CVE-2026-7191

Name of the Vulnerable Software and Affected Versions qnabot-on-aws versions prior to 7.3.0

Description Improper use of the static-eval npm package allows an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context. This is achieved by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the expression sandbox through JavaScript prototype manipulation. Successful exploitation may grant direct access to backend resources, including Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables, which are typically not exposed through administrative interfaces.

Recommendations Upgrade to version 7.3.0 or above.