πŸ” CVE Alert

CVE-2026-13760

HIGH 7.3

OS Command Injection in aws-cdk-lib Docker Bundling

CVSS Score
7.3
EPSS Score
0.0%
EPSS Percentile
0th

OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. To remediate this issue, users should upgrade toΒ v2.260.0.

CWE CWE-78
Vendor aws
Product aws cdk
Published Jul 1, 2026
Last Updated Jul 1, 2026
Stay Ahead of the Next One

Get instant alerts for aws aws cdk

Be the first to know when new high vulnerabilities affecting aws aws cdk are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

AWS / AWS CDK
0 < 2.260.0

References

NVD β†— CVE.org β†— EPSS Data β†—
github.com: https://github.com/aws/aws-cdk/releases/tag/v2.260.0 aws.amazon.com: https://aws.amazon.com/security/security-bulletins/2026-050-aws/ github.com: https://github.com/aws/aws-cdk/security/advisories/GHSA-vcrf-j523-4mrf