CVE-2026-0969

HIGH 8.8

Arbitrary code execution in React server-side rendering of untrusted MDX content

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

11th

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.

CWE	CWE-94
Vendor	hashicorp
Product	shared library
Published	Feb 12, 2026
Last Updated	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for hashicorp shared library

Be the first to know when new high vulnerabilities affecting hashicorp shared library are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

HashiCorp / Shared library

4.3.0 < 6.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

discuss.hashicorp.com: https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155

Credits

This issue was identified by researchers at Sejong University.