External risk intelligence

Remotion Remote Code Execution Vulnerability.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-30120

A critical remote code execution vulnerability exists in the Remotion software, a development tool used for creating videos programmatically. If reachable, an attacker could execute arbitrary code on affected systems without authentication. Confirming where Remotion is used within our environment is crucial to assess r

Halo Surface Signal (score 1)

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-30120

Remotion is a library for creating videos programmatically via code. It is a build-time or development-time tool used within local development environments or CI/CD pipelines to render media, not a network-facing service, gateway, or application intended for public internet exposure.

PCI scan relevance

PCI Relevance for CVE-2026-30120

Yes

CVE-2026-30120 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical remote code execution vulnerability in remotion-dev remotion is relevant for PCI compliance due to its potential to allow attackers to execute arbitrary code and compromise systems. Such vulnerabilities fall under PCI DSS Requirement 6, which mandates the developmen

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical remote code execution vulnerability has been identified in the Remotion software, which is used for building videos programmatically. This issue allows for code to be run without authentication, potentially impacting systems that utilize this development tool. The main concern at this time is to confirm if and where this technology is being used within our environment.

  • A code execution flaw exists in Remotion.
  • It is a development tool; confirm its use.
  • Prioritize confirming relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted input to the remotion-dev remotion library, which lacks sufficient input validation. This allows for arbitrary code execution on the affected system, potentially leading to a complete takeover of the application and its underlying resources. The vulnerability is present in network-facing applications where user input is processed by the remotion library.

  • Attacker sends malicious input.
  • Vulnerable component processes input.
  • Allows arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

The remotion-dev remotion library, when used in a supported configuration, could allow for remote code execution. This means an attacker might be able to run arbitrary code on a system where remotion is used, potentially affecting the integrity and availability of that system.

  • System code execution.
  • Network-based remote attack.
  • Compromise of system integrity.

Operational Fix

Recommended remediation, mitigation, and detection steps

The remote code execution vulnerability in Remotion v4.0.409 is likely to impact development and build pipelines rather than directly exposed services. The first step is to locate where Remotion is used within your environment, confirm its operational context, and identify the accountable team.

  • Confirm development/CI/CD ownership.
  • Verify usage and exposure.
  • Plan remediation during maintenance.


Frequently asked questions

What is Remotion?

Remotion is a software library designed for creating videos programmatically using web technologies like React. Developers use it to automate video rendering in build-time environments or continuous integration and deployment (CI/CD) pipelines, rather than as a standard web server.

How does CVE-2026-30120 cause remote code execution?

This vulnerability is classified as CWE-94, which involves the improper control of generation of code. In simple terms, the application fails to safely validate input before processing it. Because of this flaw, the library can be tricked into executing unintended commands provided by an attacker, effectively allowing them to run arbitrary code on the host machine.

How can an attacker trigger this vulnerability?

An attacker must send specially crafted input to a system that processes data using the vulnerable Remotion library. It is important to note that this bug is not triggered by standard usage or automated rendering tasks that do not involve external, unvalidated input. If the library is used in an isolated environment without processing untrusted data, the conditions for this specific trigger are not met.

Is my system at risk if it uses Remotion?

According to Halo Surface Signal, this software is typically a development tool, not a network-facing service or gateway. The risk depends on whether you have configured Remotion to process untrusted input over a network. If it is used solely within private build pipelines or local development machines, the likelihood of an external actor successfully exploiting this is very low.

What should I do if I use Remotion?

Your priority is to inventory your environment to locate where Remotion is implemented. Once identified, confirm the specific context of its use and determine if it interacts with external user inputs. Engage the teams responsible for your CI/CD pipelines or local development workflows to plan a maintenance window for addressing the software version.
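The Operational Fix section and this answer both start with the same step: finding where Remotion is present. The following Python script is an added example (not Halo's or Remotion's code) that inventories package.json and package-lock.json files across checked-out repositories, records each Remotion package with its declared or locked version, and flags locked installs of the release the advisory names. The sample manifests are constructed, and the assumption that installed versions live in the "packages" map of npm lockfile v2/v3 is mine (v1 lockfiles are not handled).

```python
import json
import os

ADVISORY_VERSION = "4.0.409"  # the Remotion release this advisory names
# Constructed sample manifests (not from a real repository), already parsed: one
# service declares a Remotion range and locks the advisory version, one uses none.
SAMPLE_MANIFESTS = {
    "video-svc/package.json": {"dependencies": {"remotion": "^4.0.400", "react": "^18.0.0"}},
    "video-svc/package-lock.json": {"lockfileVersion": 3, "packages": {
        "node_modules/remotion": {"version": "4.0.409"},
        "node_modules/@remotion/renderer": {"version": "4.0.409"}}},
    "api/package.json": {"dependencies": {"express": "^4.18.0"}},
}

def is_remotion(name):
    return name == "remotion" or name.startswith("@remotion/")

def findings_from_manifest(path, data):
    """(path, package, version, locked) for each Remotion package in one manifest."""
    out = []
    # package.json: declared ranges (strings), which is not what is actually installed
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if is_remotion(name) and isinstance(spec, str):
                out.append((path, name, spec, False))
    # package-lock.json v2/v3: exact installed versions, keyed by node_modules paths
    for key, meta in data.get("packages", {}).items():
        name = key.rsplit("node_modules/", 1)[1] if "node_modules/" in key else ""
        if is_remotion(name) and "version" in meta:
            out.append((path, name, meta["version"], True))
    return out

def inventory(manifests):
    """Flatten a {path: parsed manifest} mapping into one list of findings."""
    return [f for path, data in manifests.items() for f in findings_from_manifest(path, data)]

def scan_tree(root):
    """Inventory every checkout under root, skipping installed node_modules trees."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for fn in filenames:
            if fn in ("package.json", "package-lock.json"):
                try:
                    with open(os.path.join(dirpath, fn), encoding="utf-8") as fh:
                        findings += findings_from_manifest(os.path.join(dirpath, fn), json.load(fh))
                except (OSError, json.JSONDecodeError):
                    pass  # unreadable or malformed manifest: skip it, do not abort the scan
    return findings

def flagged(findings):
    """Locked installs at exactly the advisory version (it names no range or fixed release)."""
    return [f for f in findings if f[3] and f[2] == ADVISORY_VERSION]
```

A repository that declares Remotion without a lockfile shows up as a declared-only finding and still needs manual confirmation of the installed version.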
