CVE-2026-8795
HIGH EPSS 4.4%
Published Jun 9, 20263w ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
Published Jun 9, 2026 3w ago
Last Modified Jun 17, 2026 2w ago
Description
A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
4.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 3
CWE-116
CWE-74
CWE-94 Improper Control of Generation of Code (Code Injection) Injection
References 1
- docs.velociraptor.app https://docs.velociraptor.app/announcements/advisories/cve-2026-8795/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.