PatchSiren cyber security CVE debrief
CVE-2026-50733 shd101wyy CVE debrief
CVE-2026-50733 is a high-severity vulnerability in Markdown Preview Enhanced, a popular extension for previewing and editing Markdown files. An attacker can craft a Markdown document containing a WaveDrom diagram that executes arbitrary JavaScript when a victim previews or exports it, potentially leading to arbitrary file writes.
- Vendor: shd101wyy
- Product: Markdown Preview Enhanced
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
Users of Markdown Preview Enhanced, particularly those who preview or export Markdown documents from untrusted sources, should be aware of this vulnerability. Developers and administrators should prioritize updating to version 0.8.28 or later.
Technical summary
The vulnerability exists because Markdown Preview Enhanced uses `eval()` to parse WaveDrom diagrams, which can be injected via raw HTML in Markdown. This allows an attacker to execute arbitrary JavaScript code in the context of the victim's application. The flaw affects all render paths, including live preview, presentation mode, and HTML export.
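The difference between evaluating a diagram body and parsing it as data, as an added example that is not code from Markdown Preview Enhanced or from the 0.8.28 fix. The function names, the set of allowed top-level keys, the choice of strict JSON and the sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the extension's own code.

// The risky pattern: the diagram body is evaluated as a JavaScript
// expression, so any expression inside it runs with the renderer's privileges.
function parseDiagramWithEval(body) {
  return (0, eval)("(" + body + ")");
}

// Assumed set of top-level WaveJSON keys accepted by this example.
const ALLOWED_KEYS = new Set(["signal", "edge", "head", "foot", "config", "assign", "reg"]);

// Data-only alternative: accept strict JSON, then validate the shape.
// Nothing in the body is ever executed.
function parseDiagramAsData(body) {
  let value;
  try {
    value = JSON.parse(body);
  } catch (err) {
    return { ok: false, reason: "not strict JSON: " + err.message };
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    return { ok: false, reason: "top level must be an object" };
  }
  const unknown = Object.keys(value).filter((k) => !ALLOWED_KEYS.has(k));
  if (unknown.length > 0) {
    return { ok: false, reason: "unexpected keys: " + unknown.join(", ") };
  }
  return { ok: true, diagram: value };
}

// Constructed inputs. The second carries a harmless marker expression
// standing in for code embedded in an untrusted diagram.
const benignBody = '{"signal": [{"name": "clk", "wave": "p..."}]}';
const activeBody = '{"signal": [], "head": (globalThis.__diagramCodeRan = true)}';

function demo() {
  globalThis.__diagramCodeRan = false;
  parseDiagramWithEval(activeBody);
  const evalRanCode = globalThis.__diagramCodeRan;
  globalThis.__diagramCodeRan = false;
  const strict = parseDiagramAsData(activeBody);
  const strictRanCode = globalThis.__diagramCodeRan;
  return { evalRanCode, strictRanCode, strictOk: strict.ok,
           benignOk: parseDiagramAsData(benignBody).ok };
}

console.log(demo());
```

Strict JSON rejects the relaxed object-literal style (unquoted keys, single quotes) that hand-written WaveDrom diagrams often use, so a renderer adopting this approach would need a data-only parser for that syntax rather than a return to `eval()`.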
Defensive priority
High
Recommended defensive actions
- Update Markdown Preview Enhanced to version 0.8.28 or later.
- Avoid previewing or exporting Markdown documents from untrusted sources.
- Use a sandboxed environment for previewing and editing Markdown documents.
Evidence notes
The vulnerability was reported by VulnCheck and is tracked under CVE-2026-50733. The fix is available in version 0.8.28 of Markdown Preview Enhanced.
Official resources
CVE-2026-50733 was published on 2026-06-05T18:17:34.050Z and modified on 2026-06-05T20:17:35.423Z.