CVE-2026-5709 · HIGH 8.8 · EPSS p61.0%

Description

Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.09% probability of exploitation · percentile 61.0% · 2026-06-19T12:03:05Z
Published: 2026-04-06
Last modified: 2026-04-10

Underlying weaknesses · 1

CWE-78

References

  1. https://aws.amazon.com/security/security-bulletins/2026-014-aws/
  2. https://github.com/aws/res/issues/150
  3. https://github.com/aws/res/releases/tag/2026.03

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-5707
  2. CVE-2026-5708
  3. CVE-2026-10591
  4. CVE-2025-57790
  5. CVE-2026-21628
  6. CVE-2025-5277

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.