CVE Catalog

CVE-2026-8795

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.02%

6th percentile - higher than 6% of all known CVEs

Summary

CVE-2026-8795 describes a YAML injection vulnerability in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template without proper escaping.

Risk Assessment

An attacker can exploit this vulnerability to inject arbitrary VQL code, leading to unauthorized actions being executed on the analyst's machine with full permissions.

Recommendation

It is recommended to update Rapid7 Velociraptor to version 0.76.6 or later to mitigate this vulnerability.

Original NVD description (English source)

A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS