Skip to main content

Language Servers For Aws

2 CVEs product

Monthly

CVE-2026-12958 HIGH PATCH This Week

Arbitrary file write in AWS Language Servers (versions prior to 1.69.0) allows a local attacker to escape the workspace trust boundary by tricking a user into opening a workspace containing a maliciously crafted symbolic link. Because the language server fails to validate symlink targets, files written through normal language-server operations can land at arbitrary paths on disk, enabling tampering with sensitive files outside the workspace. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Language Servers For Aws
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-12957 HIGH PATCH NEWS This Week

Arbitrary code execution in AWS Language Servers prior to version 1.65.0 allows attackers to run commands on a developer's machine when a victim opens and trusts a maliciously crafted workspace. The flaw stems from improper trust boundary enforcement (CWE-732) that causes commands embedded in project configuration files to execute automatically. No public exploit identified at time of analysis, but the requirement for only passive user interaction (workspace trust prompt) makes this a credible developer-targeting threat.

RCE Language Servers For Aws
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary file write in AWS Language Servers (versions prior to 1.69.0) allows a local attacker to escape the workspace trust boundary by tricking a user into opening a workspace containing a maliciously crafted symbolic link. Because the language server fails to validate symlink targets, files written through normal language-server operations can land at arbitrary paths on disk, enabling tampering with sensitive files outside the workspace. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Language Servers For Aws
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary code execution in AWS Language Servers prior to version 1.65.0 allows attackers to run commands on a developer's machine when a victim opens and trusts a maliciously crafted workspace. The flaw stems from improper trust boundary enforcement (CWE-732) that causes commands embedded in project configuration files to execute automatically. No public exploit identified at time of analysis, but the requirement for only passive user interaction (workspace trust prompt) makes this a credible developer-targeting threat.

RCE Language Servers For Aws
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy