Impact
A flaw in the Python wrapper for Metasploit, pymetasploit3, allows an attacker to insert newline characters into module options such as RHOSTS when calling console.run_module_with_output(). The added newlines break the intended command syntax, causing the Metasploit console to execute additional, unintended commands. This can result in the execution of arbitrary system commands outside the normal Metasploit flow, potentially compromising the security of any hosts the modules target as well as the integrity of the Metasploit sessions themselves.
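The description above implies a caller-side check: every option must reach the console as exactly one line. The following is an added example, not code from pymetasploit3 or from this advisory; `validate_options`, `render_set_lines`, `UnsafeOptionError` and the option-name pattern are hypothetical names and assumptions, and the sample values are constructed.

```python
import re
import unicodedata

# Assumed shape of a Metasploit option name (RHOSTS, LPORT, HttpClient::Timeout).
OPTION_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*(::[A-Za-z0-9_]+)*")
# Unicode categories that end or corrupt a console line: controls (CR, LF, NUL,
# tab, NEL) plus the line and paragraph separators U+2028 and U+2029.
FORBIDDEN = {"Cc", "Zl", "Zp"}


class UnsafeOptionError(ValueError):
    """Raised when an option could not be sent as exactly one console line."""


def validate_options(options):
    """Return a str->str copy of options, or raise UnsafeOptionError."""
    clean = {}
    for name, value in options.items():
        # fullmatch, not match with '$': '$' would accept a trailing newline.
        if not isinstance(name, str) or not OPTION_NAME.fullmatch(name):
            raise UnsafeOptionError(f"bad option name: {name!r}")
        if isinstance(value, bool):
            text = "true" if value else "false"
        elif isinstance(value, (int, str)):
            text = str(value)
        else:
            raise UnsafeOptionError(f"{name}: unsupported type {type(value).__name__}")
        bad = [ch for ch in text if unicodedata.category(ch) in FORBIDDEN]
        if bad:
            raise UnsafeOptionError(f"{name}: control character {bad[0]!r} in value")
        clean[name] = text
    return clean


def render_set_lines(options):
    """Hypothetical renderer: one 'set NAME VALUE' console line per option."""
    return [f"set {n} {v}" for n, v in validate_options(options).items()]


if __name__ == "__main__":
    # Constructed sample input; 192.0.2.0/24 is a documentation range.
    samples = [
        {"RHOSTS": "192.0.2.10", "RPORT": 445, "VERBOSE": False},
        {"RHOSTS": "192.0.2.10\nversion"},
    ]
    for opts in samples:
        try:
            print(render_set_lines(opts))
        except UnsafeOptionError as exc:
            print("rejected:", exc)
```

Run the check on every caller-supplied option before it reaches console.run_module_with_output(), and reject rather than strip, so a malformed value surfaces as an error instead of being silently rewritten.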
Affected Systems
The vulnerability affects installations of the pymetasploit3 project maintained by Dan McInerney. Versions up to and including 1.0.6 contain the flaw. Any deployment that relies on these versions for automated module execution or the remote provision of module options should be considered at risk.
Risk and Exploitability
The CVSS score of 9.3 denotes a high-severity vulnerability. Although EPSS data is not available and the issue is not listed in the CISA KEV catalog, the potential for arbitrary command execution is significant. Based on the description, it is inferred that an attacker must be able to supply module options to console.run_module_with_output(), implying either a local user with write access to a Metasploit console or a remote user with authenticated access to supply those options. Successful exploitation would allow an attacker to run arbitrary commands on the system hosting the Metasploit framework, thereby gaining full control over the environment.