Server-Side Cross-Site Scripting and Request Forgery in Rapid7 InsightConnect Markdown Plugin
CVE-2026-8661

4.8 MEDIUM

Key Information:

Vendor: Rapid7

CVE Published: 26 June 2026

What is CVE-2026-8661?

The Rapid7 InsightConnect Markdown Plugin is susceptible to server-side cross-site scripting and server-side request forgery because of improper handling of Markdown input. An attacker can supply crafted Markdown content that may execute JavaScript on the server or cause the server to issue unwanted outbound HTTP requests. The issue lies in the plugin's markdown_to_pdf action and poses a significant risk in environments where Markdown input is rendered without adequate sanitization. Users are advised to apply the available patches to mitigate potential attacks.
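The defensive control the advisory points at is sanitizing Markdown before it reaches a renderer that can execute script or fetch remote resources. The following Python pre-filter is an added illustration, not code from the plugin or from Rapid7: it strips raw HTML (the usual carrier for server-side script execution in HTML-to-PDF pipelines) and neutralises links and images whose targets are not HTTPS, are not on an assumed host allowlist, or point at literal non-global addresses such as loopback, RFC 1918 or link-local ranges (the classic SSRF targets). The allowlist, the regular expressions and the assumption that the renderer follows link and image URLs are all hypothetical; the sample Markdown is constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts a PDF renderer may fetch from (assumption, not from the advisory).
ALLOWED_HOSTS = {"example.com", "docs.example.com"}
ALLOWED_SCHEMES = {"https"}

# Any inline HTML is removed outright; this also drops <https://...> autolinks, which is acceptable
# for a renderer that should never fetch on the author's behalf without a vetted target.
HTML_TAG_RE = re.compile(r"<[^>]+>", re.DOTALL)
# Markdown images ![alt](url) and links [text](url); an optional "title" after the url is ignored.
MD_LINK_RE = re.compile(r"(!?)\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+\"[^\"]*\")?\s*\)")


def url_is_safe(url: str) -> bool:
    """Return True only for https URLs whose host is on the allowlist and is not a literal
    address in a private, loopback or link-local range (the typical SSRF destinations)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects http:, file:, javascript:, gopher: and scheme-less targets
    host = (parsed.hostname or "").lower()
    if not host or host == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name rather than a literal address
    if ip is not None and not ip.is_global:
        return False  # 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ::1, fe80::/10, ...
    return host in ALLOWED_HOSTS


def sanitize_markdown(md: str) -> tuple[str, list[str]]:
    """Strip raw HTML and drop link/image targets that fail url_is_safe().
    Returns (cleaned_markdown, findings) so the caller can log what was removed."""
    findings: list[str] = []

    def drop_html(match: re.Match) -> str:
        findings.append(f"removed HTML: {match.group(0)[:40]}")
        return ""

    cleaned = HTML_TAG_RE.sub(drop_html, md)

    def check_link(match: re.Match) -> str:
        bang, text, url = match.group(1), match.group(2), match.group(3)
        if url_is_safe(url):
            return match.group(0)
        findings.append(f"blocked {'image' if bang else 'link'} target: {url}")
        return text  # keep the visible text, discard the fetchable target

    cleaned = MD_LINK_RE.sub(check_link, cleaned)
    return cleaned, findings


if __name__ == "__main__":
    # Constructed sample input: a script tag, an image pointing at a link-local address,
    # and one legitimate link on the allowlisted host.
    sample = (
        "# Report\n"
        "<script>alert(1)</script>\n"
        "![m](http://169.254.169.254/latest/meta-data/)\n"
        "[guide](https://docs.example.com/guide)\n"
    )
    out, notes = sanitize_markdown(sample)
    print(out)
    for note in notes:
        print("finding:", note)
```

Run the filter on the Markdown before it is handed to the PDF renderer and log the returned findings; in a detection context, a non-empty findings list on an automated workflow input is itself a signal worth alerting on.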

Affected Version(s)

InsightConnect Markdown Plugin (Linux): all versions before 4.0.0

InsightConnect Markdown Plugin (Linux): 4.0.0

References

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Jacob Steadman, Rapid7
Jed Starr, Rapid7