216.73.216.75

CVE-2026-11417

· Published 10/06/2026 18:16 · Modified 10/06/2026 18:35

Labels: CVE-2026-11417 2026-06-10CVE-2026-11417CWE-78ff89ba41-3aa1-4d27-914a-91399e9639e5

Essential information

Published
10/06/2026 18:16
Modified
10/06/2026 18:35
Author
Creator
CVSS
7.0 HIGH (v3) 7.0 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ff89ba41-3aa1-4d27-914a-91399e9639e5
NVD
View on NVD

Affected products (CPE)

ProductCPE
amazon / aws-cdk-lib cpe:2.3:a:amazon:aws-cdk-lib:<2.245.0:*:*:*:*:*:*:*
amazon / aws-cdk-lib cpe:2.3:a:amazon:aws-cdk-lib:2.246.0:*:*:*:*:*:*:*

References