Rapid7 Metasploit Pro vulnerabilities
5 known vulnerabilities affecting rapid7/metasploit_pro.
Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH2MEDIUM2LOW1
Vulnerabilities
Page 1 of 1
CVE-2026-7373P3HIGHCVSS 8.5v5.0.02026-05-15
CVE-2026-7373 [HIGH] CWE-284 CVE-2026-7373: Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gai
Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started the metasploitPostgreSQL service would start the postgres.exe child process which would in turn load an OpenSSL configuration file from a static location. This static location would be writable by a p
nvd
CVE-2017-5235P4HIGHCVSS 7.8vAll versions prior to version 4.13.0-20170221012017-03-02
CVE-2017-5235 [HIGH] CWE-426 CVE-2017-5235: Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnera
Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer.
nvd
CVE-2020-7354P4MEDIUMCVSS 5.4≥ 4.17.1-20200427, ≤ 4.17.1-202004272020-06-25
CVE-2020-7354 [MEDIUM] CWE-79 CVE-2020-7354: Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Me
Cross-site Scripting (XSS) vulnerability in the 'host' field of a discovered scan asset in Rapid7 Metasploit Pro allows an attacker with a specially-crafted network service of a scan target to store an XSS sequence in the Metasploit Pro console, which will trigger when the operator views the record of that scanned host in the Metasploit Pro interface.
nvd
CVE-2023-0599P4MEDIUMCVSS 4.8≤ 4.21.22023-02-01
CVE-2023-0599 [MEDIUM] CWE-79 CVE-2023-0599: Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerabil
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metasploit Pro user using a specially crafted request. Note
nvd
CVE-2019-5642P4LOWCVSS 3.3≥ unspecified, ≤ 4.16.0-20190819012019-11-06
CVE-2019-5642 [LOW] CWE-732 CVE-2019-5642: Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, where
Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers from an instance of CWE-732, wherein the unique server.key is written to the file system during installation with world-readable permissions. This can allow other users of the same system where Metasploit Pro is installed to intercept otherwise private communications to the Metasploit Pro
nvd