CVE-2026-8795

HIGH 7.8

CVSS Score

7.8

EPSS Score

0.0%

EPSS Percentile

6th

A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).

CWE	CWE-74 CWE-94 CWE-116
Vendor	rapid7
Product	velociraptor
Published	Jun 9, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for rapid7 velociraptor

Be the first to know when new high vulnerabilities affecting rapid7 velociraptor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Rapid7 / Velociraptor

0 < 0.76.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.velociraptor.app: https://docs.velociraptor.app/announcements/advisories/cve-2026-8795/

Credits

Artificial Intelligence