Summary
HashiCorp patched a critical remote code execution vulnerability (CVE-2026-0969) in the next-mdx-remote library that allowed attackers to execute arbitrary code during React server-side rendering.
Take Action:
If your React application renders user-supplied MDX content, update next-mdx-remote to version 6.0.0 immediately to enable the new default security blocks. Avoid enabling JavaScript expressions for untrusted input, as even best-effort sanitization can be bypassed by determined attackers.
Read the full article on BeyondMachines
This article was originally published on BeyondMachines
Top comments (0)