
Description

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6. Module option values such as RHOSTS are written into the Metasploit console without neutralizing newline characters, so an attacker who controls an option value can terminate the intended `set` line and supply further lines that the console parses as separate commands. This breaks the intended command structure and causes the Metasploit console to execute additional, unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.
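The mechanism above, as an added worked example; this is not pymetasploit3's or Metasploit's own code. `build_console_script()` is a hypothetical stand-in that mirrors the command structure the description implies (a `use` / `set KEY VALUE` / `run` script joined with newlines and written to the console as one buffer). The module path, option names and the smuggled `sessions -K` command are constructed test data, and the hardened variant shows the control-character check a caller or a patched builder would apply before interpolating values.

```python
"""Illustration of the newline-injection pattern the advisory describes.

Added example, not code from pymetasploit3. build_console_script() is a
hypothetical stand-in for the shape the description implies: a msfconsole
script of 'use', 'set KEY VALUE' and 'run' lines, newline-joined and written
to the console as one buffer. All inputs below are constructed test data.
"""
import re

# msfconsole treats each line of the written buffer as its own command, so a
# CR or LF inside an option value starts a new command. The hardened builder
# refuses CR/LF and, defensively, every other ASCII control character.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_LINE_BREAK = re.compile(r"\r\n|\r|\n")


def build_console_script(module_path, options, run_as_job=False):
    """Hypothetical vulnerable builder: interpolates option values verbatim."""
    lines = ["use {}".format(module_path)]
    for key, value in options.items():
        lines.append("set {} {}".format(key, value))
    lines.append("run -j" if run_as_job else "run")
    return "\n".join(lines) + "\n"


def build_console_script_safe(module_path, options, run_as_job=False):
    """Hardened builder: rejects keys or values carrying control characters."""
    for key, value in options.items():
        for part in (str(key), str(value)):
            if _CONTROL_CHARS.search(part):
                raise ValueError(
                    "control character in option {!r}: {!r}".format(key, part))
    return build_console_script(module_path, options, run_as_job)


def console_commands(script):
    """Emulate the console's view of the buffer: one non-empty command per line."""
    return [line.strip() for line in _LINE_BREAK.split(script) if line.strip()]


def injected_commands(options):
    """Commands an attacker smuggles in after the first line of each value."""
    extra = []
    for value in options.values():
        pieces = _LINE_BREAK.split(str(value))
        extra.extend(p.strip() for p in pieces[1:] if p.strip())
    return extra


if __name__ == "__main__":
    # Constructed attacker input: a valid RHOSTS followed by a smuggled command
    # that kills every live Metasploit session.
    evil = {"RHOSTS": "10.0.0.1\nsessions -K", "RPORT": 445}
    print(console_commands(build_console_script("auxiliary/scanner/portscan/tcp", evil)))
    print(injected_commands(evil))
    try:
        build_console_script_safe("auxiliary/scanner/portscan/tcp", evil)
    except ValueError as err:
        print("rejected:", err)
```

The check rejects rather than strips: silently dropping a newline from RHOSTS would still hand the console an attacker-shaped value, whereas a hard failure surfaces the attempt to the caller. Any front-end that passes user-supplied values into module options should apply the same rejection before they reach the library, independent of which pymetasploit3 version is installed.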

State: PUBLISHED | Reserved 2026-04-03 | Published 2026-04-03 | Updated 2026-04-03 | Assigner: TuranSec




Metrics

CVSS 4.0: 9.3 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L)

CVSS 3.1: 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)

CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Problem types

CWE-77 Improper neutralization of special elements leading to command injection

Product status

Default status: unaffected

Any version: affected

Credits

Abdivasiyev Sunnatillo (finder)

References

github.com/DanMcInerney/pymetasploit3

pypi.org/project/pymetasploit3/

cve.org (CVE-2026-5463)

nvd.nist.gov (CVE-2026-5463)
