CVE-2026-11417
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS: 7.3 HIGH
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- CWE: CWE-78
Description
OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.
Source: NVD
Related CVEs
Same CWE
- CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-42563 — Dulwich is a pure-Python implementation of the Git file formats and protocols
- CVE-2026-0273 — A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrict...
- CVE-2026-6893 — A flaw was found in dracut (8.8 HIGH)
- CVE-2026-46643 — Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page