Description
OS Command Injection vulnerability in the TR action of Rapid7 InsightConnect Translate Plugin on Linux allows remote attackers to execute arbitrary OS commands via the text or expression parameters due to insufficient input sanitization in shell command construction.
Published: 2026-06-25
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic OS command injection flaw that appears when the Translate action in Rapid7 InsightConnect Translate Plugin constructs a shell command without proper sanitization of the text or expression parameters. An attacker who can reach the action endpoint can supply specially crafted input that is executed verbatim by the underlying operating system, allowing the attacker to run any commands they choose. This leads to a total breakdown of confidentiality, integrity, and availability for the affected system.

Affected Systems

The affected component is the Translate plugin for Rapid7 InsightConnect, which runs on Linux platforms. No specific version information is provided, so all installations of this plugin that contain the described input-handling logic are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.7 indicates that the flaw is considered a high-severity vulnerability. The EPSS score is not available, and the issue is not currently listed in the CISA Known Exploited Vulnerabilities catalog, so the exploitation likelihood is unclear, but the lack of input validation makes exploitation straightforward if the action can be invoked remotely.

Generated by OpenCVE AI on June 25, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Rapid7 InsightConnect Translate Plugin to the latest available version that includes the fix for the command injection flaw.
  • Restrict network access to the Translate action by placing firewalls or network segmentation between untrusted networks and the plugin, ensuring that only trusted internal hosts can reach the endpoint.
  • Apply strict input validation or sanitization to the text and expression parameters before they are used in any shell command; if the plugin’s functionality is not required, consider disabling or removing the vulnerable code path entirely.
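As an added illustration of the third action (not the plugin's code, which is not on the page), the CWE-78 pattern beside a hardened form in Python, the language InsightConnect plugins are written in; the tool path, flags and the allowlist for `expression` are placeholders assumed for the example:

```python
"""Added illustration of CWE-78 hardening; the real plugin's code is not on the page."""
import re
import shlex
import subprocess

# Constructed placeholder: the page does not name the binary or flags the plugin invokes.
TRANSLATE_BIN = "/usr/local/bin/translate-tool"

# Assumed allowlist for `expression` (a language/format selector in this hypothetical
# tool): letters, digits, underscore, hyphen, 1 to 32 characters.
EXPRESSION_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def vulnerable_command(text: str, expression: str) -> str:
    """The CWE-78 pattern: one shell string built by interpolation.

    Anything in `text` or `expression` that /bin/sh treats specially is
    interpreted by the shell instead of reaching the tool as data.
    """
    return f"{TRANSLATE_BIN} --expr {expression} {text}"


def validate_expression(expression: str) -> str:
    """Reject values outside the allowlist rather than trying to strip bad characters."""
    if not EXPRESSION_RE.fullmatch(expression):
        raise ValueError("expression contains characters outside the allowlist")
    return expression


def hardened_argv(text: str, expression: str) -> list[str]:
    """Argument vector handed to the binary directly, with no shell in between.

    Each parameter arrives at the tool as exactly one argv entry, so shell
    metacharacters in `text` are plain bytes; `--` ends option parsing so
    text beginning with `-` cannot be read as a flag.
    """
    return [TRANSLATE_BIN, "--expr", validate_expression(expression), "--", text]


def quoted_command(text: str, expression: str) -> str:
    """If a shell string is unavoidable, quote every word so it stays one word."""
    return " ".join(shlex.quote(arg) for arg in hardened_argv(text, expression))


def run_translate(text: str, expression: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Execute with shell=False; the argv list is never re-parsed by a shell."""
    return subprocess.run(hardened_argv(text, expression), shell=False,
                          capture_output=True, text=True, timeout=timeout, check=False)
```

Comparing `vulnerable_command("bonjour; echo injected", "en")` with `hardened_argv` on the same constructed input shows the `;` ending the command in the first case and staying inside a single argument in the second.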

Advisories

No advisories yet.

References
History

Thu, 25 Jun 2026 01:45:00 +0000

Type          Values Removed   Values Added
Description   -                OS Command Injection vulnerability in the TR action of Rapid7 InsightConnect Translate Plugin on Linux allows remote attackers to execute arbitrary OS commands via the text or expression parameters due to insufficient input sanitization in shell command construction.
Title         -                OS Command Injection in Rapid7 InsightConnect Translate Plugin
Weaknesses    -                CWE-78
References    -                -
Metrics       -                cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: rapid7

Published:

Updated: 2026-06-25T01:12:00.562Z

Reserved: 2026-05-15T06:29:10.878Z

Link: CVE-2026-8665

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T02:30:15Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')