VYPR
Vendor: AWS

Products: 51 | CVEs: 67 | Across products: 62 | Status: Private


Recent CVEs

  • CVE-2026-11393 | Critical | Jun 8, 2026
    risk 0.59 | cvss 9.0 | epss 0.00

    Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local…

  • CVE-2024-32888 | Critical | May 15, 2024
    risk 0.58 | cvss 10.0 | epss 0.01

    The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterprise Editions. Prior to version 2.1.0.28, SQL injection is possible when using…

  • CVE-2026-8838 | Critical | May 18, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version…

  • CVE-2026-6911 | Critical | Apr 24, 2026
    risk 0.57 | cvss 9.8 | epss 0.00

    Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user…

  • CVE-2026-11400 | High | Jun 5, 2026
    risk 0.52 | cvss 8.0 | epss 0.00

    An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted…

  • CVE-2026-6912 | High | Apr 24, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted…

  • CVE-2026-8178 | High | May 8, 2026
    risk 0.46 | cvss 8.1 | epss 0.01

    An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in…

  • CVE-2024-30165 | High | May 28, 2024
    risk 0.46 | cvss 7.1 | epss 0.00

    Amazon AWS Client VPN before 3.9.1 on macOS has a buffer overflow that could potentially allow a local actor to execute arbitrary commands with elevated permissions, a different vulnerability than CVE-2024-30164.

  • CVE-2026-11401 | High | Jun 5, 2026
    risk 0.45 | cvss 8.0 | epss 0.00

    An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted…

  • CVE-2025-12967 | High | Nov 10, 2025
    risk 0.45 | cvss 8.0 | epss 0.00

    An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. We…

  • CVE-2024-34073 | High | May 3, 2024
    risk 0.44 | cvss 7.8 | epss 0.01

    sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. In affected versions the capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module allows for potentially unsafe Operating System (OS)…

  • CVE-2024-34072 | High | May 3, 2024
    risk 0.44 | cvss 7.8 | epss 0.00

    sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays.…

  • CVE-2026-11417 | High | Jun 10, 2026
    risk 0.40 | cvss 7.3 | epss 0.01

    OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary…

  • CVE-2026-8597 | High | May 14, 2026
    risk 0.40 | cvss 7.2 | epss 0.00

    Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a…

  • CVE-2026-8596 | High | May 14, 2026
    risk 0.40 | cvss 7.2 | epss 0.00

    Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity…

  • CVE-2026-7461 | High | Apr 30, 2026
    risk 0.40 | cvss 7.2 | epss 0.01

    Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the…

  • CVE-2026-1777 | High | Feb 2, 2026
    risk 0.40 | cvss 7.2 | epss 0.00

    The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training…

  • CVE-2025-5279 | High | May 27, 2025
    risk 0.39 | cvss (not given) | epss 0.00

    When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and…

  • CVE-2026-10584 | Medium | Jun 2, 2026
    risk 0.38 | cvss 5.9 | epss 0.00

    Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade…

  • CVE-2025-13524 | Medium | Nov 21, 2025
    risk 0.37 | cvss 5.7 | epss 0.00

    Improper resource release in the call termination process in AWS Wickr before version 6.62.13 on Windows, macOS and Linux may allow a call participant to continue receiving audio input from another user after they close their call window. This issue occurs under certain…