Weekly Metasploit Update: Modules for Audiobookshelf, LiteLLM, Next.js, Dalfox and more

Help shape the future of Metasploit FrameworkWe are planning future work in relation to the evasion capabilities present in Metasploit Framework, and how they function/are presented to users. We are currently accepting responses to our feedback form, which means that you can shape the future of how evasive capabilities are implemented in Metasploit Framework. The proposal for the changes can be found here, and you can submit your responses to the form here. The form will stop accepting responses on the 1st of July, 2026.New module content and improvements have also been added this week. This includes a Next.js Middleware Authorization Bypass scanner, LiteLLM Proxy SQL Injection, an unauthenticated API authentication bypass scanner for Audiobookshelf, a deserialization RCE in Dalfox, and improvements to service and host reporting in bruteforce-related modules.New module content (4)Audiobookshelf Unauthenticated API Authentication Bypass ScannerAuthors: Kenneth LaCroix and swiftbird07Type: AuxiliaryPull request: #21565 contributed by kenlacroixPath: scanner/http/audiobookshelf_auth_bypassAttackerKB reference: CVE-2025-25205Description: Adds audiobookshelf_auth_bypass, a detection module for CVE-2025-25205 — an unauthenticated API authentication bypass in Audiobookshelf (self-hosted audiobook/podcast server), affecting versions 2.17.0 – 2.19.0 (fixed in 2.19.1).BerriAI LiteLLM Proxy Pre-Auth SQL Injection ScannerAuthors: Kenneth LaCroix and Tencent YunDing Security LabType: AuxiliaryPull request: #21567 contributed by kenlacroixPath: scanner/http/litellm_proxy_sqliAttackerKB reference: CVE-2026-42208Description: Adds auxiliary/scanner/http/litellm_proxy_sqli, a detection module for CVE-2026-42208 (CVSS 9.3, on the CISA KEV list) — a pre-authentication SQL injection in BerriAI LiteLLM proxy.Next.js Middleware Authorization Bypass ScannerAuthors: Kenneth LaCroix, Rachid Allam, and Yasser AllamType: AuxiliaryPull request: #21566 contributed by kenlacroixPath: scanner/http/nextjs_middleware_auth_bypassAttackerKB reference: CVE-2025-29927Description: Adds nextjs_middleware_auth_bypass, a detection module for CVE-2025-29927 (CVSS 9.1) — an authorization bypass in self-hosted Next.js applications.Dalfox Found-Action Deserialization RCEAuthors: Emmanuel David and Takahiro YokoyamaType: ExploitPull request: #21493 contributed by Takahiro-YokoPath: linux/http/dalfox_server_rce_cve_2026_45087AttackerKB reference: CVE-2026-45087Description: This adds an exploit module for Dalfox Server versions <= 2.12.0 which are vulnerable to an unauthenticated RCE tracked as CVE-2026-45087. The vulnerability allows attackers to send arbitrary commands via found-action post parameter which gets deserialized and run in the context of the user running the server.Enhancements and features (2)#21396 from g0tmi1k - This makes improvements to the auth_brute mixin. It adds report_host and report_service calls to the mixin and removes duplicate printing of IP:PORT in the print_brute statements.#21562 from zeroSteiner - Updated the usage of rex-socket's recvfrom method to align with the standard library implementation. This also allows rex-socket to now be used as a drop-in replacement for Ruby's UDPSocket.DocumentationYou can find the latest Metasploit documentation on our docsite at docs.metasploit.com.Get itAs always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:Pull Requests 6.4.140...6.4.141Full diff 6.4.140...6.4.141If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit ProArticle TagsMetasploitMetasploit Weekly WrapupSimon JanuszAuthor PostsRelated blog postsProducts and ToolsWeekly Metasploit Update: NTLM Relay Priv Esc, MCP Server Integration, Paperclip AI RCE Chain, and moreAlan David FosterProducts and ToolsWeekly Metasploit Update: New Kerberos/Certificate tracing options, and multiple new modulesSpencer McIntyreProducts and ToolsWeekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer EnumBrendan WattersProducts and ToolsMetasploit Wrap Up 05/29/2026Spencer McIntyreSee all posts