
78 matches found

Rapid7 Blog
added 2026/02/09 7:0 p.m. | 8 views

Vulnerability Found in InsightVM & Nexpose: CVE-2026-1814 (FIXED)

We are grateful to the research team at Atredis for sharing their findings around a vulnerability CVE-2026-1814 impacting our vulnerability management offerings InsightVM and Nexpose. We have identified a fix that addresses this vulnerability and will be delivered via a Security Console product...

6.8 CVSS | 5.6 AI score | 0.00006 EPSS
Exploits: 0

NVD
added 2026/02/03 5:15 p.m. | 5 views

CVE-2026-1568

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts set up via "Security Console" installations, resulting in full account takeover. The...

9.6 CVSS | 0.00021 EPSS
Exploits: 0 | References: 1

EUVD
added 2026/02/03 4:47 p.m. | 3 views

EUVD-2026-5244

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts set up via "Security Console" installations, resulting in full account takeover. The...

9.6 CVSS | 5.4 AI score | 0.00021 EPSS
Exploits: 0 | References: 1

Positive Technologies
added 2026/02/03 12:0 a.m. | 4 views

PT-2026-6046

Name of the Vulnerable Software and Affected Versions: Rapid7 InsightVM versions prior to 8.34.0. Description: Rapid7 InsightVM installations utilizing the "Security Console" setup are susceptible to a signature verification flaw on the Assertion Consumer Service (ACS) cloud endpoint. This issue allow...

9.6 CVSS | 5.5 AI score | 0.00021 EPSS
Exploits: 0 | References: 6

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2019-15205

Malware in sbrugna...

8.8 CVSS | 7.4 AI score | 0.01102 EPSS
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2021-18743

Malware in sbrugna...

5.5 CVSS | 5.6 AI score | 0.00117 EPSS
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2019-8321

Malware in sbrugna...

4.8 CVSS | 5.1 AI score | 0.00248 EPSS
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2020-26528

Malware in sbrugna...

4.8 CVSS | 5.2 AI score | 0.00289 EPSS
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2012-2272

Malware in sbrugna...

6.4 CVSS | 6.4 AI score | 0.00662 EPSS
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2020-26521

Malware in sbrugna...

4.8 CVSS | 5.1 AI score | 0.00234 EPSS
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2012-2271

Malware in sbrugna...

4.3 CVSS | 6.4 AI score | 0.00202 EPSS
Exploits: 0 | References: 2

RedhatCVE
added 2025/05/22 8:43 a.m. | 8 views

CVE-2019-5630

A Cross-Site Request Forgery (CSRF) vulnerability was found in Rapid7 Nexpose InsightVM Security Console versions 6.5.0 through 6.5.68. This issue allows attackers to exploit CSRF vulnerabilities on API endpoints using Flash to circumvent a cross-domain pre-flight OPTIONS request...

8.8 CVSS | 7.4 AI score | 0.01102 EPSS
Exploits: 0 | References: 1

Exploit DB
added 2024/04/02 12:0 a.m. | 233 views

Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path

Exploit Title: Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path; Date: 2024-04-2; Exploit Author: Saud Alenazi; Vendor Homepage: https://www.rapid7.com/; Software Link: https://www.rapid7.com/products/nexpose/; Version: 6.6.240; Tested: Windows 10 x64; Step to discover Unquoted Service Path:...

7.4 AI score
Exploits: 0

Cvelist
added 2021/08/19 3:25 p.m. | 12 views

CVE-2021-31868 Rapid7 Nexpose Security Console Ticket Access Authentication Vulnerability

Rapid7 Nexpose version 6.6.95 and earlier allows authenticated users of the Security Console to view and edit any ticket in the legacy ticketing feature, regardless of the assignment of the ticket. This issue was resolved in version 6.6.96, released on August 4, 2021...

4.3 CVSS | 5.6 AI score | 0.00117 EPSS
Exploits: 0 | References: 1

NVD
added 2021/06/16 2:15 a.m. | 9 views

CVE-2021-3535

Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search fiel...

6.1 CVSS | 0.00226 EPSS
Exploits: 0 | References: 1

Prion
added 2021/06/16 2:15 a.m. | 13 views

Cross site scripting

Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search fiel...

4.3 CVSS | 5.9 AI score | 0.00226 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2021/06/16 1:40 a.m. | 67 views

CVE-2021-3535

Rapid7 Nexpose Security Console is affected by a non-persistent Cross‑Site Scripting (XSS) vulnerability in the Filtered Asset Search feature. A specific combination of search criteria and operators could allow code to be passed through the search field. Affected versions are 6.6.80 and earlier; ...

6.1 CVSS | 5.9 AI score | 0.00226 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2021/06/16 1:40 a.m. | 13 views

CVE-2021-3535

Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search fiel...

4.3 CVSS | 6.2 AI score | 0.00226 EPSS
Exploits: 0 | References: 1

Rapid7 Blog
added 2020/10/15 2:58 p.m. | 35 views

Fewer False Alarms, Faster Reporting: InsightVM Introduces New One-Click Fix For False Positives

Let’s talk about false positives. They’re frustrating and faulty, but also about as certain as death and taxes for anyone working in IT security. The good news? We’ve added even more ways to reduce the noise they cause. According to Forrester Consulting’s 2019 study, customers have experienced a...

7 AI score
Exploits: 0

OSV
added 2020/09/03 2:15 p.m. | 0 views

CVE-2020-7381

In Rapid7 Nexpose installer versions prior to 6.6.40, the Nexpose installer calls an executable which can be placed in the appropriate directory by an attacker with access to the local machine. This would prevent the installer from distinguishing between a valid executable called during a Securit...

7.8 CVSS | 7.2 AI score
Exploits: 0 | References: 1