Vendor CVEs
Rapid7
All CVEs
101 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17411 | Cri | 0.74 | 9.8 | 0.88 | Dec 21, 2017 | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper… | ||
| CVE-2016-7547 | Cri | 0.74 | 9.8 | 0.93 | Apr 12, 2017 | A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface. | ||
| CVE-2017-13696 | Cri | 0.73 | 9.8 | 0.80 | Jan 24, 2018 | A buffer overflow vulnerability lies in the web server component of Dup Scout Enterprise 9.9.14, Disk Savvy Enterprise 9.9.14, Sync Breeze Enterprise 9.9.16, and Disk Pulse Enterprise 9.9.16 where an attacker can craft a malicious GET request and exploit the web server… | ||
| CVE-2017-17560 | Cri | 0.73 | 9.8 | 0.73 | Dec 12, 2017 | An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on… | ||
| CVE-2022-3365 | Cri | 0.67 | 9.8 | 0.02 | Jan 28, 2025 | Due to reliance on a trivial substitution cipher, sent in cleartext, and the reliance on a default password when the user does not set a password, the Remote Mouse Server by Emote Interactive can be abused by attackers to inject OS commands over theproduct's custom control… | ||
| CVE-2025-2611 | Cri | 0.64 | — | 0.06 | Aug 5, 2025 | The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions… | ||
| CVE-2026-1568 | Cri | 0.62 | 9.6 | 0.00 | Feb 3, 2026 | Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full… | ||
| CVE-2017-5264 | Hig | 0.60 | 8.8 | 0.03 | Dec 14, 2017 | Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack. | ||
| CVE-2017-17692 | Hig | 0.58 | 7.5 | 0.79 | Dec 21, 2017 | Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that redirects to a child tab and rewrites the innerHTML property. | ||
| CVE-2024-10526 | Hig | 0.56 | — | 0.00 | Nov 7, 2024 | Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control… | ||
| CVE-2026-7373 | Hig | 0.55 | — | 0.00 | May 15, 2026 | Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started the metasploitPostgreSQL service would start the postgres.exe child process which would in turn load an OpenSSL… | ||
| CVE-2017-5243 | Hig | 0.55 | 8.5 | 0.01 | Jun 6, 2017 | The default SSH configuration in Rapid7 Nexpose hardware appliances shipped before June 2017 does not specify desired algorithms for key exchange and other important functions. As a result, it falls back to allowing ALL algorithms supported by the relevant version of OpenSSH and… | ||
| CVE-2026-6290 | Hig | 0.52 | 8.0 | 0.00 | Apr 15, 2026 | Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries… | ||
| CVE-2026-6482 | Hig | 0.51 | 7.8 | 0.00 | Apr 17, 2026 | The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that… | ||
| CVE-2024-0394 | Hig | 0.51 | 7.8 | 0.00 | Apr 3, 2024 | Rapid7 Minerva Armor versions below 4.5.5 suffer from a privilege escalation vulnerability whereby an authenticated attacker can elevate privileges and execute arbitrary code with SYSTEM privilege. The vulnerability is caused by the product's implementation of… | ||
| CVE-2017-5236 | Hig | 0.51 | 7.8 | 0.01 | May 3, 2017 | Editions of Rapid7 AppSpider Pro installers prior to version 6.14.060 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. | ||
| CVE-2017-5235 | Hig | 0.51 | 7.8 | 0.01 | Mar 2, 2017 | Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. | ||
| CVE-2017-5234 | Hig | 0.51 | 7.8 | 0.01 | Mar 2, 2017 | Rapid7 Insight Collector installers prior to version 1.0.16 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. | ||
| CVE-2017-5233 | Hig | 0.51 | 7.8 | 0.01 | Mar 2, 2017 | Rapid7 AppSpider Pro installers prior to version 6.14.053 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. | ||
| CVE-2017-5232 | Hig | 0.51 | 7.8 | 0.01 | Mar 2, 2017 | All editions of Rapid7 Nexpose installers prior to version 6.4.24 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer. | ||
| CVE-2017-5240 | Hig | 0.49 | 7.5 | 0.01 | May 3, 2017 | Editions of Rapid7 AppSpider Pro prior to version 6.14.060 contain a heap-based buffer overflow in the FLAnalyzer.exe component. A malicious or malformed Flash source file can cause a denial of service condition when parsed by this component, causing the application to crash. | ||
| CVE-2026-5329 | Hig | 0.48 | 8.5 | 0.00 | Apr 9, 2026 | Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a… | ||
| CVE-2017-5230 | Hig | 0.47 | 7.2 | 0.01 | Mar 2, 2017 | The Java keystore in all versions and editions of Rapid7 Nexpose prior to 6.4.50 is encrypted with a static password of 'r@p1d7k3y5t0r3' which is not modifiable by the user. The keystore provides storage for saved scan credentials in an otherwise secure location on disk. | ||
| CVE-2017-5231 | Hig | 0.46 | 7.1 | 0.01 | Mar 2, 2017 | All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterpreter stdapi CommandDispatcher.cmd_download() function. By using a specially-crafted build of Meterpreter, it is possible to write to an arbitrary… | ||
