CVE-2026-49492EPSS p19.0%

CVE-2026-49492CVE-2026-49492

Description

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use.

Scoring

CVSS 8.8 ()
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS0.27% probability of exploitation · percentile 19.0% · 2026-06-18T12:00:27Z
Last modified2026-06-05

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-49493
CVE
CVE-2026-50733
CVE
CVE-2026-11422
CVE
CVE-2025-65716
CVE
CVE-2026-46492
CVE
CVE-2025-26525
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.