Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

AWS CDK

Source -

CNA

CNA CVEs -

1

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
1Vulnerabilities found

CVE-2026-13760
Assigner-Amazon
ShareView Details
Assigner-Amazon
CVSS Score-7||HIGH
EPSS-0.61% / 44.84%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 19:05
Updated-01 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in aws-cdk-lib Docker Bundling

OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. To remediate this issue, users should upgrade to v2.260.0.

Action-Not Available
Vendor-AWS
Product-AWS CDK
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')