Unknown · Obsidian Dataview · CVE-2021-42057
**Name of the Vulnerable Software and Affected Versions**
Obsidian Dataview versions 0.4.12-hotfix1 and earlier
**Description**
The `evalInContext` function executes user input, which allows eval injection: an attacker can craft a malicious Markdown file that executes arbitrary code when it is opened.
**Recommendations**
For versions 0.4.12-hotfix1 and earlier, update to version 0.4.13 or later to mitigate the issue for some use cases.
As a temporary workaround, consider restricting the use of the `evalInContext` function until a more comprehensive patch is available.
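
For triage before opening untrusted notes with an affected version, the following added example (not code from Dataview or from this advisory) flags Markdown constructs that carry Dataview JavaScript. It assumes those are `dataviewjs` fenced blocks and inline code spans starting with the default `$=` prefix, per Dataview's documented syntax; `findDataviewScripts` and the sample note are constructed for illustration.

```javascript
// Added example: flag Dataview script constructs in Markdown text for review.
// Assumption: "dataviewjs" fences and the default inline prefix "$=" follow
// Dataview's documented syntax; the inline prefix is user-configurable.
const INLINE_JS_PREFIX = "$=";

function findDataviewScripts(markdown, inlinePrefix = INLINE_JS_PREFIX) {
  const findings = [];
  let fence = null; // opening fence marker while inside a fenced block
  markdown.split(/\r?\n/).forEach((line, i) => {
    const m = line.match(/^\s{0,3}(`{3,}|~{3,})\s*([^\s`]*)/);
    if (fence) {
      // Closing fence: same character, at least as long, no info string.
      if (m && m[1][0] === fence[0] && m[1].length >= fence.length && m[2] === "") {
        fence = null;
      }
      return; // block content is never scanned for inline spans
    }
    if (m) {
      fence = m[1];
      // Case-insensitive match is deliberately conservative for triage.
      if (m[2].toLowerCase() === "dataviewjs") {
        findings.push({ line: i + 1, kind: "dataviewjs-block" });
      }
      return;
    }
    for (const span of line.matchAll(/`([^`]+)`/g)) {
      if (span[1].trimStart().startsWith(inlinePrefix)) {
        findings.push({ line: i + 1, kind: "inline-js" });
      }
    }
  });
  return findings;
}

// Constructed sample note (not from the advisory); both scripts are benign.
const SAMPLE_NOTE = [
  "# Project notes",
  "Updated: `$= dv.current().file.mtime`",
  "```js",
  "`$= ignored inside a plain js fence`",
  "```",
  "```dataviewjs",
  "dv.list(dv.pages().file.name)",
  "```",
  "Plain `code` span.",
].join("\n");

console.log(findDataviewScripts(SAMPLE_NOTE));
```

A file with no findings under the default prefix can still contain inline scripts if the vault configures a different prefix, so pass the configured value as the second argument.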