PatchSiren cyber security CVE debrief
CVE-2026-49492 shd101wyy CVE debrief
CVE-2026-49492 is a HIGH severity vulnerability in Markdown Preview Enhanced before version 0.8.28. The vulnerability allows for OS command injection when a crafted markdown document is previewed on Windows. This is due to the application opening external files and links from the preview through a shell without validating untrusted inputs taken from the markdown document.
- Vendor: shd101wyy
- Product: Markdown Preview Enhanced
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Users of Markdown Preview Enhanced on Windows should update to version 0.8.28 or later to mitigate this vulnerability.
Technical summary
The vulnerability exists in the handling of the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute in markdown documents. An attacker can inject operating system commands that execute when the document is previewed.
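The defensive pattern for the three inputs named above, as an added example (not code from Markdown Preview Enhanced or from the advisory): validate each document-supplied value, allowlist the engine name, and pass the program an argument array with no shell. All function names, the engine allowlist and the path policy are assumptions made for illustration.

```javascript
'use strict';
// Added example; every name here is hypothetical, not the extension's API.

// Assumed allowlist of LaTeX engines; adjust to what is actually installed.
const ALLOWED_ENGINES = new Set(['pdflatex', 'xelatex', 'lualatex']);

// Characters cmd.exe or a POSIX shell would interpret, plus control characters.
const SHELL_META = /[&|;<>^%!`$"'()\r\n\0]/;

// Diagram "filename" attribute: a bare file name, no directory parts.
function checkFilename(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  if (SHELL_META.test(name) || /[\\\/:*?]/.test(name)) return false;
  return !(name.startsWith('-') || name === '.' || name === '..');
}

// Imported file path. Assumed policy: relative to the document, no drive
// letter or URL scheme, no parent traversal, no leading option dash.
function checkImportPath(p) {
  if (typeof p !== 'string' || p.length === 0 || SHELL_META.test(p)) return false;
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(p)) return false;
  if (p.startsWith('/') || p.startsWith('\\') || p.startsWith('-')) return false;
  return !p.split(/[\\\/]/).includes('..');
}

// latex_engine attribute: exact match against the allowlist, nothing else.
function checkEngine(engine) {
  return ALLOWED_ENGINES.has(engine);
}

// Returns the arguments for child_process.execFile(file, args, options, cb).
// shell:false means the values are never parsed by cmd.exe or /bin/sh.
function planLatexRun(engine, texFile) {
  if (!checkEngine(engine)) throw new Error('latex_engine not on allowlist');
  if (!checkImportPath(texFile)) throw new Error('rejected input path');
  return {
    file: engine,
    args: ['-interaction=nonstopmode', '-halt-on-error', texFile],
    options: { shell: false, windowsHide: true },
  };
}
```

Validation and shell-free execution are complementary: the argument array removes shell parsing, while the checks stop a document from choosing which program runs or which path it touches.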
Defensive priority
HIGH
Recommended defensive actions
- Update Markdown Preview Enhanced to version 0.8.28 or later.
- Be cautious when previewing markdown documents from untrusted sources.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd] respectively. Additional information is available at [ref-4] and [ref-5].
Official resources
CVE-2026-49492 was published on 2026-06-05T18:17:33.377Z and modified on 2026-06-05T18:59:54.823Z.