Description
OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction.
Severity (CVSS)
| Base score | 6 |
|---|---|
| Severity | Medium |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L |
| Provided by | CNA |
Weaknesses
- CWE-78 — CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Rapid7 | InsightConnect RPM Plugin | 0 to <1.0.2; 1.0.2 |
References
- https://extensions.rapid7.com/extension/rpm (vendor-advisory)
Generated from the official CVE List on 25 Jun 2026 10:14 UTC.