Description
OS Command Injection vulnerability in the ping action of Rapid7 InsightConnect Ping Plugin on Linux allows remote attackers to execute arbitrary OS commands via the host parameter due to insufficient input validation when constructing shell commands.
Published: 2026-06-25
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CVE exposes an OS command injection flaw in Rapid7 InsightConnect’s Ping Plugin. The vulnerability arises when the plugin incorporates the user‑provided host argument into a shell command without proper sanitization. An attacker that can reach the ping action can inject arbitrary shell commands, leading to remote code execution on the underlying Linux host and compromising confidentiality, integrity, and availability.

Affected Systems

The flaw affects the Rapid7 InsightConnect Ping Plugin. No specific version range was enumerated in the advisory, implying that all supported releases that include the ping action are vulnerable until a fix is released.

Risk and Exploitability

The CVSS score of 7.7 indicates a high-severity risk. The EPSS metric is unavailable, and the absence of this CVE from CISA's KEV catalog suggests no confirmed in-the-wild exploitation yet, but the remote nature of the flaw and the ability to execute arbitrary commands make it a top priority for remediation. An attacker would likely invoke the ping action via the public API or user interface, supplying a malicious host string to spawn shell commands on the InsightConnect server.

Generated by OpenCVE AI on June 25, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Rapid7 InsightConnect to a version in which the ping plugin validates or sanitizes host input and limits command execution.
  • If an update is not immediately possible, restrict the ping action to trusted users or network segments and consider disabling the plugin if it is not required.
  • Enable and monitor InsightConnect audit logs for abnormal ping command activity to detect potential exploitation attempts.
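The hardening the first recommended action describes, as an added example that is not Rapid7's plugin code: a host validator (IP literal or RFC 1123 hostname) and a ping invocation that passes an argument list to the kernel instead of interpolating the host into a shell string. The CWE-78 pattern this CVE describes is shown alongside for contrast; function names are hypothetical.

```python
"""Safe host handling for a ping-style plugin action (added example, not the plugin's code)."""
import ipaddress
import re
import subprocess

# RFC 1123 label: starts and ends with a letter or digit, hyphens allowed inside, max 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def vulnerable_ping_command(host: str) -> str:
    """The CWE-78 pattern: the host is spliced into a string that is later run
    with shell=True, so shell metacharacters in `host` change the command."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Return `host` if it is an IPv4/IPv6 literal or an RFC 1123 hostname, else raise ValueError.
    Because a valid label cannot start with '-', the result can never be parsed as a ping option."""
    if not host or len(host) > 253:
        raise ValueError("host is empty or too long")
    try:
        return str(ipaddress.ip_address(host))  # accepts e.g. 10.0.0.1 or 2001:db8::1
    except ValueError:
        pass
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    return host


def is_valid_host(host: str) -> bool:
    """Boolean wrapper around validate_host for callers that prefer not to catch exceptions."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def safe_ping_argv(host: str, count: int = 1) -> list[str]:
    """Build the argv for ping: fixed option set, validated host, no shell involved."""
    return ["ping", "-c", str(int(count)), validate_host(host)]


def run_ping(host: str, count: int = 1) -> subprocess.CompletedProcess:
    """Execute ping via execve semantics: each argv element reaches ping verbatim,
    so no metacharacter in `host` is ever interpreted by a shell."""
    return subprocess.run(safe_ping_argv(host, count), capture_output=True,
                          text=True, timeout=10, check=False)
```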



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 01:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           OS Command Injection vulnerability in the ping action of Rapid7 InsightConnect Ping Plugin on Linux allows remote attackers to execute arbitrary OS commands via the host parameter due to insufficient input validation when constructing shell commands.
Title         (none)           OS Command Injection in Rapid7 InsightConnect Ping Plugin
Weaknesses    (none)           CWE-78
References    (none)
Metrics       (none)           cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}



MITRE

Status: PUBLISHED

Assigner: rapid7

Published:

Updated: 2026-06-25T00:52:34.341Z

Reserved: 2026-05-15T06:29:01.208Z

Link: CVE-2026-8660

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T02:30:15Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')