CVE-2026-13760: OS Command Injection in aws-cdk-lib Docker Bundling
CVSS 3.1 base score: 7.3 (HIGH)
Description

OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via shell metacharacters injected through the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. To remediate this issue, users should upgrade to v2.260.0.

INFO

Published Date: July 1, 2026, 7:05 p.m.
Last Modified: July 1, 2026, 7:07 p.m.
Remotely Exploitable: No
Source: AMZN
Affected Products

The following products are affected by the CVE-2026-13760 vulnerability. Even where cvefeed.io knows the exact affected versions, that information is not shown in the table below.

No affected product recorded yet

CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE. No vector string, exploitability score or impact score is recorded for this entry.
Score Version Severity Source
CVSS 3.1 HIGH ff89ba41-3aa1-4d27-914a-91399e9639e5
CVSS 4.0 HIGH ff89ba41-3aa1-4d27-914a-91399e9639e5
Solution
Update AWS CDK lib to a patched version to fix OS command injection.
  • Upgrade AWS CDK lib to v2.260.0 or later.
  • Review and sanitize dependency version strings in package.json.
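As an added example (not aws-cdk-lib code), the following Node.js script implements the second bullet as a pre-bundling gate: it audits every dependency version string in a constructed package.json and flags strings that contain shell metacharacters or fall outside plain semver-range syntax. The internals of the OsCommand helper are not shown on this page and are not modelled here; upgrading remains the fix.

```javascript
// Added example, not aws-cdk-lib code: audit package.json dependency version strings,
// the input the advisory says reaches the shell-backed OsCommand helper during Docker
// bundling with nodeModules set. Upgrading is the fix; this is defence in depth.

const DEP_FIELDS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];

// Characters a POSIX shell treats specially; none of them occurs in a valid semver range.
const SHELL_META = /[;&`$(){}\[\]\\'"\n\r]/;

// Allow-list for semver ranges and dist-tags once '||' unions have been removed.
// '<' and '>' are legitimate comparators here but also shell redirections, so a string
// passing this check is only "plain semver", not proven safe for shell interpolation.
const SEMVER_RANGE = /^[0-9A-Za-z.^~<>=*+ -]+$/;

function classifyVersion(spec) {
  if (typeof spec !== "string") return "not-a-string";
  if (SHELL_META.test(spec)) return "shell-metacharacters";
  const withoutUnions = spec.replace(/\|\|/g, " ");
  if (withoutUnions.includes("|")) return "shell-metacharacters"; // a lone '|' is a pipe
  if (!SEMVER_RANGE.test(withoutUnions)) return "unrecognised"; // git:, file:, npm: specs
  return "ok";
}

// Returns every dependency whose version string is not a plain semver range.
function auditPackageJson(jsonText) {
  const manifest = JSON.parse(jsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] ?? {})) {
      const verdict = classifyVersion(spec);
      if (verdict !== "ok") findings.push({ field, name, spec, verdict });
    }
  }
  return findings;
}

// Constructed sample manifest; the "evil-dep" entry carries a harmless echo marker.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-lambda",
  dependencies: {
    "aws-sdk": "^2.1000.0",
    "left-pad": ">=1.0.0 <2.0.0 || 3.x",
    "evil-dep": "1.0.0; echo injected",
  },
  devDependencies: { "local-tool": "file:../tools" },
});

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}.${f.name}: ${JSON.stringify(f.spec)} -> ${f.verdict}`);
}
```

Entries reported as "unrecognised" (git, file or npm: specifiers) are not necessarily malicious and are surfaced for manual review; "shell-metacharacters" entries should block the bundling step.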
