CVE-2026-49493

Source
https://cve.org/CVERecord?id=CVE-2026-49493
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49493.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49493
Published
2026-06-05T17:49:52.826Z
Modified
2026-07-15T01:49:21.344425945Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Markdown Preview Enhanced Arbitrary Code Execution via Bitfield interpretJS()
Details

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49493.json"
}
References

Affected packages

Git / github.com/shd101wyy/vscode-markdown-preview-enhanced

Affected ranges

Type
GIT
Repo
https://github.com/shd101wyy/vscode-markdown-preview-enhanced
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.8.28"
        }
    ]
}

Affected versions

0.*
0.0.8
0.0.9
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.3.1
0.3.10
0.3.11
0.3.12
0.3.13
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.7.10
0.7.7
0.7.8
0.7.9
0.8.0
0.8.1
0.8.10
0.8.11
0.8.12
0.8.13
0.8.14
0.8.15
0.8.16
0.8.17
0.8.18
0.8.19
0.8.2
0.8.20
0.8.21
0.8.23
0.8.24
0.8.25
0.8.26
0.8.27
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
v0.*
v0.3.12
v0.3.13
v0.4.1
v0.4.2
v0.4.3
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.15
v0.5.16
v0.5.17
v0.5.18
v0.5.2
v0.5.20
v0.5.21
v0.5.22
v0.5.3
v0.5.4
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.10
v0.6.2
v0.6.3
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49493.json"