CVE-2026-11422 HIGH

CVE-2026-11422: Markdown Preview Enhanced 0.8.x Code Injection via WaveDrom Rendering

Vendor Shd101Wyy
Product Markdown Preview Enhanced
Weakness CWE-95 · Eval injection
Published June 5, 2026
Last update June 8, 2026

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.

Key dates

02Disclosure timeline

June 5, 2026 CVE published
June 8, 2026 Record updated