CVE-2026-5463: Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attack

Description

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

Affected Products

Vendor	Product	Versions
rapid7	pymetasploit3	0

References

Related News (1 articles)

Tier C

VulDB7d ago

CVE-2026-5463 | Dan McInerney pymetasploit3 up to 1.0.6 console.run_module_with_output command injection

→ No new info (linked only)

CVSS 3.18.6 NONE

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-77

PublishedApr 3, 2026

Last enriched7d agov2

Trending Score16

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (3)

Version History

Last enriched 7d ago

v2Tier C7d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severityactivelyExploited

via VulDB

v17d ago

Initial creation