rapid7 · h00die · Oct 15, 2025 · Oct 15, 2025 · Oct 16, 2025 · Oct 16, 2025
diff --git a/documentation/modules/exploit/aix/local/xorg_x11_server.md b/documentation/modules/exploit/aix/local/xorg_x11_server.md
@@ -34,11 +34,11 @@ This table lists all vulnerable Xorg versions:
 
 ## Options
 
-**SESSION**
+### SESSION
 
 Which session to use, which can be viewed with `sessions`
 
-**WritableDir**
+### WritableDir
 
 A writable directory file system path. (default: `/tmp`)
 

diff --git a/documentation/modules/exploit/android/local/janus.md b/documentation/modules/exploit/android/local/janus.md
@@ -77,7 +77,7 @@ Number of signers: 1
 
 ## Options
 
-  **PACKAGE**
+### PACKAGE
 
   Select a package to infect.  A list of packages can be obtained by running `app_list` on meterpreter.  Using `ALL` will
   loop through all packages and attempt to exploit them until successful.  This can take a while, and cause lots of data to be

diff --git a/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md b/documentation/modules/exploit/freebsd/local/intel_sysret_priv_esc.md
@@ -34,11 +34,11 @@
 
 ## Options
 
-  **SESSION**
+### SESSION
 
   Which session to use, which can be viewed with `sessions`
 
-  **WritableDir**
+### WritableDir
 
   A writable directory file system path. (default: `/tmp`)
 

diff --git a/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md b/documentation/modules/exploit/freebsd/local/rtld_execl_priv_esc.md
@@ -31,7 +31,7 @@
 
 ## Options
 
-  **SESSION**
+### SESSION
 
   Which session to use, which can be viewed with `sessions`
 

diff --git a/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md b/documentation/modules/exploit/linux/http/asuswrt_lan_rce.md
@@ -25,7 +25,7 @@
 
 ## Options
 
-  **ASUSWRTPORT**
+### ASUSWRTPORT
 
   AsusWRT HTTP portal port (default: `80`)
 

diff --git a/documentation/modules/exploit/linux/http/cisco_firepower_useradd.md b/documentation/modules/exploit/linux/http/cisco_firepower_useradd.md
@@ -24,12 +24,22 @@ https://software.cisco.com/download/release.html?mdfid=286259687&softwareid=2862
 
 ## Options
 
-**USERNAME** The username for Cisco Firepower Management console.
+### USERNAME
 
-**PASSWORD** The password for Cisco Firepower Management console.
+The username for Cisco Firepower Management console.
 
-**NEWSSHUSER** The SSH account to create. By default, this is random.
+### PASSWORD
 
-**NEWSSHPASS** The SSH password for the new account. By default, this is also random.
+The password for Cisco Firepower Management console.
 
-**SSHPORT** In case for some reason, the SSH changed, otherwise this is 22 by default.
+### NEWSSHUSER
+
+The SSH account to create. By default, this is random.
+
+### NEWSSHPASS
+
+The SSH password for the new account. By default, this is also random.
+
+### SSHPORT
+
+In case for some reason, the SSH changed, otherwise this is 22 by default.
diff --git a/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md b/documentation/modules/exploit/linux/http/cisco_rv32x_rce.md
@@ -39,30 +39,30 @@ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2
 
 ## Options
 
-**RHOSTS**
+### RHOSTS
 
 Configure the remote vulnerable system.
 
-**RPORT**
+### RPORT
 
 Configure the TCP port of the HTTP/HTTPS management web interface.
 
-**USE_SSL**
+### USE_SSL
 
 This flag controls whether the remote management web interface is accessible
 via HTTPS or not. Should be false for HTTP and true for HTTPS.
 
-**PAYLOAD**
+### PAYLOAD
 
 Configure the Metasploit payload that you want to stage. Must be for MIPS64
 arch.  Set payload Options accordingly.
 
-**SRVHOST**
+### SRVHOST
 
 The module stages the payload via a web server. This is the binding interface
 IP. Default can be set to 0.0.0.0. 
 
-**HTTPDelay**
+### HTTPDelay
 
 This configures how long the module should wait for the incoming HTTP
 connection to the HTTP stager.

diff --git a/documentation/modules/exploit/linux/http/craftcms_preauth_rce_cve_2025_32432.md b/documentation/modules/exploit/linux/http/craftcms_preauth_rce_cve_2025_32432.md
@@ -75,8 +75,10 @@ ddev launch
 
 The module has the following option:
 
-- **ASSET_ID**: This option is required for older versions of Craft CMS, particularly in the 3.x series.
-    It specifies the asset ID for the Craft CMS instance. For 3.x versions, this ID must be set correctly to exploit the vulnerability.
+### ASSET_ID
+
+This option is required for older versions of Craft CMS, particularly in the 3.x series.
+It specifies the asset ID for the Craft CMS instance. For 3.x versions, this ID must be set correctly to exploit the vulnerability.
 
