CVE-2026-4837
6.6 MEDIUM
Published: 2026-04-08 · Last updated: 2026-06-02
Severity and scoring
- CVSS: 6.6 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-95 (Eval Injection)
Affected products
| Vendor | Product |
|---|---|
| rapid7 | insight_agent |
Description
An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() function could be exploited remotely without prior, highly privileged access to the backend platform.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-7573 — An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authent... (5.0 MEDIUM)
- CVE-2026-7572 — An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 ... (4.4 MEDIUM)
- CVE-2026-4482 — The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users... (5.5 MEDIUM)
Same CWE
- CVE-2026-52858 — Vim is an open source, command line text editor (7.8 HIGH)
- CVE-2026-47167 — Vim is an open source, command line text editor (5.3 MEDIUM)
- CVE-2026-11422 — Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline t... (7.1 HIGH)
- CVE-2026-50733 — Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary... (8.8 HIGH)
- CVE-2026-8914 — In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to ...