Logo
Retour à la veille

CVE-2026-11393

Publié : 8 juin 2026
Modifié : 8 juin 2026
Lien officiel NVD
Score CVSS
9
CRITICAL

Description détaillée

Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remediate this issue, users should upgrade to version 0.14.2.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Références et Patchs

https://aws.amazon.com/security/security-bulletins/2026-040-aws/https://github.com/aws/agentcore-cli/releases/tag/v0.14.2https://github.com/aws/agentcore-cli/security/advisories/GHSA-m4x6-gwgp-4pm7https://www.npmjs.com/package/@aws/agentcore/v/0.14.2https://www.npmjs.com/package/@aws/agentcore/v/1.0.0-preview.9

Dernières Vulnérabilités

CVE-2026-11701

Inappropriate implementation in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

VOIR DÉTAILS

CVE-2026-11700

Use after free in Tracing in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

VOIR DÉTAILS

CVE-2026-11699

Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

VOIR DÉTAILS