 For example, if you are targeting a Craft CMS version from the `>= 3.0.0`, `< 3.9.14`, make sure to specify the correct `ASSET_ID`.
 This is necessary for successful exploitation when dealing with these versions.

diff --git a/documentation/modules/exploit/linux/http/goahead_ldpreload.md b/documentation/modules/exploit/linux/http/goahead_ldpreload.md
@@ -30,7 +30,7 @@ gcc ./cgitest.c -o cgi-bin/cgitest
 
 ## Options
 
-  **TARGET_URI**
+### TARGET_URI
 
   Optional. The full path to a CGI endpoint on the target server.
 

diff --git a/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md b/documentation/modules/exploit/linux/http/hp_van_sdn_cmd_inject.md
@@ -18,23 +18,23 @@ Tested on 2.7.18.0503.
 
 ## Options
 
-**RPORT**
+### RPORT
 
 Set this to the port for the REST API, usually 8081.
 
-**WEBUI_PORT**
+### WEBUI_PORT
 
 Set this to the port for the web UI, usually 8443.
 
-**TOKEN**
+### TOKEN
 
 Set this to the service token. Defaults to `AuroraSdnToken37`.
 
-**USERNAME**
+### USERNAME
 
 Set this to the service username. Defaults to `sdn`.
 
-**PASSWORD**
+### PASSWORD
 
 Set this to the service password. Defaults to `skyline`.
 

diff --git a/documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md b/documentation/modules/exploit/linux/http/ipfire_bashbug_exec.md
@@ -16,11 +16,11 @@
 
 ## Options
 
-  **PASSWORD**
+### PASSWORD
 
   Password is set at install.  May be blank, 'admin', or 'ipfire'.
 
-  **CMD**
+### CMD
 
   This is the command to run on the system.
 

diff --git a/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md b/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md
@@ -21,7 +21,7 @@ This module has been verified against:
 
 ## Options
 
-  **PASSWORD**
+### PASSWORD
 
   Password is set at install.  May be blank, 'admin', or 'ipfire'.
 
@@ -45,4 +45,4 @@ This module has been verified against:
     uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
     whoami
     nobody
-  ```
+  ```
diff --git a/documentation/modules/exploit/linux/http/ipfire_pakfire_exec.md b/documentation/modules/exploit/linux/http/ipfire_pakfire_exec.md
@@ -20,10 +20,10 @@
 
 ## Options
 
-  **USERNAME**
+### USERNAME
   Username of the administrative user you are authenticating to the web portal as.
 
-  **PASSWORD**
+### PASSWORD
   Password for the administrative user you are authenticating to the web portal as.
 
 ## Scenarios

diff --git a/documentation/modules/exploit/linux/http/ipfire_proxy_exec.md b/documentation/modules/exploit/linux/http/ipfire_proxy_exec.md
@@ -17,7 +17,7 @@
 
 ## Options
 
-  **PASSWORD**
+### PASSWORD
 
   Password is set at install.  May be blank, 'admin', or 'ipfire'.
 
@@ -44,4 +44,4 @@
     uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
     whoami
     nobody
-  ```
+  ```
diff --git a/documentation/modules/exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth.md b/documentation/modules/exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth.md
@@ -21,7 +21,7 @@
 
 ## Options
 
-  **PAYLOAD**
+### PAYLOAD
 
   The `generic` and `netcat` payload types are valid.
 

diff --git a/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md b/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md
@@ -30,11 +30,11 @@ anyway.
 
 ## Options
 
-  **USER_ID**
+### USER_ID
 
   If you wish to exploit a particular ```USER_ID```, that can be specified here.  Default is 1, which is most likely the admin account.
 
-  **API_TOKEN**
+### API_TOKEN
 
   The SQLi included only works for MySQL, which should work in most cases.  However, if you experience a different backend, you can enumerate the user
   table via sqlmap: ```sqlmap -u "http://[ip]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```.

diff --git a/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md b/documentation/modules/exploit/linux/http/netgear_dnslookup_cmd_exec.md
@@ -17,15 +17,15 @@
 
 ## Options
 
-  **USERNAME**
+### USERNAME
 
   The `USERNAME` option sets the username to authenticate the request with.
   The command injection will __not__ succeed if the username and password are not correct.
   The default username for NETGEAR Routers is `admin`. If you don't know the credentials,
   your best bet will be to use the default username and password.
 
