and restrict file system permissions to prevent unauthorized file writes by the extension or VS Code processes.

