Search
Find a vulnerability
Search criteria
2 vulnerabilities found for insightconnect_rpm by rapid7
CVE-2026-8663 (GCVE-0-2026-8663)
Vulnerability from nvd – Published: 2026-06-24 23:56 – Updated: 2026-06-25 12:36
VLAI
EPSS
VEX
Title
OS Command Injection in Rapid7 InsightConnect RPM Plugin
Summary
OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction.
Severity
6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://extensions.rapid7.com/extension/rpm | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rapid7 | InsightConnect RPM Plugin |
Affected:
0 , < 1.0.2
(custom)
Unaffected: 1.0.2 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8663",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:35:55.383114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:36:02.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "InsightConnect RPM Plugin",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jacob Steadman, Rapid7"
},
{
"lang": "en",
"type": "finder",
"value": "Jed Starr, Rapid7"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction."
}
],
"value": "OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Remote Code Execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T23:56:50.706Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://extensions.rapid7.com/extension/rpm"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OS Command Injection in Rapid7 InsightConnect RPM Plugin",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2026-8663",
"datePublished": "2026-06-24T23:56:50.706Z",
"dateReserved": "2026-05-15T06:29:07.070Z",
"dateUpdated": "2026-06-25T12:36:02.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8663 (GCVE-0-2026-8663)
Vulnerability from cvelistv5 – Published: 2026-06-24 23:56 – Updated: 2026-06-25 12:36
VLAI
EPSS
VEX
Title
OS Command Injection in Rapid7 InsightConnect RPM Plugin
Summary
OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction.
Severity
6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://extensions.rapid7.com/extension/rpm | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rapid7 | InsightConnect RPM Plugin |
Affected:
0 , < 1.0.2
(custom)
Unaffected: 1.0.2 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8663",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:35:55.383114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:36:02.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "InsightConnect RPM Plugin",
"vendor": "Rapid7",
"versions": [
{
"lessThan": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jacob Steadman, Rapid7"
},
{
"lang": "en",
"type": "finder",
"value": "Jed Starr, Rapid7"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction."
}
],
"value": "OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Remote Code Execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-24T23:56:50.706Z",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://extensions.rapid7.com/extension/rpm"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OS Command Injection in Rapid7 InsightConnect RPM Plugin",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2026-8663",
"datePublished": "2026-06-24T23:56:50.706Z",
"dateReserved": "2026-05-15T06:29:07.070Z",
"dateUpdated": "2026-06-25T12:36:02.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}