CVE-2026-49492

Markdown Preview Enhanced OS Command Injection in External File and Link Opening

CVSS 8.6 HIGHEPSS 0.3%CWE-78

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.6EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

05 Jun 2026Published on NVD

11 Jun 2026Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

shd101wyy · Markdown Preview Enhanced

public PoCs found — 1

githubgithub.com/byte16384/CVE-2026-49492-PoC★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28 https://www.vulncheck.com/advisories/markdown-preview-enhanced-os-command-injection-in-external-file-and-link-opening