CVE-2026-5463 · HIGH 8.6 · EPSS p77.3%

danmcinerney / pymetasploit3

Description

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS: 1.92% probability of exploitation · percentile 77.3% · 2026-06-19T12:03:05Z
Published: 2026-04-03
Last modified: 2026-06-02

Underlying weaknesses · 1

CWE-77

References

  1. https://github.com/DanMcInerney/pymetasploit3
  2. https://pypi.org/project/pymetasploit3/

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-61492
CVE-2026-35386
CVE-2026-5974
CVE-2026-6942
CVE-2025-69902
CVE-2026-45497

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.