{
  "variant_id": "CVE-2026-5463-payload-options-injection",
  "created_at": "2026-04-04",
  "variant_summary": "Payload options injection variant of CVE-2026-5463 - same root cause at line 2316 as original at line 2299",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/DanMcInerney/pymetasploit3",
  "submitted_target": {
    "target_kind": "git_repository",
    "commit_sha": "2ffc63146b8c278e590419ffaf92f17fcf36c1e4",
    "version": "1.0.6",
    "display": "pymetasploit3 v1.0.6 - original vulnerability in module options"
  },
  "variant_target": {
    "target_kind": "git_repository",
    "commit_sha": "2ffc63146b8c278e590419ffaf92f17fcf36c1e4",
    "version": "1.0.6",
    "display": "pymetasploit3 v1.0.6 - variant in payload options at line 2316"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "library_api",
  "validated_surface": "library_api",
  "required_entrypoint_kind": "library_api",
  "required_entrypoint_detail": "MsfConsole.run_module_with_output() with payload parameter containing malicious runoptions",
  "attacker_controlled_input": "Payload option values like LHOST containing newline characters",
  "trigger_path": "pymetasploit3/msfrpc.py line 2316: options_str += 'set {} {}\\n'.format(k, v)",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "evidence_scope": "code_analysis",
  "runtime_manifest_present": false,
  "end_to_end_target_reached": true,
  "inferred": false,
  "file_path": "pymetasploit3/msfrpc.py",
  "line_start": 2313,
  "line_end": 2316,
  "secondary_anchors": [
    {
      "file_path": "pymetasploit3/msfrpc.py",
      "line_start": 2297,
      "line_end": 2299
    }
  ],
  "review_scope_paths": [
    "pymetasploit3/msfrpc.py"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": null,
    "repro_log": "vuln_variant/logs/variant_output.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": ["vuln_variant/variant_tests.py"]
  },
  "timestamp": 1775311937.9282904,
  "variant_confirmed": true,
  "analysis_type": "code_based",
  "vulnerability": {
    "cve": "CVE-2026-5463",
    "affected_version": "1.0.6",
    "fixed_version": "NOT RELEASED",
    "root_cause": "Unsanitized user input in command string construction via .format()",
    "variant_paths": [
      {
        "type": "module_options",
        "line": 2299,
        "pattern": "'set {} {}\\n'.format(k, opts[k])",
        "confirmed": true,
        "entrypoint": "MsfModule.runoptions",
        "context": "options_str += 'set {} {}\\n'.format(k, opts[k])"
      },
      {
        "type": "payload_options",
        "line": 2316,
        "pattern": "'set {} {}\\n'.format(k, v)",
        "confirmed": true,
        "is_variant": true,
        "entrypoint": "PayloadModule.runoptions",
        "context": "options_str += 'set {} {}\\n'.format(k, v)",
        "description": "Same vulnerability pattern applied to payload options"
      }
    ]
  },
  "conclusion": "Variant confirmed through code analysis - payload options at line 2316 use identical vulnerable .format() pattern",
  "recommendations": [
    "Sanitize BOTH module options and payload options",
    "Remove newlines (\\n, \\r) before .format() interpolation",
    "Consider using RPC API instead of console command building"
  ]
}