 
-  **PASSWORD**
+### PASSWORD
 
   The `PASSWORD`options sets the password to authenticate the request with.
   The command injection will __not__ succeed if the username and password are not correct.

diff --git a/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md b/documentation/modules/exploit/linux/http/netgear_r7000_cgibin_exec.md
@@ -17,7 +17,7 @@ Netgear R7000 and R6400 routers running firmware version `1.0.7.2_1.1.93` and po
 
 ## Options
 
-  **PAYLOAD**
+### PAYLOAD
 
   The valid payloads are `meterpreter` payloads _only_. The payload uses the `wget` flavor and pipes the downloaded binary to `sh`
 

diff --git a/documentation/modules/exploit/linux/http/op5_config_exec.md b/documentation/modules/exploit/linux/http/op5_config_exec.md
@@ -24,11 +24,11 @@ Just a few quick notes on setting up a vulnerable lab with this software.
 
 ## Options
 
-  **PASSWORD**
+### PASSWORD
 
   Password is 'monitor' by default.
 
-  **USERNAME**
+### USERNAME
 
   Documentation was unclear on this.  Installing just the app, the
   username was 'monitor' by default.  However it looks like if you
@@ -60,4 +60,4 @@ Just a few quick notes on setting up a vulnerable lab with this software.
     monitor
     id
     uid=299(monitor) gid=48(apache) groups=48(apache),14(uucp),488(smstools) context=system_u:system_r:initrc_t:s0
-  ```
+  ```
diff --git a/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md b/documentation/modules/exploit/linux/http/pandora_ping_cmd_exec.md
@@ -26,11 +26,11 @@ Launch metasploit and set the appropriate options:
 
 ## Options
 
-  **USERNAME**
+### USERNAME
 
   The username for Pandora FMS.
 
-  **PASSWORD**
+### PASSWORD
 
   The password for Pandora FMS.
 

diff --git a/documentation/modules/exploit/linux/http/panos_readsessionvars.md b/documentation/modules/exploit/linux/http/panos_readsessionvars.md
@@ -24,9 +24,9 @@ This VM is not generally available, but the specific disk image used was `PA-VM-
 
 ## Options
 
-**CBHOST** The callback listener address if the default is not accurate (port forwarding, etc)
+### CBHOST The callback listener address if the default is not accurate (port forwarding, etc)
 
-**CBPORT** The callback listener port
+### CBPORT The callback listener port
 
 
 ## Scenarios

diff --git a/documentation/modules/exploit/linux/http/php_imap_open_rce.md b/documentation/modules/exploit/linux/http/php_imap_open_rce.md
@@ -312,7 +312,7 @@ Make sure `php-imap` is installed and enabled.  Create `imap.php` with the follo
 
 ## Options
 
-  **TARGETURI**
+### TARGETURI
 
   The URI for the target.  This may change by target.  Default is ` `.
   Prestashop should be the admin URI, similar to `/admin2769gx8k3`.

diff --git a/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md b/documentation/modules/exploit/linux/http/pulse_secure_cmd_exec.md
@@ -21,7 +21,7 @@ Id  Name
 
 ## Options
 
-**SID**
+### SID
 
 Set this to a valid administrator session ID. Typically retrieved using
 the `auxiliary/gather/pulse_secure_file_disclosure` module.

diff --git a/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md b/documentation/modules/exploit/linux/http/qnap_qcenter_change_passwd_exec.md
@@ -36,11 +36,11 @@
 
 ## Options
 
-  **USERNAME**
+### USERNAME
 
   Username for the application. (default: `admin`)
 
-  **PASSWORD**
+### PASSWORD
 
   Password for the application. (default: `admin`)
 

diff --git a/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md b/documentation/modules/exploit/linux/http/supervisor_xmlrpc_exec.md
@@ -32,15 +32,15 @@
 
 ## Options
 
-  **HttpUsername**
+### HttpUsername
 
   Username for HTTP basic auth which is set in the conf file(optional)
 
-  **HttpPassword**
+### HttpPassword
 
   Password for HTTP basic auth which is set in the conf file(optional)
 
-  **TARGETURI**
+### TARGETURI
 
   The path to the XML-RPC endpoint
 

diff --git a/documentation/modules/exploit/linux/http/tiki_calendar_exec.md b/documentation/modules/exploit/linux/http/tiki_calendar_exec.md
@@ -66,7 +66,7 @@ vs
 
 ## Options
 
-  **PASSWORD**
+### PASSWORD
 
   Password is set at first login. Default for admin is 'admin'.
 

diff --git a/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md b/documentation/modules/exploit/linux/http/unraid_auth_bypass_exec.md
@@ -25,7 +25,9 @@ according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getti
 
 ## Options
 
-  **TARGETURI** : The URI of the Unraid application
+### TARGETURI
+
+The URI of the Unraid application
 
 ## Scenarios
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,7 +21,7 @@ Id Name @@
     ## Options
-    **SID**
+    ### SID
     Set this to a valid administrator session ID. Typically retrieved using
     the `auxiliary/gather/pulse_secure_file_disclosure` module.
@@ Expand Down @@