Skip to main content

Pymetasploit3 CVE-2026-5463

| EUVDEUVD-2026-18601 CRITICAL
Command Injection (CWE-77)
2026-04-03 TuranSec GHSA-qpc3-8vqg-8g6w
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 03, 2026 - 05:15 euvd
EUVD-2026-18601
Analysis Generated
Apr 03, 2026 - 05:15 vuln.today
CVE Published
Apr 03, 2026 - 04:32 nvd
CRITICAL 9.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 12 pypi packages depend on pymetasploit3 (12 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.0.6.

DescriptionCVE.org

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

AnalysisAI

Command injection in pymetasploit3 Python library (versions ≤1.0.6) allows unauthenticated remote attackers to execute arbitrary Metasploit console commands by injecting newline characters into module options like RHOSTS. With a critical CVSS 9.3 score and no public exploit identified at time of analysis, this vulnerability poses significant risk to environments using this library for automated penetration testing workflows. The flaw enables attackers to break command structure in console.run_module_with_output() calls, potentially manipulating Metasploit sessions and executing unintended security operations.

Technical ContextAI

Pymetasploit3 is a Python library (cpe:2.3:a:dan_mcinerney:pymetasploit3) that provides programmatic access to the Metasploit Framework's RPC interface. The vulnerability stems from CWE-77 (Command Injection) within the console.run_module_with_output() method, which fails to properly sanitize or escape newline characters in module parameters. When user-controlled input containing newline sequences is passed to options like RHOSTS (Remote Hosts), the library transmits these directly to the Metasploit console. The newline acts as a command delimiter in the console's command-line interface, allowing subsequent malicious commands to be injected and executed within the same session context. This effectively breaks the intended encapsulation of module parameters and transforms them into executable console commands, bypassing any intended security boundaries within automated penetration testing scripts.

RemediationAI

Organizations should immediately audit all systems and applications utilizing pymetasploit3 library versions 0 through 1.0.6 for exposure to untrusted input. No vendor-released patch identified at time of analysis-the library's GitHub repository (https://github.com/DanMcInerney/pymetasploit3) and PyPI package page (https://pypi.org/project/pymetasploit3/) should be monitored for version 1.0.7 or later addressing CVE-2026-5463. As interim mitigation, implement strict input validation on all parameters passed to console.run_module_with_output() and related methods: sanitize or reject inputs containing newline characters (\n, \r), carriage returns, and other command delimiters before passing to pymetasploit3 functions. Apply allowlist validation for RHOSTS and similar parameters accepting network addresses, permitting only valid IP/CIDR formats. Consider wrapping pymetasploit3 calls in sandboxed environments with restricted Metasploit console permissions to limit blast radius of successful injection attacks. If pymetasploit3 functionality is exposed via web APIs or external interfaces, implement authentication, rate limiting, and comprehensive logging of all module execution attempts. Review application architecture to determine if pymetasploit3 usage can be isolated from untrusted input sources entirely.

Share

CVE-2026-5463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy