CVE-2026-0969
Published: 12 February 2026
Summary
CVE-2026-0969 is a high-severity Code Injection (CWE-94) vulnerability in the next-mdx-remote package (vendor HashiCorp, inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 43.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0969 is an arbitrary code execution vulnerability in the serialize function used to compile MDX content within the next-mdx-remote package. The flaw stems from insufficient sanitization of MDX content, enabling malicious code execution during compilation. It affects next-mdx-remote versions prior to 6.0.0 and is associated with CWE-94 (Improper Control of Generation of Code).
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation has high impact on confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), potentially allowing full server compromise when untrusted MDX input is processed server-side.
The vulnerability is addressed in next-mdx-remote version 6.0.0, which includes a fix for the sanitization issue. Additional details are available in the HashiCorp security advisory at https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7026
Vulnerability details
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Direct RCE via unsanitized MDX compilation (CWE-94) in a server-side package enables exploitation of public-facing web applications for code execution and server compromise.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient sanitization of untrusted MDX content by requiring validation to prevent arbitrary code execution during compilation.
- Patching: mandates timely remediation by upgrading vulnerable next-mdx-remote versions (prior to 6.0.0) to the release that fixes the serialize flaw.
- RA-5 (Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify and prioritize CVE-2026-0969 in deployed next-mdx-remote instances for subsequent remediation.
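As an added example of the scanning control above (this code is not part of the advisory or of the next-mdx-remote project), the following Node.js script audits a package-lock.json (lockfileVersion 2 or 3) for every installed copy of next-mdx-remote and flags those below the fixed version 6.0.0. The lockfile object at the bottom is constructed for the example; the version comparison follows SemVer 2.0.0 so that pre-releases of 6.0.0 are still reported as vulnerable.

```javascript
// Added example: audit a package-lock.json "packages" map for next-mdx-remote < 6.0.0 (CVE-2026-0969).
// Not from the advisory or the next-mdx-remote project; the sample lockfile below is constructed.

const PACKAGE = "next-mdx-remote";
const FIXED_VERSION = "6.0.0"; // version stated in the advisory as containing the fix

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Compare prerelease identifier lists per SemVer 2.0.0 section 11:
// a release outranks any prerelease, numeric identifiers compare numerically and rank
// below alphanumeric ones, and a longer list wins when all shared parts are equal.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i], y = b[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xNum) return -1;
    else if (yNum) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return Math.sign(a.length - b.length);
}

// Returns -1, 0 or 1 like a sort comparator.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// A version is affected when it sorts strictly below the fixed release.
function isVulnerable(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Lockfile v2/v3 keys are install paths such as "node_modules/next-mdx-remote" or
// "node_modules/some-theme/node_modules/next-mdx-remote", so one package may be installed
// several times at different versions; every copy is checked, not just the top-level one.
function findVulnerableEntries(lockfile) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    if (!installPath.endsWith(`node_modules/${PACKAGE}`)) continue;
    if (!entry || typeof entry.version !== "string") continue;
    if (isVulnerable(entry.version)) {
      findings.push({ path: installPath, version: entry.version, fixed: FIXED_VERSION });
    }
  }
  return findings;
}

// Constructed sample: a direct install still on 5.x and a nested copy already on 6.0.0.
const SAMPLE_LOCKFILE = {
  name: "example-site",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-site", version: "1.0.0" },
    "node_modules/next-mdx-remote": { version: "5.0.0" },
    "node_modules/docs-theme": { version: "2.1.0" },
    "node_modules/docs-theme/node_modules/next-mdx-remote": { version: "6.0.0" },
  },
};

// Print one line per affected install; returns the findings so callers can gate a build on them.
function runAudit(lockfile) {
  const findings = findVulnerableEntries(lockfile);
  for (const f of findings) {
    console.log(`${f.path}: ${f.version} is below ${f.fixed} (CVE-2026-0969)`);
  }
  return findings;
}

runAudit(SAMPLE_LOCKFILE);
```

To audit a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result from runAudit is the signal to upgrade to 6.0.0 or later.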