Cyber Resilience

CVE-2026-0969

HighRCE

Published: 12 February 2026

Published
12 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0058 43.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-0969 is a high-severity Code Injection (CWE-94) vulnerability in Hashicorp (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0969 is an arbitrary code execution vulnerability in the serialize function used to compile MDX content within the next-mdx-remote package. The flaw stems from insufficient sanitization of MDX content, enabling malicious code execution during compilation. It affects next-mdx-remote versions prior to 6.0.0 and is associated with CWE-94 (Improper Control of Generation of Code).

An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), potentially allowing full server compromise through untrusted MDX input processed server-side.

The vulnerability is addressed in next-mdx-remote version 6.0.0, which includes a fix for the sanitization issue. Additional details are available in the HashiCorp security advisory at https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via unsanitized MDX compilation (CWE-94) in a server-side package enables exploitation of public-facing web applications for code execution and server compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-2052Shared CWE-94
CVE-2026-9170Shared CWE-94
CVE-2025-54451Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2025-22204Shared CWE-94

Affected Assets

Hashicorp
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the insufficient sanitization of untrusted MDX content by requiring validation to prevent arbitrary code execution during compilation.

prevent

Mandates timely remediation through patching vulnerable next-mdx-remote versions prior to 6.0.0 with the fix for the serialization flaw.

detect

Enables vulnerability scanning to identify and prioritize CVE-2026-0969 in deployed next-mdx-remote instances for subsequent remediation.

References