CVE-2026-5709
HIGH
AWS Research and Engineering Studio (RES) FileBrowser Command Injection
Title source: cnaDescription
Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
References (3)
Core References
Release Notes
https://github.com/aws/res/releases/tag/2026.03
Patch
https://github.com/aws/res/issues/150
Vendor Advisory
https://aws.amazon.com/security/security-bulletins/2026-014-aws/
Scores
CVSS v3
8.8
EPSS
0.0109
EPSS Percentile
60.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
amazon/research_and_engineering_studio
< 2026.03
AWS/Research and Engineering Studio (RES)
2024.10 - 2025.12.01
Published
Apr 06, 2026
Tracked Since
Apr 07, 2026