By weakness (CWE)

CWE-95: related vulnerabilities

CVEs classified under CWE-95. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

2 published vulnerabilities

  • CVE-2026-50733HIGH 8.8

    Markdown Preview Enhanced, a popular markdown editor extension, contains a critical flaw in how it renders WaveDrom diagrams—a type of digital waveform visualization. Versions before 0.8.28 use JavaScript's eval() function to process diagram code, which means maliciously crafted markdown files can trick the software into executing arbitrary code on your machine. An attacker only needs to get you to open or export a booby-trapped markdown document; no interaction beyond that is required. The vulnerability works across all rendering modes: live preview, presentation slides, and HTML export. A patch is available that replaces the unsafe eval() with proper JSON parsing, eliminating the risk.

  • CVE-2026-11422HIGH 7.1

    Markdown Preview Enhanced, a popular VS Code extension that renders Markdown with enhanced visualization features, contains a critical flaw in how it processes WaveDrom diagrams. An attacker can craft a malicious Markdown file containing specially crafted WaveDrom code that, when previewed in VS Code, executes arbitrary JavaScript with the privileges of the extension. This JavaScript can then read files from your computer and write new files to your filesystem, potentially installing malware or stealing sensitive data. The vulnerability affects version 0.8.x when used with crossnote engine 0.9.28.