CVE-2026-8666

Summary

OS Command Injection vulnerability in the traceroute action of Rapid7 InsightConnect Traceroute Plugin on Linux allows remote attackers to execute arbitrary OS commands via the host, port, max_ttl, count, or time_out request parameters due to insufficient input validation when constructing shell commands.

Affected Software

VendorProductVersion RangeStatus
Rapid7InsightConnect Traceroute Plugin0 < 1.0.3affected
Rapid7InsightConnect Traceroute Plugin1.0.3unaffected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References