{"url":"http://public2.vulnerablecode.io/api/packages/74012?format=json","purl":"pkg:npm/next-mdx-remote@4.3.0","type":"npm","namespace":"","name":"next-mdx-remote","version":"4.3.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.0.0","latest_non_vulnerable_version":"6.0.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50121?format=json","vulnerability_id":"VCID-svwv-1m2f-3bbf","summary":"next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content\nThe serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content.","references":[{"reference_url":"https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155","reference_id":"","reference_type":"","scores":[],"url":"https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155"},{"reference_url":"https://github.com/hashicorp/next-mdx-remote","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hashicorp/next-mdx-remote"},{"reference_url":"https://github.com/hashicorp/next-mdx-remote/commit/4d527fdcaed911b87f427d0b4d3c711e817fa4b3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hashicorp/next-mdx-remote/commit/4d527fdcaed911b87f427d0b4d3c711e817fa4b3"},{"reference_url":"https://github.com/hashicorp/next-mdx-remote/releases/tag/v6.0.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hashicorp/next-mdx-remote/releases/tag/v6.0.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0969","reference_id":"CVE-2026-0969","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0969"},{"reference_url":"https://github.com/advisories/GHSA-g4xw-jxrg-5f6m","reference_id":"GHSA-g4xw-jxrg-5f6m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g4xw-jxrg-5f6m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74013?format=json","purl":"pkg:npm/next-mdx-remote@6.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-mdx-remote@6.0.0"}],"aliases":["CVE-2026-0969","GHSA-g4xw-jxrg-5f6m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-svwv-1m2f-3bbf"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next-mdx-remote@4.3.0"}