CVE-2026-5463

HIGH

pymetasploit3 < 1.0.6 - Command Injection via Newline in Module Options

Title source: llm

Description

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

References (2)

Core 2

Core References

https://github.com/DanMcInerney/pymetasploit3

View Writeup ZIP pw:eip

https://pypi.org/project/pymetasploit3/

Scores

CVSS v3 8.6

EPSS 0.0192

EPSS Percentile 77.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-77

Status published

Products (3)

Dan McInerney/pymetasploit3 < 1.0.6

danmcinerney/pymetasploit3 < 1.0.6

pypi/pymetasploit3 0 - 1.0.6PyPI

Published Apr 03, 2026

Tracked Since Apr 03, 2026