← Back

CVE-2026-4837

nvd nist
Published: Apr 8, 2026Modified: Jun 2, 2026

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 / Impact: 5.9
Source: NVD

Description

An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is unlikely that the eval() function could be exploited remotely without prior, highly privileged access to the backend platform.

Affected (1)

Rapid7
1 product
Insight Agent
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Insight Agent
Before 4.1.0.2

Related CWEs

CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

References (1)

Source: cve@rapid7.com
Release Notes

Timeline

No history available yet.