Rapid7 Velociraptor
19 CVEs affecting Rapid7 Velociraptor. Latest disclosed: 2026-05-06. Critical: 0, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-5950 | High | 8.6 | 2023-11-06 | Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into… |
| CVE-2026-5329 | High | 8.5 | 2026-04-09 | Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor se… |
| CVE-2026-6290 | High | 8.0 | 2026-04-15 | Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This all… |
| CVE-2026-6863 | Medium | 6.8 | 2026-05-06 | Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organizat… |
| CVE-2025-14728 | Medium | 6.8 | 2025-12-29 | Rapid7 Velociraptor versions before 0.75.6 contain a directory traversal issue on Linux servers that allows a rogue client to upload a file which is written ou… |
| CVE-2025-6264 | Medium | 5.5 | 2025-06-20 | Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated… |
| CVE-2026-7573 | Medium | 5.0 | 2026-05-06 | An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege u… |
| CVE-2026-6948 | Medium | 4.9 | 2026-05-04 | Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue… |
| CVE-2026-7572 | Medium | 4.4 | 2026-05-06 | An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux a… |
| CVE-2025-0914 | Low | 3.8 | 2025-02-27 | An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deplo… |
| CVE-2021-3619 | Low | 3.5 | 2021-08-17 | Rapid7 Velociraptor 0.5.9 and prior is vulnerable to a post-authentication persistent cross-site scripting (XSS) issue, where an authenticated user could abuse… |
| CVE-2023-2226 | Low | 3.3 | 2023-04-21 | Due to insufficient validation in the PE and OLE parsers in Rapid7's Velociraptor versions earlier than 0.6.8 allows attacker to crash Velociraptor during pars… |
| CVE-2024-10526 | | | 2024-11-07 | Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to… |
| CVE-2023-0290 | | | 2023-01-18 | Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where the collection task… |
| CVE-2023-0242 | | | 2023-01-18 | Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server i… |
| CVE-2022-35632 | | | 2022-07-29 | The Velociraptor GUI contains an editor suggestion feature that can display the description field of a VQL function, plugin or artifact. This field was not pro… |
| CVE-2022-35631 | | | 2022-07-29 | On MacOS and Linux, it may be possible to perform a symlink attack by replacing this predictable file name with a symlink to another file and have the Velocira… |
| CVE-2022-35630 | | | 2022-07-29 | A cross-site scripting (XSS) issue in generating a collection report made it possible for malicious clients to inject JavaScript code into the static HTML file… |
| CVE-2022-35629 | | | 2022-07-29 | Due to a bug in the handling of the communication between the client and server, it was possible for one client, already registered with their own client ID, t… |