{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5463", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-04-03T04:28:08.555Z", "datePublished": "2026-04-03T04:32:23.872Z", "dateUpdated": "2026-04-03T04:32:23.872Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-04-03T04:32:23.872Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-77", "description": "CWE-77 Improper neutralization of special elements leading to command injection", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who can control module option values such as RHOSTS may inject newline characters to execute arbitrary commands in the Metasploit console context. This may allow execution of unintended modules, manipulation of active sessions, and abuse of automated exploitation workflows."}]}], "affected": [{"vendor": "Dan McInerney", "product": "pymetasploit3", "collectionURL": "https://pypi.org/project/pymetasploit3/", "packageName": "pymetasploit3", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.0.6", "versionType": "python"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions."}]}], "references": [{"url": "https://github.com/DanMcInerney/pymetasploit3"}, {"url": "https://pypi.org/project/pymetasploit3/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV2_0": {"version": "2.0", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "credits": [{"lang": "en", "value": "Abdivasiyev Sunnatillo", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions."}], "id": "CVE-2026-5463", "lastModified": "2026-04-03T05:16:24.160", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-04-03T05:16:24.160", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/DanMcInerney/pymetasploit3"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://pypi.org/project/pymetasploit3/"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "pymetasploit3", "source": "cna", "vendor": "Dan McInerney"}, "product": "pymetasploit3", "vendor": "dan_mcinerney"}], "analysis": {"en": {"generated_at": "2026-04-03T07:51:20.750376+00:00", "value": {"mitigation_remediation": ["Upgrade pymetasploit3 to the latest released version (\u2265\u202f1.0.7) to eliminate the newline injection flaw.", "If an upgrade cannot be applied immediately, restrict or block use of console.run_module_with_output() in the environment until a fix is in place.", "Implement input validation to reject or properly escape newline characters in module options such as RHOSTS before they are passed to the Metasploit console.", "Monitor Metasploit console logs for unexpected command execution and audit session integrity to detect potential abuse."], "summary": {"action": "Immediate Patch", "impact": "Command Injection leading to Arbitrary Command Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the pymetasploit3 project maintained by Dan McInerney. Versions up to and including 1.0.6 contain the flaw. Any deployment that relies on these versions for automated module execution or the remote provision of module options should be considered at risk.", "description_and_impact": "A flaw in the Python wrapper for Metasploit, pymetasploit3, allows an attacker to insert newline characters into module options such as RHOSTS when calling console.run_module_with_output(). The added newlines break the intended command syntax, causing the Metasploit console to execute additional, unintended commands. This can result in the execution of arbitrary system commands outside the normal Metasploit flow, potentially compromising the security of any hosts the modules target as well as the integrity of the Metasploit sessions themselves.", "risk_and_exploitability": "The CVSS score of 9.3 denotes a high severity vulnerability. Although EPSS data is not available and the issue is not listed in the CISA KEV catalog, the potential for arbitrary command execution is significant. Based on the description, it is inferred that an attacker must be able to supply module options to console.run_module_with_output(), implying either a local user with write access to a Metasploit console or a remote user with authenticated access to supply those options. Successful exploitation would allow an attacker to run arbitrary commands on the system hosting the Metasploit framework, thereby gaining full control over the environment."}}}}, "created": "2026-04-03T07:31:00.681599+00:00", "title": "Command Injection in pymetasploit3 Enables Arbitrary Command Execution", "updated": "2026-04-03T09:15:47.016804+00:00", "vendors": ["dan_mcinerney", "dan_mcinerney$PRODUCT$pymetasploit3"]}