CVE-2026-5707 · HIGH 8.8 · EPSS p58.1%


Description

Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.99% probability of exploitation · percentile 58.1% · 2026-06-19T12:03:05Z
Published: 2026-04-06
Last modified: 2026-04-10

Underlying weaknesses · 1

CWE-78

References

  1. https://aws.amazon.com/security/security-bulletins/2026-014-aws/
  2. https://github.com/aws/res/issues/151
  3. https://github.com/aws/res/releases/tag/2026.03


Type · Target · Confidence · Tier
Weakness · Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) · 0% · live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-5708
CVE: CVE-2026-5709
CVE: CVE-2025-25269
CVE: CVE-2026-10727
CVE: CVE-2025-12779
CVE: CVE-2025-21309

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.