Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).
AnalysisAI
Arbitrary VQL execution in Rapid7 Velociraptor before 0.76.6 allows attackers to compromise analyst workstations by supplying a malicious collection ZIP whose client_info.json hostname field breaks out of a YAML template generated by the Windows.Collectors.Remapping artifact. Triggered when an analyst loads the resulting remapping file with --remap, the injected VQL runs under NullACLManager with full permissions and no sandbox. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Velociraptor is an open-source DFIR endpoint-monitoring and collection platform whose 'remapping' feature lets analysts load offline collections by translating client paths via a YAML configuration. The Windows.Collectors.Remapping artifact constructs that YAML using Go's text/template package, which performs textual substitution without context-aware escaping for YAML quoted strings. The hostname value, taken from attacker-controllable client_info.json inside a collection ZIP, is interpolated directly between double quotes, so embedded literal quote and newline characters terminate the string and let new YAML keys be appended. This is a classic CWE-74 injection (improper neutralization of special elements) where the underlying flaw is using a generic text templating engine to emit a structured data format, then executing the resulting structure as code (VQL) inside an unrestricted NullACLManager context.
RemediationAI
Vendor-released patch: upgrade Rapid7 Velociraptor to 0.76.6 or later, per the advisory at https://docs.velociraptor.app/announcements/advisories/cve-2026-8795/. Until the upgrade is applied, do not invoke --remap on collection ZIPs originating from untrusted endpoints or external parties, and treat client_info.json hostname fields as untrusted by inspecting the generated remapping YAML manually before loading it; analysts who must process suspicious collections should do so inside a disposable VM or container so that any arbitrary VQL executes in an isolated environment rather than against the responder workstation, accepting the trade-off of slower triage workflows.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35289
GHSA-6jwp-vhch-qjpr