From f336385f3a0c9e5df9a92298db4d5ed1880cd766 Mon Sep 17 00:00:00 2001
From: Arne Wouters <25950814+arnewouters@users.noreply.github.com>
Date: Tue, 14 Apr 2026 10:24:40 +0200
Subject: [PATCH] Improve GHSA-fgmx-xfp3-w28p

---
 .../GHSA-fgmx-xfp3-w28p.json | 26 +++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/advisories/unreviewed/2026/04/GHSA-fgmx-xfp3-w28p/GHSA-fgmx-xfp3-w28p.json b/advisories/unreviewed/2026/04/GHSA-fgmx-xfp3-w28p/GHSA-fgmx-xfp3-w28p.json
index 622b1f6798faf..3df4ecfc702c5 100644
--- a/advisories/unreviewed/2026/04/GHSA-fgmx-xfp3-w28p/GHSA-fgmx-xfp3-w28p.json
+++ b/advisories/unreviewed/2026/04/GHSA-fgmx-xfp3-w28p/GHSA-fgmx-xfp3-w28p.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fgmx-xfp3-w28p",
-  "modified": "2026-04-11T03:30:30Z",
+  "modified": "2026-04-11T03:30:41Z",
   "published": "2026-04-11T03:30:30Z",
   "aliases": [
     "CVE-2026-5059"
   ],
+  "summary": "AWS CLI Command Injection Remote Code Execution Vulnerability",
   "details": "aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969.",
   "severity": [
     {
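Review bot: The new `summary` drops the product name that `details` leads with, so read on its own (as it is in listings and feeds) it suggests the AWS CLI itself is vulnerable rather than aws-mcp-server. Consider `"summary": "aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability"` so the one-line summary identifies the affected project, consistent with the details text and the package reference the commit adds elsewhere in the file.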
@@ -13,12 +14,33 @@
       "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "aws-mcp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5059"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/alexei-led/aws-mcp-server"
+    },
     {
       "type": "WEB",
       "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-245"
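Review bot: The new `affected` entry names the PyPI package `aws-mcp`, while the details text and the new PACKAGE reference identify the project as aws-mcp-server (github.com/alexei-led/aws-mcp-server); the distribution name should be confirmed against what that repository actually publishes to PyPI, because a wrong name either leaves the real package unmatched by scanners or attaches an unauthenticated-RCE advisory to an unrelated distribution that happens to be called `aws-mcp`. The range also carries only `{"introduced": "0"}`, which marks every released version as affected with no upper bound. If a patched release exists, add a `{"fixed": "<fixed-version>"}` event after the `introduced` one; if none does, a `{"last_affected": "<latest-known-vulnerable-version>"}` event would at least bound the range to versions known to be vulnerable instead of asserting the flaw for all future releases.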