CVE-2026-13760

Source
https://cve.org/CVERecord?id=CVE-2026-13760
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13760.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-13760
Aliases
  • GHSA-vcrf-j523-4mrf
Published
2026-07-01T19:05:18.671Z
Modified
2026-07-08T08:11:12.505635113Z
Severity
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
OS Command Injection in aws-cdk-lib Docker Bundling
Details

OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified.

To remediate this issue, users should upgrade to v2.260.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13760.json",
    "cna_assigner": "AMZN",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/aws/aws-cdk

Affected ranges

Type
GIT
Repo
https://github.com/aws/aws-cdk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.260.0"
        }
    ]
}

Affected versions

v0.*
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.17.0
v0.18.0
v0.18.1
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.2
v0.25.3
v0.26.0
v0.27.0
v0.28.0
v0.29.0
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
v0.36.0
v0.36.1
v0.36.2
v0.37.0
v0.38.0
v0.39.0
v0.7.0-beta
v0.7.1-beta
v0.7.2-beta
v0.7.3-beta
v0.7.4-beta
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
v0.9.2
v1.*
v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.13.1
v1.14.0
v1.15.0
v1.16.0
v1.16.1
v1.17.0
v1.17.1
v1.18.0
v1.19.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.6.1
v1.7.0
v1.8.0
v1.9.0
v2.*
v2.0.0
v2.0.0-alpha.10
v2.0.0-alpha.11
v2.0.0-alpha.12
v2.0.0-alpha.13
v2.0.0-alpha.14
v2.0.0-rc.1
v2.0.0-rc.10
v2.0.0-rc.11
v2.0.0-rc.12
v2.0.0-rc.13
v2.0.0-rc.14
v2.0.0-rc.15
v2.0.0-rc.16
v2.0.0-rc.17
v2.0.0-rc.18
v2.0.0-rc.19
v2.0.0-rc.20
v2.0.0-rc.21
v2.0.0-rc.22
v2.0.0-rc.23
v2.0.0-rc.24
v2.0.0-rc.25
v2.0.0-rc.26
v2.0.0-rc.27
v2.0.0-rc.28
v2.0.0-rc.29
v2.0.0-rc.3
v2.0.0-rc.30
v2.0.0-rc.31
v2.0.0-rc.32
v2.0.0-rc.33
v2.0.0-rc.4
v2.0.0-rc.5
v2.0.0-rc.6
v2.0.0-rc.7
v2.0.0-rc.8
v2.0.0-rc.9
v2.1.0
v2.10.0
v2.100.0
v2.101.0
v2.101.1
v2.102.0
v2.102.1
v2.103.0
v2.103.1
v2.104.0
v2.105.0
v2.106.0
v2.106.1
v2.107.0
v2.108.0
v2.108.1
v2.109.0
v2.11.0
v2.110.0
v2.110.1
v2.111.0
v2.112.0
v2.113.0
v2.114.0
v2.114.1
v2.115.0
v2.116.0
v2.116.1
v2.117.0
v2.118.0
v2.119.0
v2.12.0
v2.120.0
v2.121.0
v2.121.1
v2.122.0
v2.123.0
v2.124.0
v2.125.0
v2.126.0
v2.127.0
v2.128.0
v2.129.0
v2.13.0
v2.130.0
v2.131.0
v2.132.0
v2.132.1
v2.133.0
v2.134.0
v2.135.0
v2.136.0
v2.136.1
v2.137.0
v2.138.0
v2.139.0
v2.139.1
v2.14.0
v2.140.0
v2.141.0
v2.142.0
