The vulnerability CVE-2026-0969 affects the serialize function in the next-mdx-remote library version 4.3.0, used by HashiCorp. It allows arbitrary code execution due to insufficient sanitization of MDX content during compilation. This improper control of code generation (CWE-94) can lead to full compromise of affected systems. The vulnerability has a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. The issue is resolved in version 6.0.0 of next-mdx-remote.

Successful exploitation of this vulnerability allows an attacker with limited privileges to execute arbitrary code remotely, potentially leading to full system compromise including loss of confidentiality, integrity, and availability of the affected system. There are no reports of active exploitation in the wild currently.

A fix is available in next-mdx-remote version 6.0.0. Users of affected versions, such as 4.3.0, should upgrade to version 6.0.0 or later to remediate this vulnerability. Since this is not a cloud service, remediation requires applying the updated library version in affected environments. Patch status is confirmed by the vendor advisory stating the issue is fixed in 6.0.0.