LeakyCreds

CVE-2026-5463 - Vulnerability Analysis

High, CVSS: 8.6

Last Updated: April 3, 2026

pymetasploit3 - Command Injection

Published: April 3, 2026
Updated: April 3, 2026
Remote Exploitable

Overview

pymetasploit3 through version 1.0.6 contains a command injection vulnerability in console.run_module_with_output(). Newline characters injected into module options let attackers execute arbitrary commands and manipulate Metasploit sessions. Exploitation requires crafted input.

Severity & Score

Severity: High
CVSS Score: 8.6
EPSS Score: 84.9% (Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary commands and manipulate Metasploit sessions, potentially compromising the system.

Mitigation

Update to the latest version beyond 1.0.6.
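
As an added example (not code from pymetasploit3 or from this page), a caller-side check that refuses module option values containing line breaks before they reach console.run_module_with_output(). The names check_module_options and UnsafeOptionError are hypothetical, and the allowed option-name pattern and value types are assumptions.

```python
import re

# Characters that end or split a line in a text console: C0 controls
# (including \r and \n), DEL, NEL and the Unicode line/paragraph separators.
_LINE_BREAKING = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")
# Assumption: option names are simple identifiers such as RHOSTS or RPORT.
# \Z is used instead of $ because $ would accept a name ending in "\n".
_OPTION_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_:.]*\Z")

# Constructed sample inputs (192.0.2.0/24 is a documentation range).
SAMPLE_OK = {"RHOSTS": "192.0.2.10", "RPORT": 445}
SAMPLE_BAD = {"RHOSTS": "192.0.2.10\nsecond line"}


class UnsafeOptionError(ValueError):
    """Raised when an option could alter the console command structure."""


def check_module_options(options):
    """Return a validated copy of `options`, or raise UnsafeOptionError.

    Hypothetical helper: run it on caller-supplied options before they are
    set on a module that is later passed to run_module_with_output().
    """
    clean = {}
    for name, value in options.items():
        if not isinstance(name, str) or not _OPTION_NAME.match(name):
            raise UnsafeOptionError(f"invalid option name: {name!r}")
        if isinstance(value, (bool, int)):
            clean[name] = value  # numbers and flags cannot carry a newline
            continue
        if not isinstance(value, str):
            raise UnsafeOptionError(
                f"{name}: unsupported type {type(value).__name__}")
        hit = _LINE_BREAKING.search(value)
        if hit:
            raise UnsafeOptionError(
                f"{name}: control character {hit.group()!r} "
                f"at offset {hit.start()}")
        clean[name] = value
    return clean
```

Rejecting the value outright, rather than stripping the newline, keeps a malformed request visible to the caller and to logs.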

Social Media Activity (2 posts)

OffSequence
@offseq
Apr 3, 2026

⚠️ CRITICAL vuln: pymetasploit3 ≤1.0.6 (CVE-2026-5463) lets attackers inject commands via newline chars in console.run_module_with_output(), risking full session compromise. Avoid untrusted input, watch for patches. https://radar.offseq.com/threat/cve-2026-5463-cwe-77-improper-neutralization-of-sp-6f7ed040 #OffSeq #CVE20265463 #infosec

TheHackerWire
@thehackerwire
Apr 3, 2026

🟠 CVE-2026-5463 - High (8.6) Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5463/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-5463
Severity: High
CVSS Score: 8.6
Type: command_injection
Status: unconfirmed
EPSS: 84.9%
Social Posts: 2

CWE

  • CWE-77

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

EPSS Score

84.9% (Probability of exploitation in the next 30 days)