Metasploit Pro Version 5.0.0-2026061601 Release Notes
Software release date: June 16, 2026 | Release notes published: June 18, 2026
New Module Content (20)
- #21035 - Adds a new exploit module for CVE-2023-7102, an unauthenticated remote code execution vulnerability in Barracuda Email Security Gateway (ESG) appliances. The flaw resides in the Amavis scanner’s use of the Perl Spreadsheet::ParseExcel library, which allows eval injection via malicious Excel number format strings. The module uses Rex::OLE to craft a minimal BIFF8 XLS file with the payload embedded in a FORMAT record and delivers it via SMTP.
- #21039 - Adds a new post module for Windows that enumerates kernel object pointers exposed through NtQuerySystemInformation on x64 systems. The module collects observable handle metadata and provides analysis of pointer distribution, object types, and ALPC usage, then saves the results to a CSV loot file for review. Also introduces a reusable Windows kernel handle-enumeration library.
- #21041 - Adds an exploit module for an authenticated remote code execution vulnerability in GestioIP 3.5.7 (CVE-2024-48760). An attacker with admin credentials can abuse the unsafe upload handler at /api/upload.cgi to overwrite the script itself with a backdoor, which is then invoked to execute attacker-supplied commands.
- #21155 - Adds a new exploit module for CVE-2022-28368, an unauthenticated remote code execution vulnerability in dompdf prior to 1.2.1. When remote resource loading is enabled, dompdf preserves the .php extension when caching fonts fetched via CSS @font-face rules, allowing an attacker to drop a PHP webshell in the font cache directory and trigger it with a follow-up request.
- #21165 - Adds an exploit for CVE-2026-24479, a zip slip vulnerability in HustOJ, an open source online judge platform, prior to version 26.01.24.
- #21177 - Adds a Linux post module for Tenable Security Center that retrieves credential hashes and cracks them.
- #21204 - Adds an auxiliary module targeting CVE-2026-3055, an info leak in Citrix NetScaler (when configured as a SAML IdP). Similar to other CitrixBleed vulnerabilities, the module can leak memory and potentially discover session cookies.
- #21206 - Adds a new Linux persistence module that establishes persistence by writing a Vim plugin to the target user’s ~/.vim/plugin/ directory. The next time that user launches Vim, the plugin executes the configured payload and opens a new session as that user.
- #21212 - Adds a new exploit module exploit/multi/misc/clickfix_server that runs an HTTP server to deliver a ClickFix-style social-engineering page. The page copies a generated command payload to the victim’s clipboard and prompts them to execute it.
- #21267 - Adds a module to exploit CVE-2026-4257, resulting in remote code execution on WordPress sites with the Contact Form by Supsystic plugin. Versions 1.7.36 and earlier are vulnerable.
- #21271 - Adds an Ollama LLM auxiliary scanner module to enumerate which LLMs are installed and details about them.
- #21322 - Adds a new auxiliary module that exploits a path traversal vulnerability (CVE-2025-6793) in Marvell QConvergeConsole to read arbitrary files from the target host. Versions 5.5.0.85 and earlier are vulnerable, and no authentication is required to exploit the issue.
- #21362 - Adds a new exploit module for Dolibarr ERP/CRM (CVE-2023-30253), an authenticated PHP code injection vulnerability affecting versions before 17.0.1. The module abuses the Website module to inject a payload that bypasses Dolibarr’s PHP tag filter by using uppercase <?PHP tags instead of the filtered lowercase form. Valid credentials with access to the Website module are required.
- #21417 - Adds an exploit module for cPanel/WHM authentication bypass leading to root RCE (CVE-2026-41940).
- #21434 - Adds two new local privilege escalation modules for the DirtyFrag Linux kernel vulnerabilities. The first targets CVE-2026-43284, a page-cache write vulnerability in the xfrm/ESP fragmentation path. The second targets CVE-2026-43500, a page-cache corruption vulnerability in the RxRPC/rxkad subsystem.
- #21463 - Adds a new auxiliary module for CVE-2026-20182, an authentication bypass in the Cisco Catalyst SD-WAN Controller.
- #21465 - Adds a new persistence module that achieves persistence by installing a malicious extension into a user’s VS Code extensions directory. The next time the target opens VS Code, the extension executes and delivers a shell back to the attacker.
- #21497 - Adds a new exploit module exploit/multi/http/apache_activemq_jolokia_rce targeting CVE-2026-34197 in Apache ActiveMQ. The module abuses the Jolokia JMX-over-HTTP API exposed at /api/jolokia/ by calling the addNetworkConnector() MBean operation with a crafted brokerConfig=xbean:http://... URI. ActiveMQ fetches the attacker-controlled URL and instantiates it as a Spring XML application context, achieving remote code execution via a java.lang.ProcessBuilder bean. Authentication is required to exploit this vulnerability.
- #21515 - Adds an exploit module for the Gogs rebase remote code execution vulnerability. The module leverages an argument injection flaw in the pull request merge workflow of Gogs versions <= 0.14.2 and <= 0.15.0+dev.
- #21547 - Adds an exploit module for CVE-2026-41679 targeting Paperclip AI. An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration. The entire chain is six API calls.
Enhancements and Features (21)
- Pro: Adds multiple improvements to the backup functionality in Metasploit Pro. Better progress tracking is now available, and backups larger than 4GB can be generated.
- Pro: Adds a tooltip to the bruteforce results page summarizing what the value of “successful logins” means.
- #20881 - Adds support for cracking Kerberos type hashes in Metasploit, specifically timeroasting, krb5tgs*, and krb5asrep.
