Unknown · Qnabot On Aws · CVE-2026-7191
**Name of the Vulnerable Software and Affected Versions**
qnabot-on-aws versions prior to 7.3.0
**Description**
Improper use of the static-eval npm package allows an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context. This is achieved by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the expression sandbox through JavaScript prototype manipulation. Successful exploitation may grant direct access to backend resources, including Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables, which are typically not exposed through administrative interfaces.
**Recommendations**
Upgrade to version 7.3.0 or above.