Arbitrary Code Exec CVE-2026-0969 in next-mdx-remote <6.0.0
CVE-2026-0969 Published on February 12, 2026

Arbitrary code execution in React server-side rendering of untrusted MDX content
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.

NVD

Weakness Type

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2026-0969 has been classified to as a Code Injection vulnerability or weakness.

Affected Versions

HashiCorp Shared library:

Version 4.3.0 and below 6.0.0 is affected.

Exploit Probability

EPSS

0.08%

Percentile

23.49%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Arbitrary Code Exec CVE-2026-0969 in next-mdx-remote <6.0.0CVE-2026-0969 Published on February 12, 2026

Weakness Type

What is a Code Injection Vulnerability?

Affected Versions

Exploit Probability

Arbitrary Code Exec CVE-2026-0969 in next-mdx-remote <6.0.0
CVE-2026-0969 Published on February 12, 2026