JustAppSec

Command injection in pymetasploit3 can run arbitrary Metasploit commands

2 min read
Published 03 Apr 2026 | Updated 03 Apr 2026
Source: CVEProject (cvelistV5)

TL;DR — A newline-based command injection in pymetasploit3 can let attacker-controlled module option values break Metasploit console command structure and trigger unintended command execution.

What happened

pymetasploit3 is a Python automation library for interacting with Metasploit (commonly via Metasploit’s RPC/console interfaces) to run modules and manage sessions programmatically.

CVE-2026-5463 describes a command injection issue in console.run_module_with_output() affecting pymetasploit3 through version 1.0.6. Per the CVE record, an attacker who can control module option values (example given: RHOSTS) may inject newline characters, which breaks the intended command structure and can cause the Metasploit console to execute additional unintended commands.

The CVE record assigns this issue CVSS v4.0 9.3 (Critical) (and CVSS v3.1 8.6 (High)). This is especially high-risk in security automation contexts because exploitation tooling often runs with broad network reach and privileged credentials, so command injection in orchestration layers can quickly turn into environment-wide exposure.

Who is impacted

  • Projects using pymetasploit3 with versions <= 1.0.6.
  • Highest risk deployments are those where untrusted input can influence module option values passed into console.run_module_with_output() (e.g., multi-tenant “run-a-scan” services, chatops-driven automation, CI jobs parameterized by user-controlled data).
Component                               pymetasploit3
Affected versions (per CVE record)      <= 1.0.6
Fixed version referenced by source      Not specified in the CVE record

What to do now

  • Follow the project's remediation guidance. The CVE record does not list a patched version, so check the pymetasploit3 release notes or changelog for a fix referencing CVE-2026-5463 before treating any release newer than 1.0.6 as patched.
  • Audit automation code paths that call console.run_module_with_output() and ensure module option values (e.g., RHOSTS) are not derived from untrusted input.
  • Add defensive input handling for module option fields used in automation. At minimum, reject values containing \r or \n (and other control characters) before handing them to Metasploit console APIs; where the option has a known shape (RHOSTS is a list of IPs, CIDRs, ranges or hostnames), prefer validating against that shape over stripping characters, since stripping can silently change the target.
  • Reduce blast radius: restrict network access to Metasploit RPC/console endpoints and run Metasploit automation in isolated environments with minimal credentials and minimal network reach.
  • If you suspect abuse, review Metasploit console and RPC activity for modules or console commands your automation never issues, then follow your incident response process, including rotation of any credentials reachable from the automation environment.
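The following is an added illustration of the bug class the CVE describes and of the allow-list check recommended above; it is not pymetasploit3's own code and makes no claim about how the library builds its commands internally. It assumes (as a model) that a console-driven runner emits one Metasploit console command per line, in the form `use <module>` / `set <NAME> <value>` / `run`, and the allowed-character policy in `validate_option_value()` is this example's own choice. The hostile RHOSTS value is constructed for the demonstration.

```python
"""Added example (not pymetasploit3's code): how a newline inside a module
option value becomes an extra console command, and a strict check that
rejects such values before they reach the Metasploit console.

Assumption: build_console_script() models a line-oriented console runner as
"use <module>" / "set <NAME> <value>" / "run". The library's real layout may
differ; the injection mechanism (one command per line) is what matters.
"""
import re

# How a line-oriented console splits its input into commands.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")

# Characters a console or its transport may treat as a line or record
# boundary: C0 controls, DEL, NEL and the Unicode line/paragraph separators.
_CONTROL = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")

# Allow-list shape for one RHOSTS entry: IPv4/IPv6, CIDR, ranges, hostnames,
# file:/path references. This policy is the example's own assumption.
_RHOSTS_TOKEN = re.compile(r"^[A-Za-z0-9:][A-Za-z0-9.:/_\-]*$")


class UnsafeOptionValue(ValueError):
    """Raised when an option value could alter console command structure."""


def build_console_script(module_path: str, options: dict) -> list:
    """Modelled command layout (assumption): one console command per entry."""
    script = [f"use {module_path}"]
    script += [f"set {name} {value}" for name, value in options.items()]
    script.append("run")
    return script


def commands_seen_by_console(script: list) -> list:
    """The console parses the joined text line by line, so a value that
    contains a line break yields more commands than the script intended."""
    return _LINE_BREAK.split("\n".join(script))


def validate_option_value(name: str, value) -> str:
    """Reject any value that could escape its own 'set NAME value' line."""
    if not isinstance(value, str):
        raise UnsafeOptionValue(f"{name}: expected str, got {type(value).__name__}")
    if _CONTROL.search(value):
        raise UnsafeOptionValue(f"{name}: control or line-break character in value")
    if name.upper() == "RHOSTS":
        tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
        if not tokens or any(not _RHOSTS_TOKEN.match(t) for t in tokens):
            raise UnsafeOptionValue(f"{name}: not a host/range/CIDR list")
    return value


def is_safe_option_value(name: str, value) -> bool:
    """Boolean form of validate_option_value(), convenient for tests."""
    try:
        validate_option_value(name, value)
        return True
    except UnsafeOptionValue:
        return False


def build_console_script_checked(module_path: str, options: dict) -> list:
    """Hardened wrapper: validate every option before building the script."""
    checked = {n: validate_option_value(n, v) for n, v in options.items()}
    return build_console_script(module_path, checked)


if __name__ == "__main__":
    # Constructed attacker input: a tenant-supplied RHOSTS with an embedded
    # newline followed by a console command the automation never intended.
    hostile = {"RHOSTS": "10.0.0.5\nsessions -K", "THREADS": "10"}
    script = build_console_script("auxiliary/scanner/portscan/tcp", hostile)
    for line in commands_seen_by_console(script):
        print(repr(line))
    try:
        build_console_script_checked("auxiliary/scanner/portscan/tcp", hostile)
    except UnsafeOptionValue as exc:
        print("rejected:", exc)
```

Run as a script, the unchecked path shows five commands reaching the console from a four-command script, with `sessions -K` as a standalone line; the checked path refuses the value before anything is sent. Rejecting rather than stripping is deliberate: silently removing the newline would scan `10.0.0.5sessions -K` or, worse, an unintended host, whereas a rejection surfaces the tampering attempt in the automation's own logs.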

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
