🟠 High  |  Source: AWS Security Bulletins


A command injection vulnerability (CVE-2026-15895) has been identified in jsii-diff, a CLI tool used to compare API differences between AWS jsii assemblies. Specially crafted command line arguments can be used to execute arbitrary shell commands on the host system. All versions prior to 1.131.0 are affected.

Security Architect’s Take: Audit your CI/CD pipelines and developer toolchains for use of jsii-diff and upgrade to version 1.131.0 or later immediately. Pay particular attention to any automated workflows where jsii-diff processes externally supplied or untrusted input, as these present the highest exploitation risk.

Original advisory: CVE-2026-15895: OS command injection in jsii-diff in AWS jsii