EUVD-2026-19550
GHSA-6vq3-2fhj-j6wx
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
Analysis
Remote command injection in AWS Research and Engineering Studio (RES) 2024.10 through 2025.12.01 allows authenticated users to execute arbitrary commands on cluster-manager EC2 instances through unsanitized input in the FileBrowser API. Vendor-released patch available (version 2026.03). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all AWS RES deployments running versions 2024.10 through 2025.12.01 and document current versions across all environments. Within 7 days: Test vendor patch version 2026.03 in non-production environments to validate compatibility with existing workflows and integrations. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today