Skip to main content

Remotion CVE-2026-30120

| EUVDEUVD-2026-36743 CRITICAL
Code Injection (CWE-94)
2026-06-15 mitre GHSA-2jqp-f4gr-44fr
9.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable code injection is plausible when Remotion is exposed as a render backend, but AC:H reflects that typical deployments do not expose unauthenticated render input; full CIA impact for RCE.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 16, 2026 - 15:27 vuln.today
CVSS changed
Jun 16, 2026 - 15:22 NVD
9.8 (CRITICAL)
CVE Published
Jun 15, 2026 - 00:00 cve.org
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 28 npm packages depend on remotion (27 direct, 8 indirect)

Ecosystem-wide dependent count for version 4.0.410.

DescriptionCVE.org

remotion-dev remotion v4.0.409 was discovered to contain a remote code execution (RCE) vulnerability.

AnalysisAI

Remote code execution affects remotion-dev's Remotion framework at version 4.0.409, enabling attackers to execute arbitrary code on systems running the affected version per CWE-94 code injection semantics. The CVSS 9.8 vector indicates network-reachable, unauthenticated exploitation without user interaction, though no public exploit identified at time of analysis and EPSS probability remains low at 0.25% (16th percentile). The vulnerability is reported by MITRE with a third-party advisory on GitHub but lacks detailed exploitation specifics.

Technical ContextAI

Remotion is a TypeScript/React-based programmatic video creation framework from remotion-dev used by developers to render videos using web technologies, often invoked from Node.js backends or CI pipelines. CWE-94 (Improper Control of Generation of Code, a.k.a. Code Injection) indicates that user-controllable input flows into a code-evaluation or template-rendering context - common Remotion attack surfaces include the rendering pipeline's evaluation of compositions, props passed to renderMedia/renderStill, or server-side bundling routines that may evaluate untrusted inputs. The supplied CPE 'cpe:2.3:a:n/a:n/a' is a placeholder rather than a properly formed product identifier, which complicates automated scanning until the official CPE is published.

RemediationAI

No vendor-released patch identified at time of analysis - the only public reference is a third-party advisory at https://github.com/EaEa0001/security-advisories/blob/main/CVE-2026-30120.md and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-30120, neither of which cites a fixed Remotion release. Until remotion-dev publishes a fixed version, pin to a known-good prior release if regression-tested, avoid passing untrusted user input as Remotion composition props, render parameters, or bundling inputs, and run Remotion renders in an isolated container or sandbox with no network egress and minimal filesystem access to contain potential code execution. If Remotion is exposed via a server-side rendering endpoint, place it behind authenticated access and validate/strictly type all props before they reach renderMedia or selectComposition - the trade-off is reduced flexibility for callers passing dynamic templates.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-30120 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy