logo

Database

Server side template injection In next-mdx-remote

Description

next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-09692. NVD-2026-09693. OSV-2026-09694. GCVE-2026-0969

References

1. https://github.com/hashicorp/next-mdx-remote/commit/4d527fdcaed911b87f427d0b4d3c711e817fa4b32. https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/771553. https://github.com/hashicorp/next-mdx-remote/releases/tag/v6.0.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.