Amazon Amazon
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Amazon product.
RSS Feeds for Amazon security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Amazon products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Amazon Sorted by Most Security Vulnerabilities since 2018
Recent Amazon Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-07-17 | CVE-2026-15415 - Path traversal and arbitrary file write in the workflow linters of aws-healthomics-mcp-server | July 17, 2026 |
| 2026-07-17 | CVE-2026-12283 - Issue with Athena Federated Query Synapse Connector | July 17, 2026 |
| 2026-07-16 | CVE-2026-15895: OS command injection in jsii-diff in AWS jsii | July 16, 2026 |
| 2026-07-16 | CVE-2026-15737 - Sensitive content disclosure via OpenTelemetry spans in AgentCore Python SDK | July 16, 2026 |
| 2026-07-15 | CVE-2026-15746 - Credential disclosure in Strands Agents Tools elasticsearch_memory tool | July 15, 2026 |
| 2026-07-14 | CVE-2026-15738 - Issue with AWS Load Balancer Controller Cross-Namespace Traffic Interception via HTTPRoute/GRPCRoute Priority Ordering | July 14, 2026 |
| 2026-07-14 | CVE-2026-15643 - AWS HealthLake MCP Server SSRF via Unvalidated Pagination URL | July 14, 2026 |
| 2026-07-07 | CVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio | July 7, 2026 |
| 2026-07-06 | CVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-registry | July 6, 2026 |
| 2026-07-01 | CVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin | July 1, 2026 |
By the Year
In 2026 there have been 81 vulnerabilities in Amazon with an average score of 7.3 out of ten. Last year, in 2025 Amazon had 46 security vulnerabilities published. That is, 35 more vulnerabilities have already been reported in 2026 as compared to last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.63.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 81 | 7.31 |
| 2025 | 46 | 6.68 |
| 2024 | 26 | 6.96 |
| 2023 | 23 | 6.74 |
| 2022 | 23 | 7.27 |
| 2021 | 17 | 8.64 |
| 2020 | 8 | 6.94 |
| 2019 | 6 | 6.83 |
| 2018 | 19 | 6.76 |
It may take a day or so for new Amazon vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Amazon Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-15415 | Jul 17, 2026 |
Directory Traversal in aws-healthomics-mcp-server linting (v<0.0.36)AWS HealthOmics is a HIPAA-eligible service that fully manages the compute, storage, and workflow engine infrastructure required to run bioinformatics analyses at scale for clinical diagnostics, drug discovery, and agricultural research. Improper limitation of a pathname to a restricted directory in the linting tools of the AWS HealthOmics MCP Server (aws-healthomics-mcp-server) before version 0.0.36 might allow an actor who can influence the MCP agent to write an actor-controlled content to arbitrary locations outside the intended workflow bundle directory, via directory traversal sequences in the workflow_files input. To remediate this issue, users should upgrade to version 0.0.36 or later. |
|
| CVE-2026-12283 | Jul 17, 2026 |
AWS Athena Federation Synapse SQL Injection (Prev2026.21.1)Amazon Athena is a serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL. Athena Query Federation is a feature that allows you to connect to data sources outside of Amazon S3 like DynamoDB, Azure Synapse, and custom connectors using standard SQL syntax. Improper neutralization of special elements used in an SQL command in the Synapse connector in Amazon aws-athena-query-federation v2022.20.1 through v2026.19.1 might allow an authenticated remote user to execute injected read-only SQL queries that return unintended data from the connected database via a crafted table name. To remediate this issue, users should upgrade to version v2026.21.1 or later. |
|
| CVE-2026-15737 | Jul 16, 2026 |
AWS Bedrock AgentCore SDK 1.4.8/1.5.0 Logleaks via OT Span AttrsAWS Bedrock AgentCore Python SDK is an open-source Python library that provides client tools for building AI agents on the Amazon Bedrock AgentCore platform. Unintended logging of sensitive user content in the OpenTelemetry instrumentation in AWS Bedrock AgentCore Python SDK versions 1.4.8 and 1.5.0 might allow a local authenticated user with access to CloudWatch Logs to access raw user prompts and agent responses containing sensitive data via span attributes. The SDK wrote raw user prompts and complete agent responses into OpenTelemetry span attributes on every invocation without filtering or masking. These spans flow into the customer's aws/spans CloudWatch log group, exposing sensitive content to any principal with log read access. We recommend you upgrade to version 1.5.1 or later. Users who ran affected versions should also review and purge sensitive content from their aws/spans CloudWatch log groups. |
