CVE-2026-49492

Markdown Preview Enhanced OS Command Injection in External File and Link Opening

CVSS 8.6 HIGHEPSS 0.3%CWE-78

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

shd101wyy · Markdown Preview Enhanced

public PoCs found — 1

githubgithub.com/byte16384/CVE-2026-49492-PoC★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28 https://www.vulncheck.com/advisories/markdown-preview-enhanced-os-command-injection-in-external-file-and-link-opening