CVE-2026-49492

Markdown Preview Enhanced · Markdown Preview Enhanced

Markdown Preview Enhanced contains vulnerabilities allowing for OS command injection and arbitrary JavaScript execution via untrusted markdown content.

Executive summary

Markdown Preview Enhanced is vulnerable to OS command injection and arbitrary JavaScript execution, enabling attackers to compromise systems through malicious markdown documents.

Vulnerability

The extension passes the target of an external file or link into an OS command without validating it, so a crafted link in a markdown document can inject shell commands when the user opens it. It also parses WaveDrom diagram blocks by passing the untrusted block content to eval(), so a crafted diagram executes arbitrary JavaScript in the editor process as soon as the preview renders.

Business impact

With a CVSS score of 8.8, this vulnerability poses a high risk to developer workstations and any system where Markdown Preview Enhanced is installed. Exploitation requires only that a user preview a malicious markdown document or open a link from one; success yields code execution with that user's privileges, exposing sensitive development credentials and source code.

Remediation

Immediate Action: Update the Markdown Preview Enhanced extension to version 0.8.28 or later.

Proactive Monitoring: Review system logs for suspicious process creation or unexpected network connections originating from the editor environment.

Compensating Controls: Disable the automatic rendering of untrusted markdown files or diagrams until the update can be applied, and restrict the editor's permissions if possible.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The combination of OS command injection and arbitrary JavaScript execution, both triggered by document content, makes this a severe risk for any software development environment. Users should upgrade to version 0.8.28 immediately and, until then, treat markdown documents from untrusted sources as hostile input rather than previewing them.