PT-2026-52661 · Rapid7 · Insightconnect Markdown Plugin
Published: 2026-06-26 · Updated: 2026-06-26 · CVE-2026-8661
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Server-Side Cross-Site Scripting and Server-Side Request Forgery vulnerability in the markdown to pdf action of Rapid7 InsightConnect Markdown Plugin version 3.1.4 and earlier on Linux allows remote attackers to execute JavaScript server-side and make arbitrary outbound HTTP requests via crafted content embedded in Markdown input. The PDF rendering engine does not restrict script execution or outbound network access.
Fix
SSRF
XSS
Related identifiers
Affected products
Insightconnect Markdown Plugin