{"uuid": "3cc80f9e-a67a-4b78-847f-a3ae4368fa39", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-12957", "type": "seen", "source": "https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html", "content": "A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it.\n\nTracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers.\n\nWiz", "creation_timestamp": "2026-06-27T01:00:39.473263Z"}