Platform: python
Component: pymetasploit3
Fixed in: 1.0.7
A critical Command Injection vulnerability has been identified in pymetasploit3, a Python library used to automate the Metasploit Framework over its RPC interface, affecting versions up to and including 1.0.6. The flaw allows an attacker who controls a module option value, such as RHOSTS, to break out of the intended console command and have additional commands executed by the Metasploit console. Successful exploitation leads to unauthorized command execution inside Metasploit and to compromise of Metasploit sessions, potentially granting the attacker significant control over the host running the automation.
The impact of CVE-2026-5463 is severe because the injected commands run in the context of the Metasploit Framework. An attacker exploiting this vulnerability could run arbitrary Metasploit commands on the system hosting pymetasploit3, gain persistent access, exfiltrate data, or disrupt operations. Control over Metasploit sessions amplifies the risk, since compromised sessions can be used to pivot to other systems on the network. The root cause is the familiar one for command injection: option values are passed to a command interpreter without validation or escaping, so characters that separate commands are interpreted rather than treated as data.
This vulnerability was publicly disclosed on 2026-04-03. The exploitation context is currently unclear, but a command injection with a simple trigger is a plausible target for automated scanning and exploitation. The EPSS score at the time of writing is 1.78% (83rd percentile). Public proof-of-concept (PoC) code is not yet available, but given how little is required to exploit a command injection of this kind, it is likely to emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 1.78% (83rd percentile)
The primary mitigation for CVE-2026-5463 is to upgrade pymetasploit3 to version 1.0.7 or later. Where an immediate upgrade is not possible, validate and sanitize every value your own code passes into pymetasploit3 as a module option: in particular, reject values containing newline or carriage-return characters, which is the class of input the advisory describes. The validation belongs in the automation code that calls pymetasploit3, since that is where untrusted input (a scan target list, a form field, a job queue) meets the library. Additionally, restrict who can reach the msfrpcd endpoint and who can supply option values, and monitor console activity for commands that the automation was never meant to issue. A Web Application Firewall only helps if option values arrive through a web front end, and even then it is not a primary defense. After upgrading, verify the fix by passing an option value that contains a newline followed by a second command and confirming that the library rejects it, or that the console receives it as part of the value rather than executing it as a separate command.
Update the pymetasploit3 library to version 1.0.7 or later, which fixes the command injection vulnerability. You can update using pip: `pip install --upgrade 'pymetasploit3>=1.0.7'`.
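The following is an added example, written for this page rather than taken from pymetasploit3 or from the advisory, to show why a newline inside an option value becomes a second console command and what the validation step described above looks like. It does not connect to msfrpcd: `FakeConsole` is a constructed stand-in that only records the lines a console would run, and `set_option_unsafe`, `validate_option` and `set_option_safe` are hypothetical helper names, not pymetasploit3 API. The hostile RHOSTS value is likewise constructed for the demonstration.

```python
import re


class FakeConsole:
    """Constructed stand-in for a Metasploit console object.

    It does not talk to msfrpcd; it only records each line the console would
    execute, which is enough to show how a newline inside an option value
    turns into additional commands.
    """

    def __init__(self):
        self.executed = []

    def write(self, data):
        for line in data.split("\n"):
            line = line.strip()
            if line:
                self.executed.append(line)


def set_option_unsafe(console, name, value):
    """Hypothetical vulnerable pattern: the value is interpolated into the
    console command unchecked, so a newline in it ends the 'set' command and
    whatever follows is executed as a new command."""
    console.write(f"set {name} {value}\n")
    return list(console.executed)


_OPTION_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
# Newline, carriage return and other ASCII control characters; any of them
# could end or mangle the single line we intend to send.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_option(name, value):
    """Reject anything that could break out of a single 'set NAME VALUE' line.

    Spaces and commas are allowed because RHOSTS legitimately takes lists
    and CIDR ranges; only control characters are refused.
    """
    if not _OPTION_NAME.match(name):
        raise ValueError(f"invalid option name: {name!r}")
    value = str(value)
    if _CONTROL_CHARS.search(value):
        raise ValueError(f"control character in value for {name}: {value!r}")
    return value


def set_option_safe(console, name, value):
    """Hardened wrapper: validate first, then emit exactly one console line."""
    value = validate_option(name, value)
    console.write(f"set {name} {value}\n")
    return list(console.executed)


def demo():
    # Constructed attacker-controlled value: a valid-looking host followed by
    # two smuggled commands.
    hostile = "10.0.0.5\nset PAYLOAD cmd/unix/reverse\nrun"
    unsafe = set_option_unsafe(FakeConsole(), "RHOSTS", hostile)
    try:
        set_option_safe(FakeConsole(), "RHOSTS", hostile)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe, rejected


if __name__ == "__main__":
    executed, rejected = demo()
    print("unsafe path executed:", executed)
    print("safe path rejected the value:", rejected)
```

The same `validate_option` check doubles as the post-upgrade verification step: feed the hostile value through your automation and confirm it is refused before anything reaches the console.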
CVE-2026-5463 is a Command Injection vulnerability in pymetasploit3 versions up to and including 1.0.6 that allows an attacker who controls a module option value such as RHOSTS to have additional Metasploit console commands executed, potentially leading to arbitrary command execution within Metasploit.
You are affected if you are using pymetasploit3 version 1.0.6 or earlier. Upgrade to 1.0.7 or later.
Upgrade pymetasploit3 to 1.0.7 or later. Until you can upgrade, validate and sanitize every option value your automation passes into pymetasploit3, rejecting newline and carriage-return characters in particular.
While active exploitation has not been confirmed, the vulnerability's nature makes it a likely target for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the pymetasploit3 project's release notes and the CVE record for CVE-2026-5463 for updates; the library is a third-party Metasploit client, so the fix ships with the library rather than with the Metasploit Framework itself.