CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins

AWS has released an important security bulletin for the Language Servers for AWS and the Amazon Q Developer IDE plugins that use them. It covers two vulnerabilities that require immediate attention.

The first, CVE-2026-12957, is an improper trust boundary enforcement issue in Language Servers for AWS versions before 1.65.0. If a local user opens a crafted workspace and marks it as trusted, commands can be executed automatically.

The second, CVE-2026-12958, is a missing symlink validation issue in versions before 1.69.0. It can be exploited through a maliciously crafted symlink that points outside the workspace.

Both vulnerabilities are present in the Amazon Q Developer IDE plugins, which use these language servers. These critical issues are resolved in Language Servers for AWS version 1.69.0. Affected products include various versions of the Amazon Q Developer IDE plugins for VS Code, JetBrains, Eclipse, and Visual Studio. Users are strongly advised to update to the latest versions to mitigate these risks. Further details and the most current information are available in the linked AWS Security Bulletin.
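The symlink issue above is an instance of a general bug class: a tool that reads files by their lexical path inside a workspace, without resolving symlinks first, can be made to read a file that lives outside the workspace. The following is an added example, written for this note and not taken from the AWS language servers or the Amazon Q plugins; the function names (isInsideRoot, resolveWorkspacePath, runScenario) and the temporary workspace layout it constructs are illustrative assumptions. It shows the containment check such a component should perform: resolve the real path of a workspace entry, then verify it still lies under the real path of the workspace root.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// True only if `candidate` (already a real, absolute path) lies inside `root`
// (also real and absolute). path.relative is used instead of a string-prefix
// test so that "/ws2" is not mistaken for a child of "/ws", and a file
// literally named "..foo" inside the root is not rejected by accident.
function isInsideRoot(candidate: string, root: string): boolean {
  const rel = path.relative(root, candidate);
  if (rel === "") return true;                 // the root itself
  if (path.isAbsolute(rel)) return false;      // different drive (Windows)
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Resolve a workspace entry to its real path (following symlinks and "..")
// and return it only if it is still inside the workspace; otherwise null.
// A workspace entry that is a symlink to a file outside the workspace
// resolves to that outside path and is rejected here, whereas its lexical
// path ("<workspace>/link.txt") would have looked perfectly fine.
function resolveWorkspacePath(workspaceRoot: string, entry: string): string | null {
  const rootReal = fs.realpathSync(workspaceRoot);
  let real: string;
  try {
    real = fs.realpathSync(path.resolve(rootReal, entry));
  } catch (_e) {
    return null;                               // missing file or dangling symlink
  }
  return isInsideRoot(real, rootReal) ? real : null;
}

// Constructed scenario (hypothetical, built in a temp dir): a workspace with
// one regular file and one symlink that points to a file outside it.
function runScenario(): { regular: boolean; escaped: boolean; dotdot: boolean } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "lsp-ws-"));
  const ws = path.join(base, "workspace");
  const outside = path.join(base, "outside");
  fs.mkdirSync(ws);
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(ws, "config.json"), "{}");
  fs.writeFileSync(path.join(outside, "secret.txt"), "constructed sample data");
  fs.symlinkSync(path.join(outside, "secret.txt"), path.join(ws, "link.txt"));

  const result = {
    regular: resolveWorkspacePath(ws, "config.json") !== null,          // accepted
    escaped: resolveWorkspacePath(ws, "link.txt") !== null,             // rejected
    dotdot: resolveWorkspacePath(ws, "../outside/secret.txt") !== null, // rejected
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(JSON.stringify(runScenario()));
```

Note that the workspace root is passed through realpathSync as well: on systems where the temp directory or the workspace itself sits behind a symlink (macOS's /var to /private/var is the usual case), comparing a resolved entry against an unresolved root would reject every legitimate file.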