CVE-2026-0969
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.
AnalysisAI
Authenticated attackers can execute arbitrary code through next-mdx-remote's MDX compiler due to inadequate input validation in the serialization function, affecting applications processing untrusted MDX content. An authenticated user with access to compile MDX can inject and execute malicious code with full system privileges. No patch is currently available, leaving all versions vulnerable to this critical code execution risk.
Technical ContextAI
Classified as CWE-94 (Code Injection). The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.
Affected ProductsAI
Fixed in: next-mdx-remote 6
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-g4xw-jxrg-5f6m