| CVE-2017-5229 | Hig | 0.46 | 7.1 | 0.01 | Mar 2, 2017 | All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterpreter extapi Clipboard.parse_dump() function. By using a specially-crafted build of Meterpreter, it is possible to write to an arbitrary directory on the… | ||
| CVE-2017-5228 | Hig | 0.46 | 7.1 | 0.01 | Mar 2, 2017 | All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterpreter stdapi Dir.download() function. By using a specially-crafted build of Meterpreter, it is possible to write to an arbitrary directory on the… | ||
| CVE-2017-15084 | Med | 0.45 | 6.5 | 0.01 | Oct 6, 2017 | The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout CSRF, aka R7-2017-22. | ||
| CVE-2026-8795 | Hig | 0.44 | 7.8 | 0.00 | Jun 9, 2026 | A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker… | ||
| CVE-2026-1814 | Med | 0.44 | — | 0.00 | Feb 3, 2026 | Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12… | ||
| CVE-2024-3185 | Med | 0.44 | 6.8 | 0.00 | Apr 23, 2024 | A key used in logging.json does not follow the least privilege principle by default and is exposed to local users in the Rapid7 Platform. This allows an attacker with local access to a machine with the logging.json file to use that key to authenticate to the platform with high… | ||
| CVE-2026-4837 | Med | 0.43 | 6.6 | 0.00 | Apr 8, 2026 | An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the… | ||
| CVE-2026-4482 | Med | 0.36 | 5.5 | 0.00 | Apr 10, 2026 | The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users have read and execute access). For the client.key file in particular, this could potentially lead to exploits, as this exposes agent… | ||
| CVE-2016-9757 | Med | 0.35 | 5.4 | 0.01 | Dec 20, 2016 | In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose… | ||
| CVE-2024-11401 | Med | 0.34 | — | 0.00 | Dec 11, 2024 | Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API… | ||
| CVE-2026-7573 | Med | 0.33 | 5.0 | 0.00 | May 6, 2026 | An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying… | ||
| CVE-2026-7572 | Med | 0.29 | 4.4 | 0.00 | May 6, 2026 | An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx… | ||
| CVE-2017-5244 | Low | 0.23 | 3.5 | 0.01 | Jun 15, 2017 | Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running… | ||
| CVE-2020-7350 | 0.08 | — | 0.05 | Apr 22, 2020 | Rapid7 Metasploit Framework versions before 5.0.85 suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer's hostname or service name. An attacker can create a specially-crafted hostname or… | |||
| CVE-2019-5645 | 0.06 | — | 0.42 | Sep 1, 2020 | By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a… | |||
| CVE-2020-7384 | 0.05 | — | 0.31 | Oct 29, 2020 | Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine. | |||
| CVE-2012-6493 | 0.03 | — | 0.02 | Feb 4, 2014 | Cross-site request forgery (CSRF) vulnerability in Rapid7 Nexpose Security Console before 5.5.4 allows remote attackers to hijack the authentication of unspecified victims for requests that delete scan data and sites via a request to data/site/delete. | |||
| CVE-2026-9153 | 0.00 | — | 0.00 | Jun 25, 2026 | Arbitrary File Read vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to read arbitrary files via the expression parameter due to insufficient input validation. | |||
| CVE-2026-9154 | 0.00 | — | 0.00 | Jun 25, 2026 | Arbitrary File Write vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to write attacker-controlled content to arbitrary file paths via the expression parameter. | |||
| CVE-2026-9155 | 0.00 | — | 0.01 | Jun 25, 2026 | OS Command Injection vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the expression parameter due to insufficient input validation. | |||
| CVE-2026-8659 | 0.00 | — | 0.01 | Jun 25, 2026 | OS Command Injection vulnerability in Rapid7 InsightConnect SQLmap Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the api_host or api_port parameters during connection configuration due to insufficient input validation. | |||
| CVE-2026-8663 | 0.00 | — | 0.01 | Jun 24, 2026 | OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction. | |||
| CVE-2025-14728 | 0.00 | — | 0.00 | Dec 29, 2025 | Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue… | |||
| CVE-2025-11195 | 0.00 | — | 0.00 | Sep 30, 2025 | Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name validation vulnerability, whereby an attacker can change the project name directly in the configuration file to a name that already exists. This issue stems from a lack of effective verification of the… | |||
| CVE-2025-36857 | 0.00 | — | 0.00 | Sep 25, 2025 | Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to other users or projects. Affected versions allow standard… | |||
| CVE-2025-6264 | 0.00 | — | 0.01 | Jun 20, 2025 | Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions… |
- risk 0.74cvss 9.8epss 0.88
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper…
- risk 0.74cvss 9.8epss 0.93
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface.
