HIGH | CVE-2026-50733 | CNA: VulnCheck

CVE-2026-50733: Markdown Preview Enhanced Arbitrary Code Execution via WaveDrom eval()

Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON.
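A triage check for the two carriers the description names (wavedrom code fences and `<script type="WaveDrom">` elements), as an added example that is not code from Markdown Preview Enhanced or HarborGuard. It flags any diagram block containing more than data literals; the names `isInertData` and `scanMarkdown`, the heuristic itself, and the sample document are assumptions made for illustration.

```javascript
// Added example: heuristic triage scanner, not Markdown Preview Enhanced code.
const FENCE = '`'.repeat(3); // built indirectly so the sample nests in a fence

// Carriers named in the advisory: wavedrom code fences and raw-HTML
// <script type="WaveDrom"> elements. Capture group 1 is the diagram source.
const CARRIERS = [
  /^`{3,}\s*wavedrom\b[^\n]*\n([\s\S]*?)^`{3,}/gim,
  /<script\b[^>]*\btype\s*=\s*["']?wavedrom["']?[^>]*>([\s\S]*?)<\/script\s*>/gi,
];
const LITERALS = new Set(['true', 'false', 'null', 'Infinity', 'NaN']);

// True when src holds only data literals: strings, numbers, keywords,
// brackets, and bare identifiers used as object keys.
function isInertData(src) {
  const bare = src.replace( // drop comments, blank out string contents
    /"(?:\\[\s\S]|[^"\\])*"|'(?:\\[\s\S]|[^'\\])*'|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g,
    (tok) => (tok[0] === '/' ? ' ' : '""'));
  // Parentheses, operators, backticks, etc. mean code rather than data.
  if (!/^[\s{}\[\]:,\w$.+\-"]*$/.test(bare)) return false;
  for (const m of bare.matchAll(/\d[\w.]*|[A-Za-z_$][\w$]*/g)) {
    if (/^\d/.test(m[0]) || LITERALS.has(m[0])) continue;
    const next = bare.slice(m.index + m[0].length).trimStart()[0];
    if (next !== ':') return false; // identifier used as a value, not a key
  }
  return true;
}

// Returns one finding per WaveDrom block, in document order.
function scanMarkdown(markdown) {
  const findings = [];
  for (const re of CARRIERS) {
    for (const m of markdown.matchAll(re)) {
      findings.push({ offset: m.index, inert: isInertData(m[1]) });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample document (not taken from the advisory).
const SAMPLE = [
  '# Timing notes',
  FENCE + 'wavedrom',
  '{ signal: [ { name: "clk", wave: "p...." } ] } // data only',
  FENCE,
  '<script type="WaveDrom">{ signal: [ { name: "d", wave: pattern(4) } ] }</script>',
].join('\n');

console.log(scanMarkdown(SAMPLE));
```

A block reported with `inert: false` warrants review before the document is previewed or exported on a version below 0.8.28; the check is a filter for untrusted markdown, not a substitute for the upgrade.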

Metrics

  • CVSS v4.0: 8.6
  • Severity: HIGH
  • Fixed in: 0.8.28
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Arbitrary code execution via unsafe eval() in Markdown Preview Enhanced affects versions before 0.8.28. The vulnerability is reached over the network with no authentication required, but a victim must open and preview or export a crafted markdown document. Successful exploitation gives an attacker full arbitrary JavaScript execution in the victim's environment, enabling arbitrary file writes on the victim's machine. A patched-image rebuild at version 0.8.28 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Markdown Preview Enhanced. Any image carrying a version of the package below 0.8.28 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector, and that score is applied during triage alongside each customer environment's compliance policy weighting to prioritize findings. Routed alerts reach the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at version 0.8.28 is available on HarborGuard for any environment running an affected version of Markdown Preview Enhanced. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the crafted markdown document over the network, so the victim's environment must be reachable or the victim must fetch the malicious file from a network-accessible source.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated party can craft and deliver a malicious markdown file.

  • Victim interaction: Required

    The victim must open and preview or export the crafted markdown document, making this a social-engineering vector that requires the victim to take an explicit action.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the victim opens the document; no race conditions, memory layout dependencies, or environmental factors need to be satisfied.

Blast Radius

  • Attacker executes arbitrary JavaScript in the victim's Markdown Preview Enhanced render context with the privileges of the process running the editor.
  • Arbitrary file writes are enabled on the victim's local filesystem, allowing the attacker to plant malicious files, overwrite configuration, or exfiltrate data by writing to a network-accessible path.
  • All confidential content visible to the editor process, including locally stored documents, credentials files, and environment variables, is exposed to the attacker's injected code.
  • Integrity of the victim's local environment is compromised; the attacker can modify or delete files accessible to the editor process.

How HarborGuard Handles This

Available on HarborGuard: any image that bundles Markdown Preview Enhanced below 0.8.28 is detected and flagged within minutes of the CVE entering upstream feeds, with no manual configuration required. For customers who opt into auto-remediation, HarborGuard rebuilds the image at version 0.8.28, runs the regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS context so teams can manually trigger the rebuild. Customers running environments where users regularly preview or export untrusted markdown content should treat this as a priority fix given the zero-authentication, arbitrary-file-write impact.

Fix available: 0.8.28

Affected packages

  • shd101wyy / Markdown Preview Enhanced: < 0.8.28 (from 0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N