CVE-2026-11422

Source
https://cve.org/CVERecord?id=CVE-2026-11422
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11422.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-11422
Published
2026-06-05T20:16:50.802Z
Modified
2026-07-15T01:48:55.454913497Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Markdown Preview Enhanced 0.8.x Code Injection via WaveDrom Rendering
Details

Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem.

Database specific
{
    "cwe_ids": [
        "CWE-95"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11422.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/shd101wyy/crossnote

Affected ranges

Type
GIT
Repo
https://github.com/shd101wyy/crossnote
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.9.28"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}
Type
GIT
Repo
https://github.com/shd101wyy/vscode-markdown-preview-enhanced
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.27"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.0.8
0.0.9
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.3.1
0.3.10
0.3.11
0.3.12
0.3.13
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.7.10
0.7.7
0.7.8
0.7.9
0.8.0
0.8.1
0.8.10
0.8.11
0.8.12
0.8.13
0.8.14
0.8.15
0.8.16
0.8.17
0.8.18
0.8.19
0.8.2
0.8.20
0.8.21
0.8.22
0.8.23
0.8.24
0.8.25
0.8.26
0.8.27
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.9.0
0.9.1
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.16
0.9.17
0.9.18
0.9.19
0.9.2
0.9.20
0.9.21
0.9.22
0.9.23
0.9.24
0.9.25
0.9.26
0.9.27
0.9.28
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
v0.*
v0.3.12
v0.3.13
v0.4.1
v0.4.2
v0.4.3
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.15
v0.5.16
v0.5.17
v0.5.18
v0.5.2
v0.5.20
v0.5.21
v0.5.22
v0.5.3
v0.5.4
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.10
v0.6.2
v0.6.3
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11422.json"