v2.142.1
v2.143.0
v2.143.1
v2.144.0
v2.145.0
v2.146.0
v2.147.0
v2.147.1
v2.147.2
v2.147.3
v2.148.0
v2.148.1
v2.149.0
v2.15.0
v2.150.0
v2.151.0
v2.151.1
v2.152.0
v2.153.0
v2.154.0
v2.154.1
v2.155.0
v2.156.0
v2.157.0
v2.158.0
v2.159.0
v2.159.1
v2.16.0
v2.160.0
v2.161.0
v2.161.1
v2.162.0
v2.162.1
v2.163.0
v2.163.1
v2.164.0
v2.164.1
v2.165.0
v2.166.0
v2.167.0
v2.167.1
v2.167.2
v2.168.0
v2.169.0
v2.17.0
v2.170.0
v2.171.0
v2.171.1
v2.172.0
v2.173.0
v2.173.1
v2.173.2
v2.173.3
v2.173.4
v2.174.0
v2.174.1
v2.175.0
v2.175.1
v2.176.0
v2.177.0
v2.178.0
v2.178.1
v2.178.2
v2.179.0
v2.18.0
v2.180.0
v2.181.0
v2.181.1
v2.182.0
v2.183.0
v2.184.0
v2.184.1
v2.185.0
v2.186.0
v2.187.0
v2.188.0
v2.189.0
v2.189.1
v2.19.0
v2.190.0
v2.191.0
v2.192.0
v2.193.0
v2.194.0
v2.195.0
v2.196.0
v2.196.1
v2.197.0
v2.198.0
v2.199.0
v2.2.0
v2.20.0
v2.200.0
v2.200.1
v2.200.2
v2.201.0
v2.202.0
v2.203.0
v2.203.1
v2.204.0
v2.205.0
v2.206.0
v2.207.0
v2.208.0
v2.209.0
v2.209.1
v2.21.0
v2.21.1
v2.210.0
v2.211.0
v2.212.0
v2.213.0
v2.214.0
v2.215.0
v2.216.0
v2.217.0
v2.218.0
v2.219.0
v2.22.0
v2.220.0
v2.221.0
v2.221.1
v2.222.0
v2.223.0
v2.224.0
v2.225.0
v2.226.0
v2.227.0
v2.228.0
v2.229.0
v2.229.1
v2.23.0
v2.230.0
v2.231.0
v2.232.0
v2.232.1
v2.232.2
v2.233.0
v2.234.0
v2.234.1
v2.235.0
v2.235.1
v2.236.0
v2.237.0
v2.237.1
v2.238.0
v2.239.0
v2.24.0
v2.24.1
v2.240.0
v2.241.0
v2.242.0
v2.243.0
v2.244.0
v2.245.0
v2.246.0
v2.247.0
v2.248.0
v2.249.0
v2.25.0
v2.250.0
v2.251.0
v2.252.0
v2.253.0
v2.253.1
v2.254.0
v2.255.0
v2.256.0
v2.256.1
v2.257.0
v2.258.0
v2.258.1
v2.259.0
v2.26.0
v2.27.0
v2.28.0
v2.28.1
v2.29.0
v2.29.1
v2.3.0
v2.30.0
v2.31.0
v2.31.1
v2.31.2
v2.32.0
v2.32.1
v2.33.0
v2.34.0
v2.34.1
v2.34.2
v2.35.0
v2.36.0
v2.37.0
v2.37.1
v2.38.0
v2.38.1
v2.39.0
v2.39.1
v2.4.0
v2.40.0
v2.41.0
v2.42.0
v2.42.1
v2.43.0
v2.43.1
v2.44.0
v2.45.0
v2.46.0
v2.47.0
v2.48.0
v2.49.0
v2.49.1
v2.5.0
v2.50.0
v2.51.0
v2.51.1
v2.52.0
v2.52.1
v2.53.0
v2.54.0
v2.55.0
v2.55.1
v2.56.0
v2.56.1
v2.57.0
v2.58.0
v2.58.1
v2.59.0
v2.6.0
v2.60.0
v2.61.0
v2.61.1
v2.62.0
v2.62.1
v2.62.2
v2.63.0
v2.63.1
v2.63.2
v2.64.0
v2.65.0
v2.66.0
v2.66.1
v2.67.0
v2.68.0
v2.69.0
v2.7.0
v2.70.0
v2.72.0
v2.72.1
v2.73.0
v2.74.0
v2.75.0
v2.75.1
v2.76.0
v2.77.0
v2.78.0
v2.79.0
v2.79.1
v2.8.0
v2.80.0
v2.81.0
v2.82.0
v2.83.0
v2.83.1
v2.84.0
v2.85.0
v2.86.0
v2.87.0
v2.88.0
v2.89.0
v2.9.0
v2.90.0
v2.91.0
v2.92.0
v2.93.0
v2.94.0
v2.95.0
v2.95.1
v2.96.0
v2.96.1
v2.96.2
v2.97.0
v2.97.1
v2.98.0
v2.99.0
v2.99.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13760.json"