CVE-2025-65716

HighPublic PoCRCE

Published: 16 February 2026

Published

16 February 2026

Modified

25 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0009 25.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-65716 is a high-severity Code Injection (CWE-94) vulnerability in Shd101Wyy Markdown Preview Enhanced. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 25.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely patching and remediation of the specific code injection flaw in Markdown Preview Enhanced v0.8.18 to prevent arbitrary code execution.

SI-10 Information Input Validation good match

prevent

Enforces validation of untrusted Markdown inputs in the preview feature to block crafted .md files from injecting and executing arbitrary code.

SI-3 Malicious Code Protection good match

preventdetect

Deploys malicious code protection mechanisms to scan and prevent execution of arbitrary code triggered by malicious Markdown previews in VS Code.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Code injection in VSCode extension enables client-side RCE via malicious .md file requiring user preview action.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in Visual Studio Code Extensions Markdown Preview Enhanced v0.8.18 allows attackers to execute arbitrary code via uploading a crafted .Md file.

Deeper analysisAI

CVE-2025-65716 is a code injection vulnerability (CWE-94) in the Markdown Preview Enhanced extension for Visual Studio Code, version 0.8.18. Published on 2026-02-16, it enables attackers to execute arbitrary code when users preview a specially crafted .md file in the extension's Markdown preview feature. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting its high severity due to the potential for significant impact.

Remote attackers can exploit this vulnerability over the network with low attack complexity and no required privileges, though it demands user interaction—specifically, opening and previewing a malicious .md file within the affected extension. Successful exploitation allows arbitrary code execution on the victim's system, compromising confidentiality, integrity, and availability with high impact.

Mitigation guidance and patch details are available in advisories linked to the CVE, including the extension's GitHub repository at https://github.com/shd101wyy/markdown-preview-enhanced and the OX Security blog post at https://www.ox.security/blog/cve-2025-65716-markdown-preview-enhanced-vscode-vulnerability/. Security practitioners should consult these resources for updates, version fixes, and recommended remediation steps.