PT-2026-52661 · Rapid7 · Insightconnect Markdown Plugin

Published: 2026-06-26 · Updated: 2026-06-26 · CVE-2026-8661

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Rapid7 InsightConnect Markdown Plugin versions prior to 3.1.5

Description

Server-Side Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) exist in the markdown to pdf action. These issues occur because the PDF rendering engine fails to restrict script execution and outbound network access, allowing remote attackers to execute JavaScript on the server and initiate arbitrary outbound HTTP requests through specially crafted content embedded in Markdown input.

Recommendations

Update Rapid7 InsightConnect Markdown Plugin to version 3.1.5 or later. As a temporary mitigation, restrict the use of the markdown to pdf action.
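
A defense-in-depth filter for the HTML that Markdown conversion produces, applied before that HTML reaches a PDF renderer. This is an added example, not Rapid7's code or the fix shipped in 3.1.5; it assumes Markdown is converted to HTML before rendering, and `RenderSafeFilter`, `make_render_safe` and the sample input are hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# Tags Markdown output needs; every other tag and attribute is dropped (allow-list).
ALLOWED = {"h1", "h2", "h3", "p", "br", "em", "strong", "code", "pre", "ul", "ol", "li", "a", "img"}
VOID = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # inner text dropped too

class RenderSafeFilter(HTMLParser):  # hypothetical name, not the plugin's code
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self._skip = [], [], 0

    def _attr_ok(self, tag, name, value):
        if tag == "a" and name == "href":  # assumes links are not fetched at render time
            return value.lower().startswith(("http://", "https://"))
        if tag == "img" and name == "src":  # inline raster data only: nothing to fetch
            return value.lower().startswith(("data:image/png;", "data:image/jpeg;"))
        return name in ("alt", "title")  # drops on* handlers, style, srcset, ...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        if self._skip or tag not in ALLOWED:
            self.removed.append(f"<{tag}>")
            return
        attrs = [(n, (v or "").strip()) for n, v in attrs]
        bad = [n for n, v in attrs if not self._attr_ok(tag, n, v)]
        self.removed += [f"{tag}[{n}]" for n in bad]
        kept = "".join(f' {n}="{escape(v)}"' for n, v in attrs if n not in bad)
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT and self._skip:
            self._skip -= 1
        elif not self._skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def make_render_safe(html):
    flt = RenderSafeFilter()
    flt.feed(html)
    flt.close()  # flush text buffered after the last tag
    return "".join(flt.out), flt.removed

# Constructed sample, not taken from the advisory.
SAMPLE = '<h1>Report</h1><script>1</script><img src="http://host.invalid/x.png" onerror="x()">'
```

Filtering the input complements, and does not replace, disabling script execution and outbound network access in the renderer itself.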

Fix

SSRF

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-8661

Affected Products

Insightconnect Markdown Plugin