PatchSiren cyber security CVE debrief
CVE-2026-49493 shd101wyy CVE debrief
CVE-2026-49493 is a HIGH severity vulnerability in Markdown Preview Enhanced before 0.8.28. The vulnerability allows arbitrary code execution via bitfield fenced code blocks. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. The vulnerability was fixed in version 0.8.28 by parsing bitfield register definitions with JSON5.parse(), as they are purely data.
- Vendor: shd101wyy
- Product: Markdown Preview Enhanced
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Users of Markdown Preview Enhanced before version 0.8.28 should update to version 0.8.28 or later to mitigate this vulnerability.
Technical summary
Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution.
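The difference between evaluating a block body and parsing it as data, as an added Node.js example that is not Markdown Preview Enhanced source code. The function names and sample blocks are hypothetical, and JSON.parse stands in for JSON5.parse() so the example has no dependencies.

```javascript
// Load Node's built-in vm module from either a CommonJS or an ES module file.
const vm = typeof require === "function"
  ? require("node:vm")
  : process.getBuiltinModule("node:vm");

// Hypothetical stand-in for the pre-0.8.28 behaviour: the block body is
// evaluated as JavaScript, so any expression in it runs.
function parseRegistersByEval(blockBody, context = {}) {
  return vm.runInNewContext(`(${blockBody})`, context);
}

// Hypothetical stand-in for the fix: the block body is parsed as data only.
// Assumption: JSON.parse replaces JSON5.parse() here; both accept data, not code.
function parseRegistersAsData(blockBody) {
  const regs = JSON.parse(blockBody);
  if (!Array.isArray(regs)) throw new TypeError("register list must be an array");
  for (const r of regs) {
    if (typeof r !== "object" || r === null || !Number.isInteger(r.bits) || r.bits <= 0) {
      throw new TypeError("each register needs a positive integer 'bits'");
    }
  }
  return regs;
}

// Constructed sample inputs.
const benignBlock = '[{"name": "IPO", "bits": 8}, {"name": "BRK", "bits": 5}]';
// A block whose body is code, not data. Its only side effect is a counter.
const codeBlock = '(() => { probe.ran += 1; return [{ name: "x", bits: 8 }]; })()';

function demo() {
  const probe = { ran: 0 };
  const evalResult = parseRegistersByEval(codeBlock, { probe });
  let dataError = null;
  try {
    parseRegistersAsData(codeBlock);
  } catch (e) {
    dataError = e.name; // the data parser rejects anything that is not a literal
  }
  return {
    codeRanUnderEval: probe.ran,
    evalRegisters: evalResult.length,
    dataParserError: dataError,
    benignRegisters: parseRegistersAsData(benignBlock).length,
  };
}
console.log(demo());
```

The evaluating parser runs the function embedded in the block, while the data-only parser fails with a syntax error on the same input and still accepts the benign register list.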
Defensive priority
HIGH
Recommended defensive actions
- Update Markdown Preview Enhanced to version 0.8.28 or later.
- Avoid rendering or exporting untrusted markdown documents.
Evidence notes
Vendor and product information could not be confirmed.
Official resources
CVE-2026-49493 was published on 2026-06-05T18:17:33.723Z and modified on 2026-06-05T18:59:54.823Z.