CVE-2026-0969 — Code Injection in Shared Library

CWE-94 — Code Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.0%

top 89.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Shared Library

Timeline

PublishedFeb 12

Description

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶CVEListV5hashicorp/shared_library4.3.0 — 6.0.0

🔴Vulnerability Details

GHSA

next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content↗2026-02-12

▶

CVEList

Arbitrary code execution in React server-side rendering of untrusted MDX content↗2026-02-12

▶

OSV

next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content↗2026-02-12

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0969 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