Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable code injection is plausible when Remotion is exposed as a render backend, but AC:H reflects that typical deployments do not expose unauthenticated render input; full CIA impact for RCE.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 28 npm packages depend on remotion (27 direct, 8 indirect)
Ecosystem-wide dependent count for version 4.0.410.
DescriptionCVE.org
remotion-dev remotion v4.0.409 was discovered to contain a remote code execution (RCE) vulnerability.
AnalysisAI
Remote code execution affects remotion-dev's Remotion framework at version 4.0.409, enabling attackers to execute arbitrary code on systems running the affected version per CWE-94 code injection semantics. The CVSS 9.8 vector indicates network-reachable, unauthenticated exploitation without user interaction, though no public exploit identified at time of analysis and EPSS probability remains low at 0.25% (16th percentile). The vulnerability is reported by MITRE with a third-party advisory on GitHub but lacks detailed exploitation specifics.
Technical ContextAI
Remotion is a TypeScript/React-based programmatic video creation framework from remotion-dev used by developers to render videos using web technologies, often invoked from Node.js backends or CI pipelines. CWE-94 (Improper Control of Generation of Code, a.k.a. Code Injection) indicates that user-controllable input flows into a code-evaluation or template-rendering context - common Remotion attack surfaces include the rendering pipeline's evaluation of compositions, props passed to renderMedia/renderStill, or server-side bundling routines that may evaluate untrusted inputs. The supplied CPE 'cpe:2.3:a:n/a:n/a' is a placeholder rather than a properly formed product identifier, which complicates automated scanning until the official CPE is published.
RemediationAI
No vendor-released patch identified at time of analysis - the only public reference is a third-party advisory at https://github.com/EaEa0001/security-advisories/blob/main/CVE-2026-30120.md and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-30120, neither of which cites a fixed Remotion release. Until remotion-dev publishes a fixed version, pin to a known-good prior release if regression-tested, avoid passing untrusted user input as Remotion composition props, render parameters, or bundling inputs, and run Remotion renders in an isolated container or sandbox with no network egress and minimal filesystem access to contain potential code execution. If Remotion is exposed via a server-side rendering endpoint, place it behind authenticated access and validate/strictly type all props before they reach renderMedia or selectComposition - the trade-off is reduced flexibility for callers passing dynamic templates.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36743
GHSA-2jqp-f4gr-44fr