OS Command Injection in Rapid7 InsightConnect Finger Plugin for Linux
CVE-2026-8664

6 MEDIUM

Key Information:

Vendor: Rapid7
CVE Published: 25 June 2026

What is CVE-2026-8664?

An OS Command Injection vulnerability exists in the Rapid7 InsightConnect Finger Plugin on Linux. Authenticated attackers can exploit this weakness to execute arbitrary operating system commands by manipulating the user or host parameters. The flaw arises due to inadequate input validation during the construction of shell commands, leading to possible unauthorized control over the system.
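One way to handle the user and host parameters so that no shell ever parses them, as an added example (this is not Rapid7's plugin code or its fix). The function names, the allow-list patterns and the use of Python are assumptions made for illustration.

```python
import re
import subprocess

# Assumed allow-lists (not taken from the plugin): conservative login-name and
# hostname grammars that contain no whitespace or shell metacharacters.
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")
HOST_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_user(user):
    # fullmatch() rejects trailing newlines that "$" would let through.
    # The first character cannot be "-", so the value is never read as a flag.
    if not isinstance(user, str) or not USER_RE.fullmatch(user):
        raise ValueError("invalid user")
    return user


def validate_host(host):
    if not isinstance(host, str) or not 0 < len(host) <= 253:
        raise ValueError("invalid host")
    # Every dot-separated label must be non-empty and match the label grammar.
    if not all(HOST_LABEL_RE.fullmatch(label) for label in host.split(".")):
        raise ValueError("invalid host")
    return host


def build_finger_argv(user, host):
    """Return an argv list for finger; the inputs stay a single argument."""
    return ["finger", f"{validate_user(user)}@{validate_host(host)}"]


def run_finger(user, host, timeout=10):
    # Risky pattern this replaces: interpolating user/host into one command
    # string and running it with shell=True, where ";" or "$(...)" in either
    # value would be interpreted by the shell.
    proc = subprocess.run(
        build_finger_argv(user, host),
        shell=False,            # argv goes straight to exec, no shell parsing
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return proc.stdout
```

Validation and the argv list are independent layers: the list form alone removes shell interpretation, and the allow-lists additionally stop values from being read as options or malformed targets.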

Affected Version(s)

InsightConnect Finger Plugin Linux 0 < 1.0.3

InsightConnect Finger Plugin Linux 1.0.3

CVSS V3.1

Score: 6
Severity: MEDIUM
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jacob Steadman, Rapid7
Jed Starr, Rapid7