Cyber Posture

CVE-2026-5463

Severity: High · Public PoC · RCE

Published: 03 April 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0174 (82.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5463 is a high-severity Command Injection (CWE-77) vulnerability in the pymetasploit3 Python package (affected product recorded as Pypi, inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 17.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and Command and Scripting Interpreter (T1059). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation) mandates validating information at entry points such as module options, which directly prevents the newline injection that breaks command structure in pymetasploit3.

prevent: SI-2 (Flaw Remediation) requires timely flaw remediation, such as upgrading pymetasploit3 beyond version 1.0.6 to eliminate the command injection vulnerability.

prevent: SI-9 enforces input restrictions on fields such as RHOSTS, blocking malicious values such as embedded newlines that lead to unintended Metasploit console command execution.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Command injection in the pymetasploit3 client library enables arbitrary command execution in the Metasploit console (T1059), reached by exploiting the vulnerable client software itself (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

Deeper analysis

CVE-2026-5463 is a command injection vulnerability in the console.run_module_with_output() function of pymetasploit3 through version 1.0.6. Attackers can inject newline characters into module options such as RHOSTS, which breaks the intended command structure of the Metasploit console and causes execution of additional unintended commands. This may result in arbitrary command execution and manipulation of Metasploit sessions. The issue carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) and maps to CWE-77: Command Injection.

Any attacker able to supply input to the run_module_with_output() function, such as by controlling module options like RHOSTS, can exploit this vulnerability over the network with low complexity, no required privileges, and no user interaction. Successful exploitation enables execution of arbitrary commands within the Metasploit console, achieving high integrity impact through session manipulation, low confidentiality impact, and low availability impact.

Mitigation details are available via the project's GitHub repository at https://github.com/DanMcInerney/pymetasploit3 and PyPI page at https://pypi.org/project/pymetasploit3/. The vulnerability affects pymetasploit3 through version 1.0.6, so upgrading to a later version, if available, is advised.
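The SI-10 control above comes down to rejecting option values that can terminate a console line before they are interpolated. The following is an added example, not code from pymetasploit3 or its maintainers: it assumes a hypothetical wrapper that builds msfconsole `set <OPTION> <value>` lines in the manner the advisory describes, and places the unvalidated pattern beside a validated one.

```python
"""Input validation for module options passed to a console wrapper (added example).

The builders below are hypothetical stand-ins for the command construction the
advisory describes; nothing here imports or depends on pymetasploit3.
"""
import re

# Any ASCII control character (including \n and \r) can end or alter a console
# command line, so all of them are rejected rather than only newlines.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeOptionValue(ValueError):
    """Raised when a module option value could break command structure."""


def validate_option(name: str, value) -> str:
    """Return value as a string, or raise if it contains a control character (SI-10)."""
    text = str(value)
    match = _CONTROL_CHARS.search(text)
    if match:
        raise UnsafeOptionValue(
            f"option {name!r} contains control character {match.group()!r} "
            f"at offset {match.start()}"
        )
    return text


def find_unsafe_options(options: dict) -> list:
    """Detection helper: names of every option whose value fails validation."""
    unsafe = []
    for name, value in options.items():
        try:
            validate_option(name, value)
        except UnsafeOptionValue:
            unsafe.append(name)
    return unsafe


def build_set_commands_unsafe(options: dict) -> list:
    """'Before' pattern: values are interpolated directly into console lines.
    A value holding '\\n' produces extra lines the console would run as commands."""
    script = "".join(f"set {name} {value}\n" for name, value in options.items())
    return script.splitlines()


def build_set_commands_safe(options: dict) -> list:
    """Hardened pattern: every value passes validate_option before interpolation."""
    script = "".join(
        f"set {name} {validate_option(name, value)}\n" for name, value in options.items()
    )
    return script.splitlines()
```

With a constructed value such as `"10.0.0.5\nINJECTED-LINE"` for RHOSTS, the unsafe builder yields two console lines while the safe builder raises, which is the observable difference a test suite for a wrapper like this should pin down.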

Details

CWE(s): CWE-77 (Command Injection)

Affected Products: Pypi (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One (shared CWE-77)

CVE-2026-7246
CVE-2026-0975
CVE-2024-8402
CVE-2026-21518
CVE-2025-66219
CVE-2025-62222
CVE-2025-54416
CVE-2024-33469
CVE-2026-21516
CVE-2025-57199
