216.73.217.86

CVE-2026-49492

· Published 05/06/2026 18:17 · Modified 05/06/2026 18:59

Labels: CVE-2026-49492 2026-06-05CVE-2026-49492CWE-78[email protected]

Essential information

Published
05/06/2026 18:17
Modified
05/06/2026 18:59
Author
Creator
CVSS
8.6 HIGH (v3) 8.6 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
markdown preview enhanced / markdown preview enhanced cpe:2.3:a:markdown_preview_enhanced:markdown_preview_enhanced:<0.8.28:*:*:*:*:*:*:*

References