28 June 2026
Reference: CVE-2026-12957
1. What is being reported?
The issue involves AWS Language Servers before version 1.65.0, where if a user opens a specially crafted project workspace and agrees to trust it, commands in the project files may run without further checks. This could let attackers execute harmful code on the computer.
2. What this means in plain English
If your organisation uses AWS Language Servers and someone opens a project from an untrusted source, attackers might run dangerous commands on your system. This could lead to data loss, theft, or disruption of your IT systems.
3. Could this affect a small business?
Small businesses or charities using AWS Language Servers in their software development or IT setup could be affected. If you do not use this software or do not open project workspaces from unknown sources, you are less likely to be at risk.
4. What to do now
- Check if your organisation uses AWS Language Servers and identify the version installed.
- If you use this software, upgrade it to version 1.65.0 or later as soon as possible.
- Avoid opening project workspaces from unknown or untrusted sources.
- Ask your IT provider to confirm that your systems are protected against this vulnerability.
5. Ask your IT provider
Can you confirm whether our AWS Language Servers are updated to version 1.65.0 or higher to protect against the recent code execution vulnerability?
6. Bottom line
Keep your AWS Language Servers updated and only trust project workspaces from reliable sources to reduce risk.
Information from NVD, CISA KEV, and reputable security news reporting.