md-to-pdf is vulnerable to remote code execution. The library does not properly disable the JS engine in default when the library utilizing gray-matter to parse front matter content, allowing an attacker to execute the remote code through the JS engine.