|
| CVE-2026-15895 | Jul 15, 2026 |
OS Command Injection in AWS jsii-diff (v<1.131.0) npm loading componentOS command injection in the npm package loading component in AWS jsii-diff before 1.131.0 might allow context-dependent attackers to execute arbitrary commands via crafted package specifiers passed to the npm: source argument. To mitigate this issue, users should upgrade to jsii-diff v1.131.0 or later. |
|
| CVE-2026-15746 | Jul 15, 2026 |
SSRF in Strands Agents Tools elasticsearch_memory (pre 0.7.0)Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearch_memory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery (SSRF) issue in the elasticsearch_memory tool. The tool exposed its connection parameters (es_url, cloud_id, api_key) as fields the large language model (LLM) could control through the tool schema. When a caller omitted the api_key parameter, the tool fell back to the operator's ELASTICSEARCH_API_KEY environment variable and sent it to whichever host the LLM specified. A crafted prompt could cause the tool to connect to a threat-actor-controlled server and disclose the operator's Elasticsearch API key in the Authorization header. We recommend you upgrade to strands-agents-tools version 0.7.0 or later. As a precautionary measure, we recommend all operators rotate their ELASTICSEARCH_API_KEY, even if there is no indication the credential was exposed. |
|
| CVE-2026-15738 | Jul 14, 2026 |
AWS LBC <3.4.2: Auth Remoteuser Can Spoof gRPC via HTTPRouteIncorrect behavior order in the Gateway API listener-rule generation in Amazon AWS Load Balancer Controller before 3.4.2 might allow an authenticated remote user to intercept, spoof, or deny another namespace's gRPC traffic on a shared Gateway via a crafted HTTPRoute resource. To mitigate this issue, users should upgrade to version 3.4.2. |
|
| CVE-2026-15643 | Jul 14, 2026 |
AWS HealthLake MCP Server SSRF: Pagination Handling before v0.0.14AWS HealthLake MCP Server (awslabs.healthlake-mcp-server) is a Model Context Protocol server that enables AI assistants to interact with AWS HealthLake FHIR datastores. A server-side request forgery in the pagination handling component in AWS awslabs.healthlake-mcp-server before 0.0.14 on all platforms might allow a remote authenticated user to exfiltrate AWS temporary security credentials to an arbitrary endpoint via a crafted next_token parameter. The server does not validate that pagination URLs point back to the expected HealthLake endpoint, allowing an actor to redirect subsequent requests to an actor-controlled server. Its recommended to upgrade to version 0.0.14 or later. |
|
| CVE-2026-14904 | Jul 07, 2026 |
Auth.GetUserPrivateKey API CWE-59 in AWS RES <2026.06: Improper Link ResAWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets. It's recommended to upgrade to RES version 2026.06. |
|
| CVE-2026-14471 | Jul 06, 2026 |
Amazon mcp-gateway-registry <1.0.13 SQLi via retention policyImproper Neutralization of Special Elements in the metrics-service retention policy management component in Amazon mcp-gateway-registry before 1.0.13 might allow an authenticated remote user to execute arbitrary SQL queries via a crafted table_name value that is interpolated into SQL statements in identifier position. To remediate this issue, users should upgrade to version 1.0.13 or later. |
|
| CVE-2026-14265 | Jul 01, 2026 |
AWS Advanced JDBC Wrapper 3.3-4.0 RemoteQueryCachePlugin Deserialization RCEDeserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned. We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later. |
|
| CVE-2026-13760 | Jul 01, 2026 |
OS Command Injection in aws-cdk-lib NodejsFunction Docker Bundling (v2.260.0 Fix)OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. To remediate this issue, users should upgrade to v2.260.0. |
|
| CVE-2026-13769 | Jul 01, 2026 |
AWS CLI <=1.44.77 / <=2.34.28: Overly Permissive File Permissions Expose CredentialsOverly permissive file permissions in AWS CLI before 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems where the umask has not been configured to restrict file permissions (the default on most systems) may allow other local users on the same host to read credentials written by certain CLI subcommands (aws codeartifact login, aws iam create-virtual-mfa-device, aws deploy register). To remediate this issue, users should upgrade to AWS CLI 1.44.78 (v1) or 2.34.29 (v2) or later. |
|
| CVE-2026-53489 | Jul 01, 2026 |
containerd CRI pathtraversal bug pre2.3.2/2.2.5/2.1.9containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9. |
|
| CVE-2026-53492 | Jul 01, 2026 |
