Cyber Posture

CVE-2026-5463

High · Public PoC

Published: 03 April 2026
Modified: 03 April 2026
KEV Added: (none recorded)
Patch: (none recorded)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0174 (82.6th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: SI-10 mandates information input validation at entry points like module options, directly preventing newline character injection that enables command structure breakage in pymetasploit3.

prevent: SI-2 requires timely flaw remediation, such as upgrading pymetasploit3 beyond version 1.0.6 to eliminate the command injection vulnerability.

prevent: SI-9 enforces input restrictions on fields like RHOSTS, blocking malicious payloads such as newlines that lead to unintended Metasploit console command execution.

Security Summary (AI-generated)

CVE-2026-5463 is a command injection vulnerability in the console.run_module_with_output() function of pymetasploit3 through version 1.0.6. Attackers can inject newline characters into module options such as RHOSTS, which breaks the intended command structure of the Metasploit console and causes execution of additional unintended commands. This may result in arbitrary command execution and manipulation of Metasploit sessions. The issue carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) and maps to CWE-77: Command Injection.

Any attacker able to supply input to the run_module_with_output() function, such as by controlling module options like RHOSTS, can exploit this vulnerability over the network with low complexity, no required privileges, and no user interaction. Successful exploitation enables execution of arbitrary commands within the Metasploit console, achieving high integrity impact through session manipulation, low confidentiality impact, and low availability impact.

Mitigation details are available via the project's GitHub repository at https://github.com/DanMcInerney/pymetasploit3 and PyPI page at https://pypi.org/project/pymetasploit3/. The vulnerability affects pymetasploit3 through version 1.0.6, so upgrading to a later version, if available, is advised.
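As an added illustration (not pymetasploit3's own code; the script layout is an assumed stand-in for how option values reach the console), the naive builder below shows how a newline inside a value turns one `set` line into two console commands, while the validating builder rejects such values at the entry point, as SI-10 requires:

```python
import re

# Any C0 control character (CR and LF included) or DEL can terminate or corrupt
# a console line, so none of them belong inside an option value.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_console_script(module: str, options: dict) -> str:
    """Naive builder (assumed pattern, not the library's real code):
    user-supplied option values are concatenated verbatim, one command per line."""
    lines = [f"use {module}"]
    for name, value in options.items():
        lines.append(f"set {name} {value}")
    lines.append("run")
    return "\n".join(lines)


def injected_line_count(module: str, options: dict) -> int:
    """Lines in the naive script beyond the expected use / set... / run sequence.
    A non-zero result is the observable symptom of the newline injection."""
    script = build_console_script(module, options)
    return len(script.splitlines()) - (2 + len(options))


def has_control_chars(value: str) -> bool:
    return _CONTROL_CHARS.search(value) is not None


def validate_option_value(name: str, value) -> str:
    """SI-10 style input validation: reject any value that would break the
    one-command-per-line structure before it reaches the console."""
    text = str(value)
    match = _CONTROL_CHARS.search(text)
    if match:
        raise ValueError(f"option {name!r} contains control character {match.group()!r}")
    return text


def build_console_script_safe(module: str, options: dict) -> str:
    """Hardened builder: every option value is validated before use."""
    clean = {name: validate_option_value(name, val) for name, val in options.items()}
    return build_console_script(module, clean)


if __name__ == "__main__":
    # Constructed sample input; "version" is a harmless console command used
    # only to show that the value has become two lines.
    benign = {"RHOSTS": "10.0.0.5", "RPORT": 80}
    tainted = {"RHOSTS": "10.0.0.5\nversion"}
    print(injected_line_count("example/scanner", benign))   # 0
    print(injected_line_count("example/scanner", tainted))  # 1
    print(build_console_script_safe("example/scanner", benign))
```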

Details

CWE(s): CWE-77 Command Injection

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection in the pymetasploit3 client library enables arbitrary command execution in the Metasploit console (T1059), achieved by exploiting vulnerable client software (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References