CVE-2026-8662 PUBLISHED

Path Traversal in Rapid7 InsightConnect Compression Plugin

Assigner: rapid7
Reserved: 15.05.2026 Published: 25.06.2026 Updated: 25.06.2026

Path Traversal vulnerability in the create_archive function of Rapid7 InsightConnect Compression Plugin on Linux allows authenticated attackers to write to unintended file paths via crafted filename input. The impact is limited to file corruption as content cannot be controlled by the attacker.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 3.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	High	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Rapid7
Product	InsightConnect Compression Plugin
Versions	Default: unaffected affected from 0 to 2.0.3 (excl.) Version 2.0.3 is unaffected

Credits

Jacob Steadman, Rapid7 finder
Jed Starr, Rapid7 finder

References

https://extensions.rapid7.com/extension/compression

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE

Impacts

Arbitrary File Overwrite (with garbage data)