A critical remote code execution vulnerability in Markdown Preview Enhanced allows attackers to execute arbitrary JavaScript and gain control over the host environment.

The application improperly handles WaveDrom diagram rendering by passing untrusted input to eval(). This can be triggered through standard markdown rendering or by injecting a <script type="WaveDrom"> element, allowing an unauthenticated attacker to execute arbitrary code and perform unauthorized file operations.

A CVSS score of 8.8 reflects the high risk of this vulnerability, which facilitates complete system compromise. Organizations could suffer from significant data breaches, loss of system integrity, and potential ransomware deployment if attackers leverage this flaw to write malicious files to the server.

Immediate Action: Update the software to version 0.8.28, which replaces unsafe evaluation with JSON5.parse() and enforces strict sanitization of WaveDrom scripts.

Proactive Monitoring: Review file system integrity logs for unauthorized file creation or modifications, particularly in directories accessible by the web application.

Compensating Controls: Disable the rendering of WaveDrom diagrams if not strictly required, or deploy WAF rules to block HTML-injected <script> tags containing "WaveDrom" identifiers.

Public Exploit Available: true

The ability to achieve arbitrary code execution via a simple markdown preview makes this a high-priority threat. Organizations must apply the vendor-provided patch immediately to remove the reliance on unsafe evaluation functions.