What is GHSA-m5v2-jw65-jh59?

GHSA-m5v2-jw65-jh59 is a security advisory published by GitHub Security Advisories with High severity. Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(),...

Which CVE IDs does GHSA-m5v2-jw65-jh59 cover?

GHSA-m5v2-jw65-jh59 covers the following CVE IDs: CVE-2026-49493. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-m5v2-jw65-jh59?

GHSA-m5v2-jw65-jh59 has a CVSS v3 base score of 8.8, published by GitHub Security Advisories.

GHSA-m5v2-jw65-jh59HighCVSS 8.8

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(),...

Vendor

GitHub Security Advisories

Published

June 5, 2026

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2026-49493 →

📋 Description

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-49493
https://github.com/shd101wyy/vscode-markdown-preview-enhanced/releases/tag/0.8.28
https://www.vulncheck.com/advisories/markdown-preview-enhanced-arbitrary-code-execution-via-bitfield-interpretjs
https://github.com/advisories/GHSA-m5v2-jw65-jh59