containerd CDI Annotation Injection via Untrusted Checkpoints (pre-2.3.2)containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9. |
|
| CVE-2026-50195 | Jul 01, 2026 |
containerd CRI Checkpoint Image Cache Poisoning (v<2.3.2,2.2.5,2.1.9)containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9. |
|
| CVE-2026-47262 | Jul 01, 2026 |
containerd DoS via faulty image load causing OOM kill (v<1.7.33,2.0.10,2.1.9)containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2. |
|
| CVE-2026-53488 | Jul 01, 2026 |
CRI Label Injection in containerd 1.7.x/2.0-2.3 (1.7.33/2.3.2)containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10. |
|
| CVE-2026-13763 | Jun 29, 2026 |
AWS ALB HTTP/2 WAF Bypass via Fragmented Body InspectionInconsistent interpretation of HTTP/2 requests in AWS Application Load Balancer with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue only impacts HTTP/2 ALB target groups. To remediate this issue, customers should enable the "Inspect after sufficient data" target group configuration associated to an ALB load balancer. Refer to: ( https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#waf-http2-inspection ) |
|
| CVE-2026-13762 | Jun 29, 2026 |
CloudFront AWS WAF HTTP/2 Body Inspection BypassInconsistent interpretation of HTTP/2 requests in Amazon CloudFront with AWS WAF enabled might allow remote actors to bypass AWS WAF managed rule body inspection via crafted HTTP/2 requests that fragment the request body across frames so that only a partial body is inspected. This issue was remediated server-side. No customer action is required. |
|
| CVE-2026-12958 | Jun 23, 2026 |
AWS Language Server v1.69.0 Symlink Validation Flaw Enables Arbitrary File WriteMissing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. To remediate this issue, users should upgrade to version 1.69.0 or higher. |
|
| CVE-2026-12957 | Jun 23, 2026 |
CVE-2026-12957: Code Exec in AWS Language Servers <1.65.0 via Malicious WorkspaceImproper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow a for arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher. |
|
| CVE-2026-12530 | Jun 17, 2026 |
AWS Bedrock AgentCore SDK 1.1.3-1.6.1 Remote Cmd via install_packagesImproper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name arguments. To mitigate this issue, users should upgrade to version 1.6.1. |
|
| CVE-2026-11931 | Jun 15, 2026 |
Kiro IDE 0.11.133 fixes insecure token cache permissions (CVE-2026-11931)Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions (0644) instead of owner-restricted permissions (0600). To remediate this issue, users should upgrade to Kiro IDE version 0.11.133 or later. After upgrading and restarting the application, the cache file permissions are automatically updated on the next token refresh. Users operating in a multi-user environment can invalidate existing tokens by reauthenticating. |
|
| CVE-2026-12043 | Jun 12, 2026 |
AWS Common Runtime aws-c-http 0.11.0: HPACK CVE-2026-12043Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. To remediate this issue, users should upgrade to aws-c-http version 0.11.0. |
|
| CVE-2026-10740 | Jun 10, 2026 |
s2n-quic 1.8.2+ Unbounded CRYPTO frame reassembler DoSUnbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2. |
|
| CVE-2026-11417 | Jun 10, 2026 |
OS Command Injection NodejsFunction bundling in aws-cdk-lib <2.245.0OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later. |
|
| CVE-2026-11393 | Jun 08, 2026 |
CVE-2026-11393: AgentCore CLI v<0.14.2 RCE via triplequote code genImproper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remediate this issue, users should upgrade to version 0.14.2. |
|
| CVE-2026-11401 | Jun 05, 2026 |
AWS Adv Go Wrapper GDBP Untrusted Search Path EscalationAn untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper. To remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26 |
|
| CVE-2026-11400 | Jun 05, 2026 |
AWS Advanced JDBC Wrapper 4.0.0 GlobalDatabasePlugin Search Path EscalationAn untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through an affected wrapper. To remediate this issue, users should upgrade to AWS Advanced JDBC Wrapper version 4.0.1. |
|
| CVE-2026-10584 | Jun 02, 2026 |
Graph Explorer v<3.0.1 HTTP Fallback Enables HTTPS InterceptionProxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later. |
|
| CVE-2026-10591 | Jun 02, 2026 |
Amazon Kiro IDE <0.11 File Write CA Remote ExecInsufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later. |
|
| CVE-2026-46300 | May 23, 2026 |
Linux kernel: skb sharedfrag flag mispropagated in fragtransfer helpersIn the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors. |
|
| CVE-2026-9291 | May 22, 2026 |
