CVE-2026-49493 HIGH

CVE-2026-49493: Markdown Preview Enhanced Arbitrary Code Execution via Bitfield interpretJS()

Vendor Shd101Wyy
Product Markdown Preview Enhanced
Weakness CWE-94 · Code injection
Published June 5, 2026
Last update June 9, 2026

CVSS base score

8.6/10
Attack vector Network (AV:N)
Attack complexity Low (AC:L)
Privileges required None (PR:N)
User interaction Active (UI:A)
Confidentiality High (VC:H)
Integrity High (VI:H)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Markdown Preview Enhanced before 0.8.28 parses bitfield fenced code blocks with interpretJS(), which evaluates the block content as JavaScript via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data and never need to be executed.

Key dates

Disclosure timeline

June 5, 2026 CVE published
June 9, 2026 Record updated