www.velocidex.com/golang/velociraptor (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package www.velocidex.com/golang/velociraptor, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (7)
CVE-2023-0242 — CVSS 8.8 (high): Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any…
CVE-2026-6290 — CVSS 8.0 (high): Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current…
CVE-2026-6863 — CVSS 6.8 (medium): Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role…
CVE-2025-6264 — CVSS 5.5 (medium): Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and…
CVE-2026-7573 — CVSS 5.0 (medium): An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any…
CVE-2026-7572 — CVSS 4.4 (medium): An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on…
CVE-2023-0290 — CVSS 4.3 (medium): Rapid7 Velociraptor did not properly sanitize the client ID parameter to the CreateCollection API, allowing a directory traversal in where…