Weekly Metasploit Update: Modules for Audiobookshelf, LiteLLM, Next.js, Dalfox and more

·Source: Rapid7

Analysis

Help shape the future of Metasploit Framework

We are planning future work in relation to the evasion capabilities present in Metasploit Framework, and how they function and are presented to users. We are currently accepting responses to our feedback form, which means that you can shape the future of how evasive capabilities are implemented in Metasploit Framework. The proposal for the changes can be found here, and you can submit your responses to the form here. The form will stop accepting responses on the 1st of July, 2026.

New module content and improvements have also been added this week. This includes a Next.js Middleware Authorization Bypass scanner, a LiteLLM Proxy SQL Injection scanner, an unauthenticated API authentication bypass scanner for Audiobookshelf, a deserialization RCE in Dalfox, and improvements to service and host reporting in bruteforce-related modules.

New module content (4)

Audiobookshelf Unauthenticated API Authentication Bypass Scanner
Authors: Kenneth LaCroix and swiftbird07
Type: Auxiliary
Pull request: #21565 contributed by kenlacroix
Path: scanner/http/audiobookshelf_auth_bypass
AttackerKB reference: CVE-2025-25205
Description: Adds audiobookshelf_auth_bypass, a detection module for CVE-2025-25205, an unauthenticated API authentication bypass in Audiobookshelf (a self-hosted audiobook/podcast server), affecting versions 2.17.0 to 2.19.0 (fixed in 2.19.1).

BerriAI LiteLLM Proxy Pre-Auth SQL Injection Scanner
Authors: Kenneth LaCroix and Tencent YunDing Security Lab
Type: Auxiliary
Pull request: #21567 contributed by kenlacroix
Path: scanner/http/litellm_proxy_sqli
AttackerKB reference: CVE-2026-42208
Description: Adds auxiliary/scanner/http/litellm_proxy_sqli, a detection module for CVE-2026-42208 (CVSS 9.3, on the CISA KEV list), a pre-authentication SQL injection in the BerriAI LiteLLM proxy.

Next.js Middleware Authorization Bypass Scanner
Authors: Kenneth LaCroix, Rachid Allam, and Yasser Allam
Type: Auxiliary
Pull request: #21566 contributed by kenlacroix
Path: scanner/http/nextjs_middleware_auth_bypass
AttackerKB reference: CVE-2025-29927
Description: Adds nextjs_middleware_auth_bypass, a detection module for CVE-2025-29927 (CVSS 9.1), an authorization bypass in self-hosted Next.js applications.

Dalfox Found-Action Deserialization RCE
Authors: Emmanuel David and Takahiro Yokoyama
Type: Exploit
Pull request: #21493 contributed by Takahiro-Yoko
Path: linux/http/dalfox_server_rce_cve_2026_45087
AttackerKB reference: CVE-2026-45087
Description: This adds an exploit module for Dalfox Server versions <= 2.12.0, which are vulnerable to an unauthenticated RCE tracked as CVE-2026-45087. The vulnerability allows attackers to send arbitrary commands via the found-action POST parameter, which is deserialized and run in the context of the user running the server.

Enhancements and features (2)

#21396 from g0tmi1k - This makes improvements to the auth_brute mixin. It adds report_host and report_service calls to the mixin and removes duplicate printing of IP:PORT in the print_brute statements.

#21562 from zeroSteiner - Updated the usage of rex-socket's recvfrom method to align with the standard library implementation. This also allows rex-socket to now be used as a drop-in replacement for Ruby's UDPSocket.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 6.4.140...6.4.141
Full diff 6.4.140...6.4.141

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
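The rex-socket enhancement above (#21562) aligns its recvfrom with the standard library so rex-socket can stand in for Ruby's UDPSocket. The following added example is not code from the Rapid7 post or from the rex-socket gem; it uses only Ruby's standard library to show the return shape that rex-socket now matches: recvfrom yields the datagram and an addrinfo array of the form [address_family, port, hostname, ip]. Everything runs over loopback with a kernel-assigned port, so it is self-contained and touches no external host.

```ruby
require 'socket'

# Added example (not from the Rapid7 post or the rex-socket gem).
# Sends one datagram to a loopback UDP listener and unpacks the standard
# library's recvfrom result: [data, [family, port, hostname, ip]].
# Code written against this shape can swap in a rex-socket UDP socket,
# which the post says now returns the same structure.
def udp_roundtrip(payload = "ping")
  server = UDPSocket.new
  server.bind("127.0.0.1", 0)            # port 0: kernel picks a free port
  port = server.addr[1]                  # addr => [family, port, hostname, ip]

  client = UDPSocket.new
  client.send(payload, 0, "127.0.0.1", port)   # auto-binds an ephemeral port

  # Standard library shape: data first, then the sender's addrinfo array.
  data, addrinfo = server.recvfrom(1024)
  family, sender_port, _hostname, sender_ip = addrinfo

  {
    data: data,
    family: family,              # "AF_INET" for an IPv4 loopback socket
    sender_ip: sender_ip,        # "127.0.0.1"
    sender_port: sender_port,    # matches the client's ephemeral port
    client_port: client.addr[1]
  }
ensure
  client&.close
  server&.close
end
```

When code that logs or reports peers reads the sender as addrinfo[3] (ip) and addrinfo[1] (port) rather than assuming a positional order of its own, it works unchanged across the stdlib socket and a recvfrom that mirrors it.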

Indicators of Compromise (5)

CVE (4)
CVE-2025-25205
CVE-2026-42208
CVE-2025-29927
CVE-2026-45087
Domain (1)
docs.metasploit.com
Source Attribution

Originally published by Rapid7 on Jun 26, 2026.
