CVE-2026-5463

HIGH

DAN Mcinerney Pymetasploit3 < 1.0.6 - Command Injection

Title source: rule

Description

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

References (2)

https://github.com/DanMcInerney/pymetasploit3

View Writeup ZIP pw:eip

https://pypi.org/project/pymetasploit3/

Scores

CVSS v3 8.6

EPSS 0.0178

EPSS Percentile 82.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-77

Status published

Products (2)

Dan McInerney/pymetasploit3 < 1.0.6

pypi/pymetasploit3 0PyPI

Published Apr 03, 2026

Tracked Since Apr 03, 2026