OS Command Injection Vulnerability in AWS jsii-diff Package
CVE-2026-15895

8.4HIGH

Key Information:

Vendor

Aws

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-15895?

A vulnerability exists in the AWS jsii-diff package prior to version 1.131.0, allowing attackers to exploit command injection. By passing specially crafted package specifiers through the npm: source argument, an attacker may execute arbitrary commands within the context of the application, presenting a substantial risk for systems utilizing this package. It is crucial for users to update to jsii-diff version 1.131.0 or later to mitigate this risk effectively.

Affected Version(s)

jsii 0 < 1.131.0

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.