
Popular VS Code Extension Flaws Let Markdown Take Over Your PC: CVE-2026-49492 and More

Three flaws in Markdown Preview Enhanced, a popular VS Code extension with about 9.5M installs, let an attacker take over a PC just by opening and previewing a malicious Markdown file. Tracked as CVE-2026-49492/49493/50733 (CVSS 8.8 each), the bugs come from rendering code that executes document content. All are fixed in 0.8.28. Here are the affected versions and update steps.

News · Updated 2026.06.06 · 9 min read

Makoto Horikawa

Backend Engineer / AWS / Django

Three flaws have been found together in Markdown Preview Enhanced, a popular extension for the code editor Visual Studio Code (VS Code) used by many programmers, that can let an attacker take over a computer simply by getting the user to open and preview a malicious Markdown file. They are tracked as CVE-2026-49492, CVE-2026-49493, and CVE-2026-50733, each with a CVSS v3.1 severity score of 8.8, the second-highest of four bands ("High").

Markdown Preview Enhanced cleanly renders the lightweight writing format "Markdown" while also drawing diagrams, charts, and equations inline. It is a staple, reaching roughly 9.5 million installs on the VS Code marketplace alone. All three flaws are fixed in version 0.8.28, released June 5, 2026, but anyone who has turned off auto-updates or has not updated in a while may still be running an old version. All an attack needs is for the user to open and preview (or export) a crafted .md file — no login or password required.

This article explains, in plain terms, what happens, what each of the three flaws is, why Markdown preview is targeted so often, and what to do in your own VS Code right now.

Which versions are affected, and how to update

Here is the bottom line. All versions of Markdown Preview Enhanced before 0.8.28 are affected, and updating to 0.8.28 or later closes all three. You can check the extension's version by opening "Markdown Preview Enhanced" from the Extensions icon on the left side of VS Code.

Your version                                  Status                 What to do now
0.8.28 or later                               Fixed                  No action needed
Anything before 0.8.28 (0.8.27 and earlier)   Affected (all three)   Update to 0.8.28 or later
Unknown                                       Needs checking         Check via the Extensions panel

VS Code enables auto-update for extensions by default, but some environments turn it off via policy or manual operation. If an Update button appears next to "Markdown Preview Enhanced" in the extensions list, click it; if not, right-click and check for updates. Note that this extension was previously reported to have another code-execution flaw (CVE-2025-65716), so keeping it current is itself an effective defense.

What happens: just opening and rendering Markdown runs code

The selling point of Markdown Preview Enhanced is not just formatting text but rendering the diagrams, charts, circuit timing diagrams, and equations written inside the document on the spot. The trade-off is that, to draw these, there are places where it treats the document's content not as "data" but as "executable code" — and that became the weak point in all three flaws.

The attack flow is the same in each case. The attacker prepares a crafted Markdown file containing a diagram or a specific notation and gets the user to open it. The moment the user previews (renders) it or exports it to HTML or PDF, the commands embedded in the file run on the user's machine. The NVD (the U.S. National Vulnerability Database) CVSS breakdown shows it is reachable over the network (AV:N), needs no privileges (PR:N), requires only that the user open the file (UI:R), and has high impact on confidentiality, integrity, and availability alike (C:H/I:H/A:H). Here is each of the three in turn.

CVE-2026-49492: command execution when opening external files via a shell (CWE-78)

The first lives in the handling that opens external files and links from the preview. Markdown Preview Enhanced opens external files and links through a shell (the mechanism that hands commands to the OS) based on things like diagram filenames and LaTeX (a math-typesetting tool) settings. But it validates this input inadequately, and on Windows in particular, a command slipped into a diagram filename runs as an OS command. Technically this is "OS command injection" (CWE-78).

CVE-2026-49493: code execution through Bitfield diagram handling (CWE-94)

The second is in the part that processes "Bitfield" code blocks, a notation for illustrating bit fields. Markdown Preview Enhanced passes the content to a routine called interpretJS() and ultimately evaluates it as JavaScript via vm.runInNewContext(). As a result, even untrusted content in a Bitfield block runs as code. Technically this is "code injection" (CWE-94); the fix replaces execution with a read-as-data approach (JSON5.parse).

CVE-2026-50733: arbitrary code execution via eval() on WaveDrom diagrams

The third is the handling of "WaveDrom," a notation for drawing circuit timing diagrams. Markdown Preview Enhanced was evaluating WaveDrom content with eval(), a dangerous function that runs a string as a program. According to VulnCheck's analysis, the flaw triggers not only on a normal preview but also in presentation mode, on HTML export, and even through a <script type="WaveDrom"> element embedded directly in the Markdown, ultimately leading to arbitrary code execution and arbitrary file writes. The fix drops the dangerous eval() in favor of strict data parsing (JSON5.parse).

Who wants this bug, and what do they walk off with

What these three share is the danger that simply opening and rendering an attacker's Markdown file starts the attacker's code running on that machine with the developer's own privileges. The people who go after this are fake contributors who slip crafted Markdown into an open-source README, issue, or pull request; creators of fake repositories that pose as popular projects to get you to clone them; and distributors who dress malicious files up as technical articles or Gists. What they are after is whatever sits on that dev machine: source code, the credentials in .env, SSH private keys, and npm, cloud, and GitHub access tokens — the things that translate directly into intrusion or money. The moment a crafted .md is previewed, the code that lifts all of this starts running with the developer's own privileges.

Because what gets taken is the developer's tokens and keys, the damage rarely stops at one machine. With the stolen access tokens, attackers move into the person's repositories and published npm/PyPI packages and poison them there, using that as the entry point for a supply-chain attack that cascades to every downstream app using the library. As with the Zed editor's "open a malicious repo and get RCE" and the TanStack-to-VS-Code-extension poisoning we covered earlier, the takeover of a single developer spreads to everything that person touches.

