CVE-2026-8664
MediumCVSS 6.0Exploitation Probability (EPSS)
Low risk50th percentile — higher than 50% of all known CVEs
Summary
The Finger plugin for Rapid7 InsightConnect on Linux contains an OS Command Injection vulnerability. An authenticated attacker can execute arbitrary OS commands via the user or host parameters due to insufficient input validation in shell command construction.
Risk Assessment
The risk for the organization includes potential system compromise by an authenticated attacker, leading to data theft, configuration changes, or lateral movement within the network.
Recommendation
Immediately update the Finger plugin to the latest version provided by the vendor and implement input validation mechanisms for the user and host parameters.
Original NVD description (English source)
OS Command Injection vulnerability in Rapid7 InsightConnect Finger Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the user or host parameters due to insufficient input validation in shell command construction.

