CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13760

highCVSS 7.3covered by 2 sourcesfirst seen 2026-07-01
Bulletin ID: 2026-050-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 07/01/2026 12:15 PM PDT Description: AWS CDK (aws-cdk-lib) is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. We identified CVE-2026-13760, an OS command injection issue in the NodejsFunction Docker bundling pipeline in aws-cdk-lib before 2.260.0 that could allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. Impacted versions: < 2.260.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
An OS command injection issue could allow execution of arbitrary commands on the host running the CDK toolchain.
Who is affected
Deployments of aws-cdk-lib before version 2.260.0.
Urgency
Remediation is urgent due to the potential for command injection vulnerabilities.
Action
Update aws-cdk-lib to version 2.260.0 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-13760

Get an email if CVE-2026-13760 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-13760

CVE.org record

Embed the live status

CVE-2026-13760 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13760 status](https://www.csirts.com/badge/CVE-2026-13760)](https://www.csirts.com/cve/CVE-2026-13760)