{"id":"CVE-2026-15895","summary":"OS command injection in jsii-diff in AWS jsii","details":"OS command injection in the npm package loading component in AWS jsii-diff before 1.131.0 might allow context-dependent attackers to execute arbitrary commands via crafted package specifiers passed to the npm: source argument.\n\n\n\nTo mitigate this issue, users should upgrade to jsii-diff v1.131.0 or later.","modified":"2026-07-16T03:48:27.801383693Z","published":"2026-07-15T19:05:30.204Z","database_specific":{"cna_assigner":"AMZN","cwe_ids":["CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15895.json"},"references":[{"type":"ADVISORY","url":"https://aws.amazon.com/security/security-bulletins/2026-057-aws/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15895.json"},{"type":"FIX","url":"https://github.com/aws/jsii/releases/tag/v1.131.0"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-15895"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/aws/jsii","events":[{"introduced":"0"},{"fixed":"c0a3f35b59af17d8fe4a92292e099fbb08b8ac3c"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.131.0"}],"source":"AFFECTED_FIELD"}}],"versions":["v1.130.0","v1.129.0","v1.128.0","v1.127.0","v1.126.0","v1.125.0","v1.124.0","v1.123.0","v1.122.0","v1.121.0","v1.120.0","v1.119.0","v1.118.0","v1.117.0","v1.116.0","v1.115.0","v1.114.1","v1.113.0","v1.112.0","v1.111.0","v1.110.0","v1.109.0","v1.108.0","v1.107.0","v1.106.0","v1.105.0","v1.104.0","v1.103.1","v1.103.0","v1.102.0","v1.101.0","v1.100.0","v1.99.0","v1.98.0","v1.97.0","v1.96.0","v1.95.0","v1.94.0","v1.93.0","v1.92.0","v1.91.0","v1.90.0","v1.89.0","v1.88.0","v1.87.0","v1.86.1","v1.86.0","v1.85.0","v1.84.0","v1.83.0","v1.82.0","v1.81.0","v1.80.0","v1.79.0","v1.78.1","v1.78.0","v1.77.0","v1.76.0","v1.75.0","v1.74.0","v1.73.0","v1.72.0","v1.71.0","v1.70.0","v1.69.0","v1.68.0","v1.67.0","v1.66.0","v1.65.1","v1.65.0","v1.64.0","v1.63.2","v1.63.1","v1.63.0","v1.62.0","v1.61.0","v1.60.1","v1.60.0","v1.59.0","v1.58.0","v1.57.0","v1.56.0","v1.55.1","v1.55.0","v1.54.0","v1.53.0","v1.52.1","v1.52.0","v1.51.0","v1.50.0","v1.49.0","v1.48.0","v1.47.0","v1.46.0","v1.45.0","v1.44.2","v1.44.1","v1.44.0","v1.43.0","v1.42.0","v1.41.0","v1.40.0","v1.39.0","v1.38.0","v1.37.0","v1.36.0","v1.35.0","v1.34.0","v1.33.0","v1.32.0","v1.31.0","v1.30.0","v1.29.0","v1.28.0","v1.27.1","v1.27.0","v1.26.0","v1.25.0","v1.24.0","v1.23.0","v1.22.0","v1.21.0","v1.20.1","v1.20.0","v1.19.0","v1.18.0","v1.17.1","v1.17.0","v1.16.0","v1.15.0","v1.14.1","v1.14.0","v1.13.0","v1.12.0","v1.11.0","v1.10.0","v1.9.0","v1.8.0","v1.7.0","v1.6.0","v1.5.0","v1.4.1","v1.4.0","v1.3.2","v1.3.1","v1.3.0","v1.2.0","v1.0.0","v0.22.0","v0.21.2","v0.21.0","v0.20.11","v0.20.10","v0.20.9","v0.20.8","v0.20.7","v0.20.5","v0.20.2","v0.20.1","v0.20.0","v0.19.0","v0.18.0","v0.17.0","v0.16.0","v0.15.1","v0.15.0","v0.14.3","v0.14.2","v0.14.1","v0.14.0","v0.13.4","v0.13.3","v0.13.2","v0.12.1","v0.12.0","v0.11.3","v0.11.2","v0.11.1","v0.11.0","v0.10.5","v0.10.4","v0.10.3","v0.10.2","v0.10.1","v0.10.0","v0.9.0","v0.8.2","v0.8.1","v0.8.0","v0.7.15","v0.7.14","v0.7.13","v0.7.12","v0.7.11","v0.7.10","v0.7.9","v0.7.8","v0.7.7","v0.7.6","v0.7.5","v0.7.4","v0.7.3","v0.7.2","v0.7.1","v0.7.0","v0.6.4","v0.6.3","v0.6.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15895.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}