And the cleanup lands not only on the individual developer but on the products they work on, their employer, and even everyone who uses that software: revoking and reissuing leaked tokens, auditing for rogue commits or package publishes, and notifying users where supply-chain poisoning is suspected. What weighs more than the CVSS 8.8 itself is that in the single instant of opening one file, all of your development assets can be carried off. That is why whether you can keep one extension up to date can decide whether you protect yourself and your downstream users.

Why Markdown preview is targeted so often

Markdown was originally a simple notation for jotting down headings and bullet lists. But a high-feature extension like Markdown Preview Enhanced carries a variety of rendering engines inside so it can draw diagrams, charts, equations, circuit diagrams, and even slides. In exchange for the convenience, the number of places that treat document content as "something executable" grows, and a structural weakness emerges: if even one of them validates input loosely, it leads to code execution.

Indeed, code execution starting from a Markdown preview keeps turning up. The same Markdown Preview Enhanced had CVE-2025-65716 reported in early 2026, and Markdown RCE was even found in Windows' built-in Notepad (CVE-2026-20841), drawing wide attention to the "just open Markdown" attack surface. Security firms warn that flaws like these in VS Code extensions expose developers to RCE and data exfiltration.

For developers, extensions tend to be "installed and left in place," but an extension runs with the same privileges as the editor and handles high-value data like source code and credentials. Just as pulling in open-source parts and tools widens the attack surface, extensions deserve the same scrutiny as your library dependencies. Pulling in fixes quickly when they ship, as here, is the plainest and surest defense.

From disclosure to fix

The three were published together with the fixed version. They are already closed in 0.8.28, but the mechanism of the attacks is described in the public advisories. Here is the timeline.


How hard is it to exploit, and how dangerous is it right now

There is no need to panic, but it is also dangerous to shrug off. All three require the user to open and preview (or export) a crafted Markdown file to trigger. This is not the kind that hijacks you while you do nothing. The flip side is that the attacker first needs a little effort to get you to "open it."

What you cannot dismiss, though, is that for a developer, "opening Markdown" is an utterly routine action. Cloning a repository on GitHub and opening the README, checking a .md sample or spec someone sent you, previewing a draft of a tech article — these casual actions are the trigger. Many people use Markdown Preview Enhanced with previews opening automatically, so it is not unusual for the conditions to be met the instant a file is opened.

For the record, these three are not listed in the CISA KEV catalog of "vulnerabilities known to be exploited" as of June 6, 2026. It has not reached the stage of confirmed widespread abuse. But the attack mechanism is described in public advisories, and given the scale of roughly 9.5 million installs, it is undoubtedly an attractive target. As with the 7-Zip flaw that triggers on "just opening a file," closing it before abuse spreads is the lowest-cost response.

What to do right now

What you need to do is basically a single update of Markdown Preview Enhanced. The steps are as follows.

  • Open the Extensions icon in VS Code and check the version of "Markdown Preview Enhanced"
  • If it is earlier than 0.8.28, click Update to move to 0.8.28 or later (if no Update button appears, right-click and check for updates)
  • If you have extension auto-update disabled, consider enabling it on this occasion
  • Until the update is done, do not casually preview .md files from untrusted senders or Markdown from unfamiliar repositories
  • Also check that similar Markdown-preview extensions and code-execution-related extensions are on their latest versions

In particular, if your role involves routinely opening repositories and files received from outside, raise the priority and update. This attack succeeds simply by previewing a crafted Markdown file, so the more you open arbitrary files while unpatched, the higher the risk. If your team uses VS Code, inventory the extension versions and broadcast the update to 0.8.28 or later in one go to be sure.

FAQ

Q. How do I check whether my Markdown Preview Enhanced is affected?

Open the Extensions icon on the left of VS Code and select "Markdown Preview Enhanced" to see its version. If it is earlier than 0.8.28, it is affected by all three flaws. If it is 0.8.28 or later, it is fixed and no action is needed.

Q. Is it dangerous just to open Markdown I wrote, or a file from a trusted person?

No. It only triggers when you open Markdown an attacker crafted specifically to exploit these flaws. It does not happen with documents you wrote yourself or files from trusted people. However, a crafted file is hard to tell apart from ordinary Markdown by sight, so it is safest not to carelessly preview files or repositories from untrusted sources before updating.

Q. Is it already being used in attacks?

As of June 6, 2026, it is not listed in the U.S. CISA KEV catalog, and there is no confirmed report of real-world exploitation. That said, the attack mechanism is described in public advisories, and given the large install base, updating sooner is safer.

Q. Are VS Code itself or other Markdown-preview features also at risk?

These three are problems in the specific extension Markdown Preview Enhanced, not flaws in VS Code's built-in Markdown preview itself. However, high-feature preview extensions that render diagrams and code tend to share this kind of weakness, so it is wise to keep all your installed extensions on their latest versions.

Conclusion

CVE-2026-49492, 49493, and 50733 are three flaws in the popular VS Code extension Markdown Preview Enhanced, with roughly 9.5 million installs. Places that execute document content as code in order to draw diagrams and equations are exploited, so simply opening and previewing an attacker-crafted Markdown file can run arbitrary code on the user's machine. No login or special privileges are needed — only the act of "opening a file."

All three are closed in the fixed version 0.8.28. Check the version from VS Code's extensions panel and update to 0.8.28 or later. As of June 6, 2026, no widespread abuse has been confirmed, but the attack mechanism is public, and opening Markdown is everyday work for a developer. The longer you keep using an old version, the more worthwhile it is to update now.