Amazon Braket SDK 1.117.0 Fix: Insecure Deserialization (Remote Exec)Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to amazon-braket-sdk version 1.117.0 or later. |
|
| CVE-2026-9255 | May 22, 2026 |
Kiro CLI <1.28.0: Missing input validation allows arbitrary tool exec via stdinMissing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend you to upgrade to kiro-cli version 1.28.0 or later. |
|
| CVE-2026-9133 | May 20, 2026 |
Amazon MQ rabbitmq-aws <0.2.1: Debug ARN allows remote file readActive debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process. To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys. |
|
| CVE-2026-8838 | May 18, 2026 |
Amazon Redshift Python Driver eval() Vulnerability in vector_in() before 2.1.14Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14. |
|
| CVE-2026-8686 | May 15, 2026 |
coreMQTT v5.0.1 DOS via Missing Bounds Validation in MQTT v5.0 Prop ParserMissing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users should upgrade to v5.0.1. |
|
| CVE-2026-8597 | May 14, 2026 |
Amazon SageMaker SDK v2/v3 Remote Code Exec via Unverified Triton InferenceMissing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle payload that is deserialized without verification. This issue requires a remote authenticated actor with S3 write access to the model artifact path. To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuild any Triton models previously created with ModelBuilder using the updated SDK. |
|
| CVE-2026-8596 | May 14, 2026 |
Cleartext Sensitive Info in SageMaker Python SDK <v2.257.2/v3<3.8.0Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for specially crafted model artifacts, achieving code execution in inference containers. This issue requires a remote authenticated actor with permissions to call SageMaker describe APIs and S3 write access to the model artifact path. To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuild any models previously created with ModelBuilder using the updated SDK. |
|
| CVE-2026-8178 | May 08, 2026 |
Arbitrary Class Execution via URL in Amazon Redshift JDBC Driver <2.2.2An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later. |
|
| CVE-2026-43284 | May 08, 2026 |
Linux Kernel ESP: Prevent In-Place Decrypt on Shared skb FragsIn the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data(). |
|
| CVE-2026-7791 | May 04, 2026 |
Privilege Escalation in Amazon WorkSpaces Skylight WS Config (before 2.6.2034)Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM. |
|
| CVE-2026-7461 | Apr 30, 2026 |
Amazon ECS Agent FSx WinFS OS Command Injection <v1.103.0Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. To remediate this issue, users should upgrade to version 1.103.0. |
|
| CVE-2026-7426 | Apr 29, 2026 |
FreeRTOS-Plus-TCP <4.2.6, <4.4.1 IPv6 RA Prefix Length OverflowInsufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted. To mitigate this issue, users should upgrade to the fixed version when available. |
|
| CVE-2026-7425 | Apr 29, 2026 |
FreeRTOS-Plus-TCP <= V4.4.1: IPv6 RA Prefix truncation DoSInsufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size. To mitigate this issue, users should upgrade to the fixed version when available. |
|
| CVE-2026-7424 | Apr 29, 2026 |
FreeRTOS-Plus-TCP DHCPv6 Integer Underflow (V4.4.1/4.2.6)Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device's IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task freeze requiring hardware reset) by sending a single crafted DHCPv6 packet. The issue is present whenever DHCPv6 is enabled. To mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer. |
|
| CVE-2026-7423 | Apr 29, 2026 |
Integer Underflow in FreeRTOS-Plus-TCP ICMP Handlers V4.4.1/V4.2.6Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB. To mitigate this issue, users should upgrade to the fixed version when available. |
|
| CVE-2026-7422 | Apr 29, 2026 |
FreeRTOS-Plus-TCP MAC Spoof Loophole before v4.4.1Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint. To mitigate this issue, users should upgrade to the fixed version when available. |
|
| CVE-2026-7191 | Apr 27, 2026 |
qnabot-on-aws <7.3 CExec via static-eval Exploit (CVE-2026-7191)Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the intended expression sandbox through JavaScript prototype manipulation. This may grant direct access to backend resources (Lambda environment variables, OpenSearch indices, S3 objects, DynamoDB tables) that are not exposed through normal administrative interfaces. We recommend you upgrade to version 7.3.0 or above. |
|
| CVE-2026-6968 | Apr 24, 2026 |
AWS Tough v<0.22.0 Path Traversal via Absolute Target NamesIncomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0. |
|