- risk 0.73cvss 9.8epss 0.80
A buffer overflow vulnerability lies in the web server component of Dup Scout Enterprise 9.9.14, Disk Savvy Enterprise 9.9.14, Sync Breeze Enterprise 9.9.16, and Disk Pulse Enterprise 9.9.16 where an attacker can craft a malicious GET request and exploit the web server…
- risk 0.73cvss 9.8epss 0.73
An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on…
- risk 0.67cvss 9.8epss 0.02
Due to reliance on a trivial substitution cipher, sent in cleartext, and the reliance on a default password when the user does not set a password, the Remote Mouse Server by Emote Interactive can be abused by attackers to inject OS commands over theproduct's custom control…
- risk 0.64cvss —epss 0.06
The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions…
- risk 0.62cvss 9.6epss 0.00
Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full…
- risk 0.60cvss 8.8epss 0.03
Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.
- risk 0.58cvss 7.5epss 0.79
Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that redirects to a child tab and rewrites the innerHTML property.
- risk 0.56cvss —epss 0.00
Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control…
- risk 0.55cvss —epss 0.00
Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started the metasploitPostgreSQL service would start the postgres.exe child process which would in turn load an OpenSSL…
- risk 0.55cvss 8.5epss 0.01
The default SSH configuration in Rapid7 Nexpose hardware appliances shipped before June 2017 does not specify desired algorithms for key exchange and other important functions. As a result, it falls back to allowing ALL algorithms supported by the relevant version of OpenSSH and…
- risk 0.52cvss 8.0epss 0.00
Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries…
- risk 0.51cvss 7.8epss 0.00
The Rapid7 Insight Agent (versions > 4.1.0.2) is vulnerable to a local privilege escalation attack that allows users to gain SYSTEM level control of a Windows host. Upon startup the agent service attempts to load an OpenSSL configuration file from a non-existent directory that…
- risk 0.51cvss 7.8epss 0.00
Rapid7 Minerva Armor versions below 4.5.5 suffer from a privilege escalation vulnerability whereby an authenticated attacker can elevate privileges and execute arbitrary code with SYSTEM privilege. The vulnerability is caused by the product's implementation of…
- risk 0.51cvss 7.8epss 0.01
Editions of Rapid7 AppSpider Pro installers prior to version 6.14.060 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer.
- risk 0.51cvss 7.8epss 0.01
Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer.
- risk 0.51cvss 7.8epss 0.01
Rapid7 Insight Collector installers prior to version 1.0.16 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer.
- risk 0.51cvss 7.8epss 0.01
Rapid7 AppSpider Pro installers prior to version 6.14.053 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer.
- risk 0.51cvss 7.8epss 0.01
All editions of Rapid7 Nexpose installers prior to version 6.4.24 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer.
- risk 0.49cvss 7.5epss 0.01
Editions of Rapid7 AppSpider Pro prior to version 6.14.060 contain a heap-based buffer overflow in the FLAnalyzer.exe component. A malicious or malformed Flash source file can cause a denial of service condition when parsed by this component, causing the application to crash.
- risk 0.48cvss 8.5epss 0.00
Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a…
- risk 0.47cvss 7.2epss 0.01
The Java keystore in all versions and editions of Rapid7 Nexpose prior to 6.4.50 is encrypted with a static password of 'r@p1d7k3y5t0r3' which is not modifiable by the user. The keystore provides storage for saved scan credentials in an otherwise secure location on disk.
