{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0969", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-01-14T22:09:31.064Z", "datePublished": "2026-02-12T01:35:06.231Z", "dateUpdated": "2026-04-17T17:57:55.801Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Shared library", "repo": "https://github.com/hashicorp/next-mdx-remote", "vendor": "HashiCorp", "versions": [{"lessThan": "6.0.0", "status": "affected", "version": "4.3.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "value": "This issue was identified by researchers at Sejong University."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.</p><br/>"}], "value": "The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242: Code Injection"}]}], "metrics": [{"cvssV3_1": {"baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (Code Injection)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:57:55.801Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155"}], "source": {"advisory": "HCSEC-2026-01", "discovery": "EXTERNAL"}, "title": "Arbitrary code execution in React server-side rendering of untrusted MDX content"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T15:34:59.477052Z", "id": "CVE-2026-0969", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:35:09.139Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0969", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-12T15:34:59.477052Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:35:04.529Z"}}], "cna": {"title": "Arbitrary code execution in React server-side rendering of untrusted MDX content", "source": {"advisory": "HCSEC-2026-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "This issue was identified by researchers at Sejong University."}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242: Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/next-mdx-remote", "vendor": "HashiCorp", "product": "Shared library", "versions": [{"status": "affected", "version": "4.3.0", "lessThan": "6.0.0", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155"}], "descriptions": [{"lang": "en", "value": "The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.", "supportingMedia": [{"type": "text/html", "value": "<p>The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.</p><br/>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code (Code Injection)"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:57:55.801Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0969", "state": "PUBLISHED", "dateUpdated": "2026-04-17T17:57:55.801Z", "dateReserved": "2026-01-14T22:09:31.064Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2026-02-12T01:35:06.231Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0."}, {"lang": "es", "value": "La funci\u00f3n serialize utilizada para compilar MDX en next-mdx-remote es vulnerable a ejecuci\u00f3n de c\u00f3digo arbitrario debido a la sanitizaci\u00f3n insuficiente del contenido MDX. Esta vulnerabilidad, CVE-2026-0969, est\u00e1 corregida en next-mdx-remote 6.0.0."}], "id": "CVE-2026-0969", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2026-02-12T03:15:46.667", "references": [{"source": "security@hashicorp.com", "url": "https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[4.3.0,6.0.0)"}}], "product": "shared_library", "vendor": "hashicorp"}], "analysis": {"en": {"generated_at": "2026-04-18T12:36:30.552044+00:00", "value": {"mitigation_remediation": ["Upgrade the next-mdx-remote library to version 6.0.0 or later, which includes the fix for this issue.", "Rebuild and redeploy any applications or services that use the next-mdx-remote library to ensure the updated code is in use.", "Implement monitoring of application logs and process activity for signs of unexpected execution or anomalous behavior following the upgrade."], "summary": {"action": "Apply Patch", "impact": "Arbitrary code execution"}, "threat_synthesis": {"affected_systems": "HashiCorp\u2019s shared library, which incorporates next-mdx-remote, is impacted. All installations that rely on this library and have not applied the fix available in version 6.0.0 are potentially vulnerable; specific version information is not supplied in the advisory.", "description_and_impact": "The serialize function used to compile MDX in the next-mdx-remote library lacks proper sanitization, allowing an attacker to inject and execute arbitrary code when MDX content is rendered on the server. This flaw corresponds to CWE-94 and can compromise the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, but the EPSS score is below 1%, suggesting a low probability of exploitation in the current landscape. The vulnerability is not listed in the KEV catalog. The likely attack vector involves an entity that can supply malicious MDX content to the server-side rendering process; if such input is accepted, the attacker can run arbitrary code with the process\u2019s privileges."}}}}, "created": "2026-02-12T09:02:06.646445+00:00", "updated": "2026-04-18T12:45:45.665871+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$shared_library"]}