CVE-2026-5463

Name of the Vulnerable Software and Affected Versions pymetasploit3 versions through 1.0.6

Description A command injection issue exists in the console.run module with output() function of pymetasploit3. Attackers can inject newline characters into module options, such as the RHOSTS parameter, disrupting command parsing and potentially enabling arbitrary command execution and manipulation of Metasploit sessions.

Recommendations Update pymetasploit3 to a version later than 1.0.6.