Aggregates CVE and security vulnerability intelligence across all Amazon-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to path handling, cross-site scripting, and input validation; exposure may include memory corruption in server deployment contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-35562 | Allocation of resources without limits in the parsing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to cause a denial of service by delivering crafted input that triggers excessive resource consumption during the driver's parsing operations. To remediate this issue, users should upgrade to version 2.1.0.0. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 8.7 | 0.38% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35561 | Insufficient authentication security controls in the browser-based authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to intercept or hijack authentication sessions due to insufficient protections in the browser-based authentication flows. To remediate this issue, users should upgrade to version 2.1.0.0. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 9.1 | 0.47% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35560 | Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena. To remediate this issue, users should upgrade to version 2.1.0.0. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 9.1 | 0.26% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35559 | Out-of-bounds write in the query processing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to crash the driver by using specially crafted data that is processed by the driver during query operations. To remediate this issue, users should upgrade to version 2.1.0.0. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 7.1 | 0.27% | 2026-04-03 | 2026-06-17 |
| CVE-2026-35558 | Improper neutralization of special elements in the authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to execute arbitrary code or redirect authentication flows by using specially crafted connection parameters that are processed by the driver during user-initiated authentication. To remediate this issue, users should upgrade to version 2.1.0.0. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 7.3 | 0.27% | 2026-04-03 | 2026-06-17 |
| CVE-2026-4269 | A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. This issue only affects users of the Bedrock AgentCore Starter Toolkit before version v0.1.13 who build or have built the Toolkit after September 24, 2025. Any users on a version >=v0.1.13, and any users on previous versions who built the toolkit before September 24, 2025 are not a | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.8 | 0.24% | 2026-03-16 | 2026-06-17 |
| CVE-2026-4270 | An improper protection of alternate path issue in the no-access and workdir feature of the AWS API MCP Server, versions >= 0.2.14 and < 1.3.9, on all platforms may allow the bypass of intended file access restrictions and expose arbitrary local file contents in the MCP client application context. To remediate this issue, users should upgrade to version 1.3.9. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 6.8 | 0.13% | 2026-03-16 | 2026-06-17 |
| CVE-2026-3494 | In MariaDB server versions through 11.8.5, when the server audit plugin is enabled with the server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (--) or hash (#) style comments, the statement is not logged. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.3 | 0.27% | 2026-03-03 | 2026-06-17 |
| CVE-2026-3338 | Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 8.7 | 0.78% | 2026-03-02 | 2026-06-29 |
| CVE-2026-3337 | Observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis. The impacted implementations are through the EVP CIPHER API: EVP_aes_128_ccm, EVP_aes_192_ccm, and EVP_aes_256_ccm. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 8.2 | 1.08% | 2026-03-02 | 2026-06-17 |
| CVE-2026-3336 | Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, except the final signer. Customers of AWS services do not need to take action. Applications using AWS-LC should upgrade to AWS-LC version 1.69.0. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 8.7 | 0.77% | 2026-03-02 | 2026-06-29 |
| CVE-2026-1386 | A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 6.0 | 0.19% | 2026-01-23 | 2026-06-17 |
| CVE-2026-0830 | Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0.6.18 when opening maliciously crafted workspaces. To mitigate, users should update to the latest version. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 8.4 | 1.28% | 2026-01-09 | 2026-06-17 |
| CVE-2025-14503 | An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deplo | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 8.6 | 0.43% | 2025-12-15 | 2026-06-17 |
| CVE-2025-9624 | A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and OpenSearch < 2.19.4. | [email protected] | 8.3 | 0.45% | 2025-11-25 | 2026-06-17 |
| CVE-2025-62371 | OpenSearch Data Prepper is an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust-all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially | [email protected] | 7.4 | 0.18% | 2025-10-15 | 2026-06-17 |
| CVE-2025-11618 | A missing validation check in FreeRTOS-Plus-TCP's UDP/IPv6 packet processing code can lead to an invalid pointer dereference when receiving a UDP/IPv6 packet with an incorrect IP version field in the packet header. This issue only affects applications using IPv6. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.3 | 0.31% | 2025-10-10 | 2026-06-17 |
| CVE-2025-11617 | A missing validation check in FreeRTOS-Plus-TCP's IPv6 packet processing code can lead to an out-of-bounds read when receiving an IPv6 packet with an incorrect payload length in the packet header. This issue only affects applications using IPv6. We recommend users upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.3 | 0.28% | 2025-10-10 | 2026-06-17 |
| CVE-2025-11616 | A missing validation check in FreeRTOS-Plus-TCP's ICMPv6 packet processing code can lead to an out-of-bounds read when receiving ICMPv6 packets of certain message types that are smaller than the expected size. These issues only affect applications using IPv6. Users should upgrade to the latest version and ensure any forked or derivative code is patched to incorporate the new fixes. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.3 | 0.28% | 2025-10-10 | 2026-06-17 |
| CVE-2025-2888 | During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. | ff89ba41-3aa1-4d27-914a-91399e9639e5 | 5.7 | 0.26% | 2025-03-27 | 2026-06-17 |