OS command injection in the npm package loading component in AWS jsii-diff before 1.131.0 might allow context-dependent attackers to execute arbitrary commands via crafted package specifiers passed to the npm: source argument.
To mitigate this issue, users should upgrade to jsii-diff v1.131.0 or later.
To mitigate this issue, users should upgrade to jsii-diff v1.131.0 or later.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 15 Jul 2026 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OS command injection in the npm package loading component in AWS jsii-diff before 1.131.0 might allow context-dependent attackers to execute arbitrary commands via crafted package specifiers passed to the npm: source argument. To mitigate this issue, users should upgrade to jsii-diff v1.131.0 or later. | |
| Title | OS command injection in jsii-diff in AWS jsii | |
| First Time appeared |
Aws
Aws jsii |
|
| Weaknesses | CWE-78 | |
| CPEs | cpe:2.3:a:aws:jsii:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Aws
Aws jsii |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: AMZN
Published:
Updated: 2026-07-15T19:21:30.087Z
Reserved: 2026-07-15T17:56:36.976Z
Link: CVE-2026-15895
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T01:00:04Z
Weaknesses