{"id":"CVE-2026-50733","summary":"Markdown Preview Enhanced Arbitrary Code Execution via WaveDrom eval()","details":"Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a \u003cscript type=\"WaveDrom\"\u003e element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.","modified":"2026-07-08T08:05:22.487816663Z","published":"2026-06-05T17:49:53.631Z","database_specific":{"cwe_ids":["CWE-95"],"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50733.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50733.json"},{"type":"ADVISORY","url":"https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50733"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/markdown-preview-enhanced-arbitrary-code-execution-via-wavedrom-eval"},{"type":"REPORT","url":"https://github.com/shd101wyy/vscode-markdown-preview-enhanced/issues/2315"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shd101wyy/vscode-markdown-preview-enhanced","events":[{"introduced":"0"},{"fixed":"dcd80281c986293b93d9f1af34ced64dcb230c77"}],"database_specific":{"source":["AFFECTED_FIELD","DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"0.8.28"}]}}],"versions":["0.8.27","0.8.26","0.8.25","0.8.24","0.8.23","0.8.21","0.8.20","0.8.19","0.8.18","0.8.17","0.8.16","0.8.15","0.8.14","0.8.13","0.8.12","0.8.11","0.8.10","0.8.9","0.8.8","0.8.7","0.8.6","0.8.5","0.8.4","0.8.3","0.8.2","0.8.1","0.8.0","0.7.10","0.7.9","0.7.8","0.7.7","v0.7.6","v0.7.5","v0.7.4","v0.7.3","v0.7.2","v0.7.1","v0.7.0","v0.6.10","v0.6.8","v0.6.7","v0.6.6","v0.6.5","v0.6.3","v0.6.2","v0.6.1","v0.6.0","v0.5.22","v0.5.21","v0.5.20","v0.5.18","v0.5.17","v0.5.16","v0.5.15","v0.5.14","v0.5.13","v0.5.12","v0.5.11","v0.5.10","v0.5.9","v0.5.8","v0.5.4","v0.5.3","v0.5.2","v0.5.1","0.5.1","0.5.0","v0.4.3","0.4.3","v0.4.2","0.4.2","v0.4.1","0.4.1","0.4.0","v0.3.13","0.3.13","v0.3.12","0.3.12","0.3.11","0.3.10","0.3.9","0.3.8","0.3.7","0.3.6","0.3.5","0.3.4","0.3.3","0.3.2","0.3.1","0.3.0","0.2.9","0.2.8","0.2.7","0.2.6","0.2.5","0.2.4","0.2.3","0.2.2","0.2.1","0.2.0","0.1.9","0.1.8","0.1.7","0.1.6","0.1.5","0.1.4","0.1.3","0.1.2","0.1.1","0.1.0","0.0.9","0.0.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50733.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}