Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 12 pypi packages depend on pymetasploit3 (12 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.0.6.
DescriptionCVE.org
Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.
AnalysisAI
Command injection in pymetasploit3 Python library (versions ≤1.0.6) allows unauthenticated remote attackers to execute arbitrary Metasploit console commands by injecting newline characters into module options like RHOSTS. With a critical CVSS 9.3 score and no public exploit identified at time of analysis, this vulnerability poses significant risk to environments using this library for automated penetration testing workflows. The flaw enables attackers to break command structure in console.run_module_with_output() calls, potentially manipulating Metasploit sessions and executing unintended security operations.
Technical ContextAI
Pymetasploit3 is a Python library (cpe:2.3:a:dan_mcinerney:pymetasploit3) that provides programmatic access to the Metasploit Framework's RPC interface. The vulnerability stems from CWE-77 (Command Injection) within the console.run_module_with_output() method, which fails to properly sanitize or escape newline characters in module parameters. When user-controlled input containing newline sequences is passed to options like RHOSTS (Remote Hosts), the library transmits these directly to the Metasploit console. The newline acts as a command delimiter in the console's command-line interface, allowing subsequent malicious commands to be injected and executed within the same session context. This effectively breaks the intended encapsulation of module parameters and transforms them into executable console commands, bypassing any intended security boundaries within automated penetration testing scripts.
RemediationAI
Organizations should immediately audit all systems and applications utilizing pymetasploit3 library versions 0 through 1.0.6 for exposure to untrusted input. No vendor-released patch identified at time of analysis-the library's GitHub repository (https://github.com/DanMcInerney/pymetasploit3) and PyPI package page (https://pypi.org/project/pymetasploit3/) should be monitored for version 1.0.7 or later addressing CVE-2026-5463. As interim mitigation, implement strict input validation on all parameters passed to console.run_module_with_output() and related methods: sanitize or reject inputs containing newline characters (\n, \r), carriage returns, and other command delimiters before passing to pymetasploit3 functions. Apply allowlist validation for RHOSTS and similar parameters accepting network addresses, permitting only valid IP/CIDR formats. Consider wrapping pymetasploit3 calls in sandboxed environments with restricted Metasploit console permissions to limit blast radius of successful injection attacks. If pymetasploit3 functionality is exposed via web APIs or external interfaces, implement authentication, rate limiting, and comprehensive logging of all module execution attempts. Review application architecture to determine if pymetasploit3 usage can be isolated from untrusted input sources entirely.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18601
GHSA-qpc3-8vqg-8g6w