LeakyCreds

CVE-2026-0969 - Vulnerability Analysis

High, CVSS: 8.8

Last Updated: February 12, 2026

next-mdx-remote - Remote Code Execution

Published: February 12, 2026 | Updated: February 12, 2026 | Remote Exploitable

Overview

next-mdx-remote contains a remote code execution vulnerability caused by insufficient sanitization of MDX content in the serialize function. It lets attackers execute arbitrary code remotely. Exploitation requires crafted MDX content.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 7.1% (Probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary code remotely, potentially compromising the server.

Mitigation

Update to the latest version of next-mdx-remote.

Social Media Activity (4 posts)

Jason St-Cyr :mstdn:
@jasonstcyr
Feb 15, 2026

New CVE-2026-0969 in MDX Remote popped up. I hadn't realized it was an issue, npm audit and dependency-bot hadn't reported anything, but Vercel suddenly stopped letting me deploy last night. Easy enough fix to update to 6.0.0! https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155

BeyondMachines :verified:
@beyondmachines1
Feb 14, 2026

HashiCorp Patches Critical RCE Vulnerability in next-mdx-remote Library HashiCorp patched a critical remote code execution vulnerability (CVE-2026-0969) in the next-mdx-remote library that allowed attackers to execute arbitrary code during React server-side rendering. **If your React application renders user-supplied MDX content, update next-mdx-remote to version 6.0.0 immediately to enable the new default security blocks. Avoid enabling JavaScript expressions for untrusted input, as even best-effort sanitization can be bypassed by determined attackers.** #cybersecurity #infosec #advisory #vulnerability https://beyondmachines.net/event_details/hashicorp-patches-critical-rce-vulnerability-in-next-mdx-remote-library-t-u-a-5-2/gD2P6Ple2L


Details

CVE ID: CVE-2026-0969
Severity: High
CVSS Score: 8.8
Type: insecure_deserialization
Status: unconfirmed
EPSS: 7.1%
Social Posts: 4

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

7.1% (Probability of exploitation in the next 30 days)