Description
Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdown_to_pdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted content embedded in Markdown input. The PDF rendering engine does not restrict script execution or outbound network access.
Published: 2026-06-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Server-side Cross-Site Scripting (CWE-79) and Server-Side Request Forgery (CWE-918) are present in the markdown_to_pdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux. Markdown permits raw HTML, and the PDF rendering engine neither disables script execution nor restricts outbound network access, so crafted Markdown can carry JavaScript that runs inside the renderer on the server and can direct the renderer to fetch arbitrary URLs, including internal services reachable only from the rendering host. The published CVSS vector (C:L/I:L/A:N) records limited confidentiality and integrity impact and no availability impact; the advisory does not describe arbitrary code execution on the host, only script execution within the rendering engine and attacker-chosen outbound HTTP requests.

Affected Systems

Rapid7 InsightConnect Markdown Plugin, version 3.1.4 and earlier, available on Linux operating systems.

Risk and Exploitability

The CVSS 3.1 base score of 4.8 (Medium; AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) reflects an issue reachable over the network without privileges or user interaction, but with high attack complexity and limited confidentiality and integrity impact. The EPSS score is below 1% (Very Low), the vulnerability is not in CISA's KEV catalog, and the SSVC assessment records no known exploitation, so there is no documented exploitation to date. The attack surface is any path by which attacker-controlled Markdown reaches the markdown_to_pdf action (for example, a workflow that renders text taken from an external source). Once the action processes such input, the renderer executes the embedded script and/or issues the outbound HTTP requests the content specifies.

Generated by OpenCVE AI on June 26, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Rapid7 InsightConnect Markdown Plugin as soon as Rapid7 publishes a release that disables JavaScript execution in the PDF renderer and restricts its outbound network access; at the time of writing no fixed version is listed.
  • Restrict access to the markdown_to_pdf action so that only trusted users or internal services can invoke it, and avoid feeding it Markdown taken from untrusted or external sources, reducing the exposed attack surface.
  • Apply egress controls to the host or container that runs the rendering engine: deny outbound HTTP from the rendering process except to an allowlist of required destinations, and log blocked attempts, so that SSRF attempts cannot reach internal services.
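The hardening described in the analysis and the recommended actions, as an added Python example that is not Rapid7's code and not the plugin's implementation. It assumes a hypothetical pipeline in which Markdown has already been converted to HTML (Markdown allows raw HTML, which is how `<script>` and resource-loading tags reach the renderer) and an HTML-to-PDF engine that would otherwise execute scripts and fetch any URL it encounters. The allowlisted host `assets.example.internal`, the `SAMPLE_HTML` input and the `sanitize_for_pdf` / `url_is_permitted` names are all constructed for the example.

```python
"""Hardening an HTML-to-PDF step: strip active content and constrain fetches.

Hypothetical pipeline (not the plugin's code): Markdown -> HTML -> PDF renderer.
The renderer is assumed to execute <script> and to fetch any URL it sees, so the
HTML is sanitised before hand-over and every resource URL is checked against an
allowlist and a private-address filter.
"""
import ipaddress
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that make a renderer run code or load remote/local content.
# <style> is included because CSS url() also triggers fetches.
ACTIVE_TAGS = {"script", "style", "iframe", "object", "embed", "link", "meta",
               "base", "form", "svg", "math"}
# Attributes whose value the renderer will fetch.
URL_ATTRS = {"src", "href", "data", "poster", "background"}
# Hosts a rendering job may load assets from (assumed for this example).
ALLOWED_HOSTS = {"assets.example.internal"}


def url_is_permitted(url: str) -> bool:
    """True only for http(s) URLs whose host is allowlisted and is not a literal
    private, loopback, link-local, reserved or multicast address."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False  # file:, javascript:, data:, gopher: ... all rejected
    host = parts.hostname  # strips userinfo, so host@evil cannot spoof the allowlist
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast):
            return False
    except ValueError:
        pass  # a DNS name, not a literal address; the allowlist decides
    return host.lower() in ALLOWED_HOSTS


class PdfSafeHtml(HTMLParser):
    """Rebuilds the HTML, dropping active elements, event handlers, inline
    style and any URL attribute that url_is_permitted() rejects."""
    VOID = {"br", "hr", "img", "input", "area", "col", "wbr", "source",
            "track", "link", "meta", "base"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element
        self.dropped = []    # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in self.VOID:
                self.skip_depth += 1
            return
        if tag in ACTIVE_TAGS:
            self.dropped.append(f"<{tag}>")
            if tag not in self.VOID:
                self.skip_depth = 1  # swallow the element's content too
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name == "style":
                self.dropped.append(f"{tag}@{name}")  # onload=, onerror=, style=
                continue
            if name in URL_ATTRS and not url_is_permitted(value):
                self.dropped.append(f"{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in self.VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= 1
            return
        if tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_for_pdf(html: str) -> tuple[str, list[str]]:
    """Return (sanitised HTML, list of removed items) for logging/alerting."""
    parser = PdfSafeHtml()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample of HTML as a Markdown converter might emit it when the
# Markdown input carries raw HTML (not taken from any real advisory).
SAMPLE_HTML = (
    "<h1>Report</h1>"
    "<p>Hello <b>world</b></p>"
    "<script>fetch('http://169.254.169.254/latest/meta-data/')</script>"
    '<img src="http://127.0.0.1:8080/admin" onerror="alert(1)">'
    '<img src="https://assets.example.internal/logo.png" alt="logo">'
    '<iframe src="file:///etc/passwd"></iframe>'
    '<a href="javascript:void(0)">click</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_for_pdf(SAMPLE_HTML)
    print(clean)
    print("removed:", dropped)
```

The sanitiser is a defence-in-depth layer, not a substitute for the other two recommendations: the renderer itself should have JavaScript disabled, and egress should be enforced at the network level, because a DNS name on the allowlist can still resolve to an internal address at fetch time, which a literal-IP check like the one above cannot see.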

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 13:30:00 +0000 (values added; nothing removed)

  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 10:45:00 +0000 (values added; nothing removed)

  First Time appeared: Rapid7; Rapid7 insightconnect Markdown Plugin
  Vendors & Products: Rapid7; Rapid7 insightconnect Markdown Plugin

Fri, 26 Jun 2026 02:15:00 +0000 (values added; nothing removed)

  Description: Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdown_to_pdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted content embedded in Markdown input. The PDF rendering engine does not restrict script execution or outbound network access.
  Title: Server-Side Cross-Site Scripting and SSRF in Rapid7 InsightConnect Markdown to PDF Plugin
  Weaknesses: CWE-79; CWE-918
  References: (none)
  Metrics: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: rapid7

Published:

Updated: 2026-06-26T12:24:03.302Z

Reserved: 2026-05-15T06:29:03.740Z

Link: CVE-2026-8661

Vulnrichment

Updated: 2026-06-26T12:23:49.835Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T09:35:52Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-918

    Server-Side Request Forgery (SSRF)