
327 matches found

CNNVD
added 2026/04/01 12:0 a.m., 2 views

TinaCMS Security Vulnerability

TinaCMS is an open-source headless CMS developed by Tina for Markdown, MDX, and JSON formats. Versions of TinaCMS prior to 2.2.2 contained a security vulnerability. This vulnerability stemmed from string-based path validation in FilesystemBridge, which allowed operations on files outside of the...

8.8 CVSS, 5.8 AI score, 0.00089 EPSS
Exploits 0, References 2

Veracode
added 2026/03/24 1:50 p.m., 2 views

Remote Code Execution (RCE)

next-mdx-remote is vulnerable to Remote Code Execution (RCE). The vulnerability is due to insufficient sanitization of MDX content in the serialize function, which allows an attacker to execute arbitrary code...

8.8 CVSS, 6.4 AI score, 0.00048 EPSS
Exploits 0, References 4, Affected Software 1

RedhatCVE
added 2026/02/13 7:21 a.m., 3 views

CVE-2026-0969

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0...

8.8 CVSS, 6.3 AI score, 0.00048 EPSS
Exploits 0, References 1

vulnersOsv
added 2026/02/12 3:31 a.m., 1 view

@aliceoq/library-test (>=1.3.2 <=1.3.3), @bentwnghk/chat (>=1.61.0 <=1.107.2) +165 more potentially affected by CVE-2026-0969 via next-mdx-remote (>=4.4.1 <=5.0.0)

next-mdx-remote NPM version =4.4.1, =1.3.2, =1.61.0, =1.1.1, =0.0.2, =1.0.0, =0.1.1, =0.0.1, =2.13.2, =0.0.3, =0.2.0, =0.0.66, =0.1.10, =0.1.11 - @graphcommerce/docs =3.1.4 and more Source cves: CVE-2026-0969 Source advisory: OSV:GHSA-G4XW-JXRG-5F6M...

8.8 CVSS, 6 AI score, 0.00048 EPSS
Exploits 0

NVD
added 2026/02/12 3:15 a.m., 2 views

CVE-2026-0969

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0...

8.8 CVSS, 0.00048 EPSS
Exploits 0, References 1

Snyk
added 2026/02/12 2:51 a.m., 2 views

Arbitrary Code Injection

Overview: next-mdx-remote is a set of utilities for loading MDX from any remote source as data, rather than as a local import. Affected versions of this package are vulnerable to Arbitrary Code Injection via the serialize function. An attacker can execute arbitrary code by submitting specially crafted MD...

8.8 CVSS, 6.3 AI score, 0.00048 EPSS
Exploits 0, References 2

vulnersOsv
added 2026/02/12 2:51 a.m., 1 view

@aliceoq/library-test (>=1.3.2 <=1.3.3), @bentwnghk/chat (>=1.61.0 <=1.107.2) +165 more potentially affected by CVE-2026-0969 via next-mdx-remote (>=4.4.1 <=5.0.0)

next-mdx-remote NPM version =4.4.1, =1.3.2, =1.61.0, =1.1.1, =0.0.2, =1.0.0, =0.1.1, =0.0.1, =2.13.2, =0.0.3, =0.2.0, =0.0.66, =0.1.10, =0.1.11 - @graphcommerce/docs =3.1.4 and more Source cves: CVE-2026-0969 Source advisory: SNYK:JS-NEXTMDXREMOTE-15282839...

8.8 CVSS, 6 AI score, 0.00048 EPSS
Exploits 0

ATTACKERKB
added 2026/02/12 1:35 a.m., 7 views

CVE-2026-0969

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0...

8.8 CVSS, 6.3 AI score, 0.00048 EPSS
Exploits 0, References 2, Affected Software 1

Vulnrichment
added 2026/02/12 1:35 a.m., 2 views

CVE-2026-0969 Arbitrary code execution in React server-side rendering of untrusted MDX content

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0...

8.8 CVSS, 6.3 AI score, 0.00048 EPSS
Exploits 0, References 1

Cvelist
added 2026/02/12 1:35 a.m., 25 views

CVE-2026-0969 Arbitrary code execution in React server-side rendering of untrusted MDX content

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0...

8.8 CVSS, 0.00048 EPSS
Exploits 0, References 1

Positive Technologies
added 2026/02/12 12:0 a.m., 2 views

PT-2026-7809

Name of the Vulnerable Software and Affected Versions: next-mdx-remote versions 4.3.0 through 5.0.0. Description: The serialize function within next-mdx-remote is susceptible to arbitrary code execution because of inadequate sanitization of MDX content. This allows untrusted MDX to execute JavaScrip...

8.8 CVSS, 6.2 AI score, 0.00048 EPSS
Exploits 0, References 10

EUVD
added 2025/12/24 3:30 p.m., 1 view

EUVD-2022-55774

In the Linux kernel, the following vulnerability has been resolved: md/raid1: stop mdxraid1 thread when raid1 array run failed fail run raid1 array when we assemble array with the inactive disk only, but the mdxraid1 thread were not stop, Even if the associated resources have been released. it wi...

5.8 AI score, 0.00061 EPSS
Exploits 0, References 10

NVD
added 2025/12/24 1:15 p.m., 3 views

CVE-2022-50715

In the Linux kernel, the following vulnerability has been resolved: md/raid1: stop mdxraid1 thread when raid1 array run failed fail run raid1 array when we assemble array with the inactive disk only, but the mdxraid1 thread were not stop, Even if the associated resources have been released. it wi...

0.00061 EPSS
Exploits 0, References 9

UbuntuCve
added 2025/12/24 1:15 p.m., 1 view

CVE-2022-50715

In the Linux kernel, the following vulnerability has been resolved: md/raid1: stop mdxraid1 thread when raid1 array run failed fail run raid1 array when we assemble array with the inactive disk only, but the mdxraid1 thread were not stop, Even if the associated resources have been released. it wi...

5.9 AI score, 0.00061 EPSS
Exploits 0, References 10

CVE
added 2025/12/19 12:0 a.m., 17 views

CVE-2025-67843

Mintlify Platform is affected by a Server-Side Template Injection (SSTI) in its MDX Rendering Engine prior to 2025-11-15. The vulnerability allows remote attackers to execute arbitrary code via inline JSX expressions in an MDX file. Affected component: MDX Rendering Engine in Mintlify Platform (p...

9.8 CVSS, 7.7 AI score, 0.00819 EPSS
Exploits 1, References 4, Affected Software 1

EUVD
added 2025/12/19 12:0 a.m., 2 views

EUVD-2025-204427

A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify Platform before 2025-11-15 allows remote attackers to execute arbitrary code via inline JSX expressions in an MDX file...

8.3 CVSS, 7.6 AI score, 0.00819 EPSS
Exploits 1, References 5

Positive Technologies
added 2025/12/18 12:0 a.m., 3 views

PT-2025-52404

Name of the Vulnerable Software and Affected Versions: Mintlify Platform versions prior to 2025-11-15. Description: A Server-Side Template Injection (SSTI) flaw exists in the MDX Rendering Engine of Mintlify Platform. This issue allows remote attackers to execute arbitrary code through inline JSX...

8.3 CVSS, 7.6 AI score, 0.00819 EPSS
Exploits 1, References 11

EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-180491

Malicious code in aether-start-lepton-mdx npm...

6.6 AI score
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-175807

Malicious code in unuk-loop-mdx-mysql npm...

6.6 AI score
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 3 views

Malicious code in pegasus-mdx-pino-izar (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 81b9b25739f729310e407971211ce7a65d98ec3f75743105e9c830595d96b8e7 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0