GHSA-m5v2-jw65-jh59 · Severity: high — Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(),...
Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.
Conclusion & alert: CVE-2026-49493 is rated Moderate Risk (43.1/100): CVSS High severity, with low exploitation likelihood (EPSS 0.33%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.07% | 0.33% | +0.26% |
| 2 | 2026-06-06 | — | 0.07% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.6 | 4.0 | HIGH |
|
— | — | [email protected] |
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
GHSA-m5v2-jw65-jh59 · Severity: high — Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(),...
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| markdown_preview_enhanced_project | markdown_preview_enhanced | < 0.8.28 | cpe:2.3:a:markdown_preview_enhanced_project:markdown_preview_enhanced:*:*:*:*:*:*:*:* |