Skip to main content

Aws Cdk

1 CVEs product

Monthly

CVE-2026-13760 HIGH PATCH This Week

OS command injection in AWS aws-cdk-lib lets an actor who controls a dependency version string in a project's package.json run arbitrary commands on the host executing the CDK toolchain. The flaw lives in the OsCommand helper of the NodejsFunction Docker bundling pipeline, which passes unsanitized version strings into a shell during nodeModules installation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; AWS has released a fixed version (v2.260.0).

Command Injection Docker Aws Cdk
NVD GitHub
CVSS 4.0
7.0
EPSS
0.6%
EPSS 1% CVSS 7.0
HIGH PATCH This Week

OS command injection in AWS aws-cdk-lib lets an actor who controls a dependency version string in a project's package.json run arbitrary commands on the host executing the CDK toolchain. The flaw lives in the OsCommand helper of the NodejsFunction Docker bundling pipeline, which passes unsanitized version strings into a shell during nodeModules installation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; AWS has released a fixed version (v2.260.0).

Command Injection Docker Aws Cdk
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy