QSearch

CVE-2026-11393

9.0 CRITICAL

Published: 2026-06-08 · Last updated: 2026-06-09

Severity and scoring

CVSS: 9.0 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-94

Description

Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remediate this issue, users should upgrade to version 0.14.2.

Source: NVD
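
The bug class named in the description, shown as an added example that is not code from AgentCore CLI or from the NVD record: a generator that pastes a stored instruction between triple quotes, next to one that emits it with `repr()` and checks the result with `ast` without executing it. The template, function names and sample strings are assumptions constructed for illustration, and `repr()` is one way to neutralise the value, not necessarily the change made in 0.14.2.

```python
import ast

# Constructed sample values (not taken from the advisory).
BENIGN = "Route billing questions to the billing agent."
CRAFTED = BENIGN + '"""\nINJECTED_MARKER = 1\n_ = """'


def generate_vulnerable(instruction: str) -> str:
    """Hypothetical template: the value is pasted verbatim between triple quotes."""
    return f'COLLABORATION_INSTRUCTION = """{instruction}"""\n'


def generate_hardened(instruction: str) -> str:
    """Emit the value as a Python literal; repr() escapes quotes, backslashes and newlines."""
    return f"COLLABORATION_INSTRUCTION = {instruction!r}\n"


def statement_count(source: str) -> int:
    """Number of top-level statements in the generated module (parsed, never executed)."""
    return len(ast.parse(source).body)


def literal_round_trips(source: str, expected: str) -> bool:
    """True only if the module is a single assignment of a string constant equal to the input."""
    try:
        body = ast.parse(source).body
    except SyntaxError:
        return False
    if len(body) != 1 or not isinstance(body[0], ast.Assign):
        return False
    value = body[0].value
    return isinstance(value, ast.Constant) and value.value == expected


if __name__ == "__main__":
    for name, gen in (("vulnerable", generate_vulnerable), ("hardened", generate_hardened)):
        src = gen(CRAFTED)
        print(name, "statements:", statement_count(src),
              "round-trips:", literal_round_trips(src, CRAFTED))
```

A generator can run the `literal_round_trips` check on every emitted string before writing the file, so any value that escapes its literal is rejected at import time rather than executed later.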

Related CVEs

Same CWE

  • CVE-2026-46517 LMDeploy is a toolkit for compressing, deploying, and serving large language models (7.8 HIGH)
  • CVE-2026-46432 LMDeploy is a toolkit for compressing, deploying, and serving large language models (7.8 HIGH)
  • CVE-2026-47292 Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally (7.8 HIGH)
  • CVE-2026-45583 Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code ov... (7.5 HIGH)
  • CVE-2026-0414 Insufficient input validation vulnerability in the listed NETGEAR models allows authenticated administrators connected to the local netwo...