- #21087 - The new payloads_manager plugin lets you maintain a local archive of custom payloads and stage them into the data directory. Use the fetch or add subcommands to download or import a payload, then select to symlink it into place so it’s available to other modules. The plugin tracks each payload’s name, hash, tags, and description in a database.
- #21198 - Adds a CertificateTracePresenter implementing certificate tracing using the presenter pattern, aligned with existing Metasploit conventions. This can be enabled by setting the CertificateTrace datastore option when using modules like icpr_cert and get_ticket to see the X.509 certificates being sent and received.
- #21222 - Standardizes log output across many Metasploit modules to improve the host and port log details when IPv6 addresses are present.
- #21254 - Nmap imports will now include the domain name if supplied by the user for the scan.
- #21266 - Improves how SMB services are logged. If the service is detected but authentication fails, the client still logs what dialect was negotiated so the service is recorded even if authentication was not possible.
- #21292 - Updates the RPC notes command to allow data to return a hash value where applicable.
- #21305 - Updates the services RPC endpoint to additionally report the resource and parent services fields.
- #21412 - Updates Metasploit’s post modules to now run against the last opened alive session by default, unless explicitly specified.
- #21414 - Backports the Python components of the Copy Fail (CVE-2026-31431) exploit to work with Python 2.7 interpreters, effectively supporting older targets.
- #21447 - Updates Metasploit’s documentation to describe how a Kerberoast attack can be performed entirely with Metasploit. Also updates the Kerberoast module to correctly log the realm to the database regardless of whether an existing LDAP session was used.
- #21458 - Updates the Sinatra, Rack, and Thin web service dependencies to support an upcoming Rails 8 upgrade.
- #21460 - Consolidates code used by Windows exec payloads to provide a more consistent experience.
- #21466 - Introduces KerberosTicketTrace support as a datastore option for Metasploit’s Kerberos authentication flows. Enabling KerberosTicketTrace allows users to see AS-REQ, AS-REP, TGS-REQ, TGS-REP, and KRB-ERROR messages as they are sent and received. Inbound messages are colored blue and outgoing messages are colored red, matching the existing HttpTrace functionality. Coloring can be toggled with the KerberosTicketTraceColors datastore option.
- #21488 - Updates HTTP login scanners to report the detected service hierarchy.
- #21504 - Adds missing CVE references to seven existing modules: gladinet_storage_access_ticket_forge (CVE-2025-14611), cassandra_web_file_read (CVE-2020-36939), pretalx_file_read_cve_2023_28459 (CVE-2023-28459 and CVE-2023-28458), centreon_pollers_auth_rce (CVE-2019-19699), wp_responsive_thumbnail_slider_upload (CVE-2015-10144), xerte_unauthenticated_template_import_rce (CVE-2026-32985), and solarwinds_storage_manager_sql (CVE-2012-2576).
- #21526 - Makes stability and logging improvements to the ipmi_cipher_zero, ipmi_dumphashes, and ipmi_version modules.
- #21528 - Updates Metasploit module metadata by adding Exploit-DB (EDB) reference IDs to existing modules that already have CVE references, improving cross-referencing for higher-fidelity vulnerability tracking.
- #21535 - Updates multiple HTTP login scanners to validate the remote target as a prerequisite to running login attempts.
Bugs Fixed (21)
- Pro: Fixes a double-rendering issue during polling on the task chains edit action by only invoking render for HTML requests, letting non-HTML formats fall through to default rendering.
- #20618 - Updates the MSSQL modules to no longer crash when running stored procedures like EXEC sp_linkedservers; against a remote host.
- #21285 - Updates the RPC creds command to now also return the associated realm key and value.
- #21345 - Fixes an issue in the smb_enumshares module that prevented it from working against certain SMB 1 targets such as Metasploitable 2.
- #21390 - Refines SMB-to-LDAP relay attack reporting by demoting anonymous authentication messages from print_good to print_status, reflecting that anonymous sessions do not grant additional privileges. Also skips the #on_relay_success callback for these sessions to prevent modules from acting on unprivileged access.
- #21432 - Fixes a bug in modules that invoke other modules that prevented datastore options from being validated.
- #21443 - Bumps the Metasploit-credentials gem to address an issue in how Kerberos hashes were being handled.
- #21448 - Fixes an issue where CIDR range filters in the addresses parameter of the db.hosts RPC endpoint were not processed correctly.
- #21474 - Fixes a crash in msfdb init on Windows.
- #21475 - Fixes an msfdb installation error on Windows.
- #21484 - Fixes Python SSL command shell payloads that failed with AttributeError: module 'ssl' has no attribute 'wrap_socket'.
- #21487 - Updates to a newer version of RubyZip to support zip files larger than 4GB.
- #21489 - Improves the GitLab version scanner by handling additional exceptions for non-GitLab targets and adding additional version fingerprints for real GitLab targets.
- #21502 - Fixes a crash in the scanner/snmp/snmp_enum module when the system date was read as null.
- #21506 - Adds a guard clause when running uname -r in the WSL startup_folder persistence module.
- #21514 - Fixes references to outdated msfvenom options.
- #21540 - Extends MSSQL coverage by improving NULL handling in the TDS row parser.
- #21543 - Fixes a false positive in the WebDAV upload PHP module that was reported based solely on the response code.
- #21549 - Adds the missing GHSA reference (https://github.com/advisories/GHSA-hxj9-549w-4pcq) to modules/auxiliary/scanner/smtp/smtp_relay.rb.
- #21557 - Fixes a db_import crash when importing zip files.
- #21564 - Fixes a crash in the smb_version module when run against SMBv1 targets.