CVE-2026-8795

Name: CVE-2026-8795
Creator: NVD / NIST
Published: 2026-06-09T01:16:47.47+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10EPSS 0.15%

Last modified Jun 17, 2026

This CVE is reserved or awaiting analysis. Details will appear once published by NVD.

Description

A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed).

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.15%

4.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

References

https://docs.velociraptor.app/announcements/advisories/cve-2026-8795/

Timeline

Published: Jun 9, 2026
Last Modified: Jun 17, 2026
Status: Awaiting Analysis

Are you affected by CVE-2026-8795?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST