CVE-2026-9154 | THREATINT

Description

Arbitrary File Write vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to write attacker-controlled content to arbitrary file paths via the expression parameter.

PUBLISHED Reserved 2026-05-21 | Published 2026-06-25 | Updated 2026-06-25 | Assigner rapid7

HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

unaffected

Any version before 2.0.5

affected

2.0.5 (custom)

unaffected

Credits

Sebastián Alba Vives (@Sebasteuo / 0xs4bbi), Independent security researcher, Costa Rica finder

References

extensions.rapid7.com/extension/sed vendor-advisory

cve.org (CVE-2026-9154)

nvd.nist.gov (CVE-2026-9154)

Download JSON