Skip to main content

Insightconnect Traceroute Plugin

1 CVEs product

Monthly

CVE-2026-8666 CRITICAL PATCH Act Now

OS command injection in Rapid7's InsightConnect Traceroute Plugin (Linux, versions below 1.0.3) lets attackers inject arbitrary shell commands through the traceroute action's host, port, max_ttl, count, or time_out parameters, which are concatenated into a shell command without sufficient validation. Successful exploitation grants full command execution in the plugin container with the same impact on confidentiality, integrity, and availability. This was reported by the vendor (Rapid7) with a fix in 1.0.3; there is no public exploit identified at time of analysis, and EPSS sits at a modest 0.55% (42nd percentile).

Command Injection Insightconnect Traceroute Plugin
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

OS command injection in Rapid7's InsightConnect Traceroute Plugin (Linux, versions below 1.0.3) lets attackers inject arbitrary shell commands through the traceroute action's host, port, max_ttl, count, or time_out parameters, which are concatenated into a shell command without sufficient validation. Successful exploitation grants full command execution in the plugin container with the same impact on confidentiality, integrity, and availability. This was reported by the vendor (Rapid7) with a fix in 1.0.3; there is no public exploit identified at time of analysis, and EPSS sits at a modest 0.55% (42nd percentile).

Command Injection Insightconnect Traceroute Plugin
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy