What is GHSA-3vxg-8vgp-994w?

GHSA-3vxg-8vgp-994w is a security advisory published by GitHub Security Advisories with High severity. Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a...

Which CVE IDs does GHSA-3vxg-8vgp-994w cover?

GHSA-3vxg-8vgp-994w covers the following CVE IDs: CVE-2026-49492. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-3vxg-8vgp-994w?

GHSA-3vxg-8vgp-994w has a CVSS v3 base score of 8.8, published by GitHub Security Advisories.

GHSA-3vxg-8vgp-994wHighCVSS 8.8

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a...

Vendor

GitHub Security Advisories

Published

June 5, 2026

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2026-49492 →

📋 Description

Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-49492
https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28
https://www.vulncheck.com/advisories/markdown-preview-enhanced-os-command-injection-in-external-file-and-link-opening
https://github.com/advisories/GHSA-3vxg-8vgp-994w