- risk 0.46cvss 7.1epss 0.01
All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterpreter stdapi CommandDispatcher.cmd_download() function. By using a specially-crafted build of Meterpreter, it is possible to write to an arbitrary…
- risk 0.46cvss 7.1epss 0.01
All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterpreter extapi Clipboard.parse_dump() function. By using a specially-crafted build of Meterpreter, it is possible to write to an arbitrary directory on the…
- risk 0.46cvss 7.1epss 0.01
All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 contain a directory traversal vulnerability in the Meterpreter stdapi Dir.download() function. By using a specially-crafted build of Meterpreter, it is possible to write to an arbitrary directory on the…
- risk 0.45cvss 6.5epss 0.01
The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout CSRF, aka R7-2017-22.
- risk 0.44cvss 7.8epss 0.00
A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker…
- risk 0.44cvss —epss 0.00
Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12…
- risk 0.44cvss 6.8epss 0.00
A key used in logging.json does not follow the least privilege principle by default and is exposed to local users in the Rapid7 Platform. This allows an attacker with local access to a machine with the logging.json file to use that key to authenticate to the platform with high…
- risk 0.43cvss 6.6epss 0.00
An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the…
- risk 0.36cvss 5.5epss 0.00
The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users have read and execute access). For the client.key file in particular, this could potentially lead to exploits, as this exposes agent…
- risk 0.35cvss 5.4epss 0.01
In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose…
- risk 0.34cvss —epss 0.00
Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API…
- risk 0.33cvss 5.0epss 0.00
An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying…
- risk 0.29cvss 4.4epss 0.00
An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx…
- risk 0.23cvss 3.5epss 0.01
Routes used to stop running Metasploit tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running…
- CVE-2020-7350Apr 22, 2020risk 0.08cvss —epss 0.05
Rapid7 Metasploit Framework versions before 5.0.85 suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a remote computer's hostname or service name. An attacker can create a specially-crafted hostname or…
- CVE-2019-5645Sep 1, 2020risk 0.06cvss —epss 0.42
By sending a specially crafted HTTP GET request to a listening Rapid7 Metasploit HTTP handler, an attacker can register an arbitrary regular expression. When evaluated, this malicious handler can either prevent new HTTP handler sessions from being established, or cause a…
- CVE-2020-7384Oct 29, 2020risk 0.05cvss —epss 0.31
Rapid7's Metasploit msfvenom framework handles APK files in a way that allows for a malicious user to craft and publish a file that would execute arbitrary commands on a victim's machine.
- CVE-2012-6493Feb 4, 2014risk 0.03cvss —epss 0.02
Cross-site request forgery (CSRF) vulnerability in Rapid7 Nexpose Security Console before 5.5.4 allows remote attackers to hijack the authentication of unspecified victims for requests that delete scan data and sites via a request to data/site/delete.
- CVE-2026-9153Jun 25, 2026risk 0.00cvss —epss 0.00
Arbitrary File Read vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to read arbitrary files via the expression parameter due to insufficient input validation.
- CVE-2026-9154Jun 25, 2026risk 0.00cvss —epss 0.00
Arbitrary File Write vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to write attacker-controlled content to arbitrary file paths via the expression parameter.
- CVE-2026-9155Jun 25, 2026risk 0.00cvss —epss 0.01
OS Command Injection vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the expression parameter due to insufficient input validation.
- CVE-2026-8659Jun 25, 2026risk 0.00cvss —epss 0.01
OS Command Injection vulnerability in Rapid7 InsightConnect SQLmap Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the api_host or api_port parameters during connection configuration due to insufficient input validation.
- CVE-2026-8663Jun 24, 2026risk 0.00cvss —epss 0.01
OS Command Injection vulnerability in Rapid7 InsightConnect RPM Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the repo, key, or name parameters due to insufficient input sanitization in shell command construction.
- CVE-2025-14728Dec 29, 2025risk 0.00cvss —epss 0.00
Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written outside the datastore directory. Velociraptor is normally only allowed to write in the datastore directory. The issue…
- CVE-2025-11195Sep 30, 2025risk 0.00cvss —epss 0.00
Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name validation vulnerability, whereby an attacker can change the project name directly in the configuration file to a name that already exists. This issue stems from a lack of effective verification of the…
- CVE-2025-36857Sep 25, 2025risk 0.00cvss —epss 0.00
Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to other users or projects. Affected versions allow standard…
- CVE-2025-6264Jun 20, 2025risk 0.00cvss —epss 0.01
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifact, Velociraptor allows for those to require high permissions…
Page 1 of 3