Releases · projectdiscovery/nuclei-templates

16 Mar 07:17

princechaddha

v10.4.0

c31357c

Nuclei Templates v10.4.0 – Release Notes Latest

Latest

New Templates Added: `94` | CVEs Added: `47` | First-time contributions: `12`

🔥 Release Highlights 🔥

[CVE-2026-27971] Qwik - Unauthenticated RCE via server$ Deserialization (@omarkurt) [critical] 🔥
[CVE-2026-27944] Nginx UI < 2.3.3 - Information Disclosure (@omarkurt) [critical] 🔥
[CVE-2026-1603] Ivanti Endpoint Manager - Authentication Bypass (@dhiyaneshdk, @watchtowrlabs) [high] (KEV) (vKEV) 🔥
[CVE-2026-1492] WP User Registration & Membership <= 5.1.2 - Unauth Privilege Escalation (@omarkurt) [critical] (vKEV) 🔥
[CVE-2026-1357] WPvivid Backup & Migration <= 0.9.123 - Arbitrary File Upload (@omarkurt) [critical] (vKEV) 🔥
[CVE-2026-0770] Langflow < 1.3.0 - Remote Code Execution via validate_code() exec() (@affix) [critical] (vKEV) 🔥
[CVE-2025-71243] SPIP Saisies - Remote Code Execution (@omarkurt) [critical] 🔥
[CVE-2025-64328] FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection (@_th3y) [critical] (KEV) (vKEV) 🔥
[CVE-2025-40554] SolarWinds Web Help Desk - Authentication Bypass (@Bushi-gg) [critical] 🔥
[CVE-2025-40552] SolarWinds Web Help Desk - Authentication Bypass (@watchtowr, @dhiyaneshdk) [critical] 🔥
[CVE-2025-40536] SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass (@inokii) [high] (KEV) (vKEV) 🔥
[CVE-2024-37261] WP-Lister Lite for Amazon <= 2.6.16 - Cross-Site Scripting (@Kazgangap) [medium] (vKEV) 🔥
[CVE-2024-9643] Four-Faith F3x36 - Authentication Bypass (@trader642) [critical] (vKEV) 🔥
[CVE-2023-3452] WordPress Canto Plugin <= 3.0.4 - File Inclusion (@omarkurt) [critical] 🔥
[CVE-2021-28481] Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound) (@daffainfo) [critical] (vKEV) 🔥
[CVE-2021-28480] Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound) (@daffainfo) [critical] 🔥

What's Changed

Bug Fixes

Corrected wrong PoC in CVE-2025-54253 (template was using the PoC for CVE-2025-49533) (Issue #14783)
Fixed @Host variable generation in multiple UniFi templates causing malformed requests (PR #15575)
Fixed invalid reference URL in CVE-2021-37704 (PR #15524)
Fixed broken reference URL in cpanel backup config template (PR #15379)
Fixed malformed matcher formatting in CVE-2025-40554 (PR #15375)

False Negatives

Fixed exposed-svn.yaml failing to detect valid SVN repositories despite receiving 200 OK responses (Issue #15060)

False Positives

Reduced false positives in CVE-2025-14847 triggering on non-MongoDB services due to blind payload injection and flawed matcher logic (Issues #15519, #15560, PRs #15520, #15579)
Fixed version comparison logic in CVE-2026-25892 causing false positives on non-vulnerable versions (Issue #15356, PR #15462)
Fixed CVE-2024-2473 executing without confirming the target plugin is present (Issue #15525)
Fixed CVE-2021-24527 generating false positive results (Issue #13607)
Reduced false positives in the following templates:
- CVE-2021-37833 HotelDruid fingerprint matcher (PR #15597)
- CVE-2023-45648 Apache Tomcat version matcher (PR #15591)
- laravel-env exposure via negative HTML body matcher (PR #15598)
- checkmk-info-disclosure (PR #15564)
- Charset detection template via missing Content-Type check (PR #15533)
- CVE-2024-27198 JetBrains TeamCity (PR #15425)
- CVE-2024-4295 (PR #11442)

Enhancements

Enriched classification metadata (CVE IDs, CVSS scores, CPEs, NVD references) across multiple templates (PRs #15578, #15589, #15369, #15370, #15371)
Updated ClawdBot Gateway exposure template with improved detection logic (PR #15548)
Renamed Forcepoint Login panel template to follow naming conventions (PR #15582)

Templates Added

[CVE-2026-27971] Qwik - Unauthenticated RCE via server$ Deserialization (@omarkurt) [critical] 🔥
[CVE-2026-27944] Nginx UI < 2.3.3 - Information Disclosure (@omarkurt) [critical] 🔥
[CVE-2026-27645] Changedetection.io RSS Single Watch - Cross-Site Scripting (@0x_Akoko) [medium]
[CVE-2026-25512] Group-Office < 26.0.5 - Remote Code Execution (@omarkurt) [critical]
[CVE-2026-23829] Mailpit < 1.28.2 - SMTP CRLF Injection (@omarkurt) [medium]
[CVE-2026-2413] Ally – Web Accessibility & Usability <= 4.0.3 - SQL Injection (@Shivam Kamboj) [high]
[CVE-2026-1603] Ivanti Endpoint Manager - Authentication Bypass (@dhiyaneshdk, @watchtowrlabs) [high] (KEV) (vKEV) 🔥
[CVE-2026-1492] WordPress User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation (@omarkurt) [critical] (vKEV) 🔥
[CVE-2026-1357] WPvivid Backup & Migration <= 0.9.123 - Arbitrary File Upload (@omarkurt) [critical] (vKEV) 🔥
[CVE-2026-0829] Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending (@0x_Akoko) [high]
[CVE-2026-0770] Langflow < 1.3.0 - Remote Code Execution via validate_code() exec() (@affix) [critical] (vKEV) 🔥
[CVE-2025-71243] SPIP Saisies - Remote Code Execution (@omarkurt) [critical] 🔥
[CVE-2025-69971] FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass (@trader642) [critical]
[CVE-2025-64328] FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection (@_th3y) [critical] (KEV) (vKEV) 🔥
[CVE-2025-62780] ChangeDetection.io <= v0.50.33 - Stored XSS via Watch API (@0x_Akoko) [medium]
[CVE-2025-62613] VDO.Ninja - DOM-Based Cross-Site Scripting (@0x_Akoko) [medium]
[CVE-2025-54726] WordPress JS Archive List <= 6.1.5 - SQL Injection (@Shivam Kamboj) [high]
[CVE-2025-48281] MyStyle Custom Product Designer <= 3.21.1 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2025-40554] SolarWinds Web Help Desk - Authentication Bypass (@Bushi-gg) [critical] 🔥
[CVE-2025-40552] SolarWinds Web Help Desk - Authentication Bypass (@watchtowr, @dhiyaneshdk) [critical] 🔥
[CVE-2025-40536] SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass (@inokii) [high] (KEV) (vKEV) 🔥
[CVE-2025-32355] Rocket TRUfusion Enterprise - Server Side Request Forgery (@princechaddha, @rcesecurity, @dhiyaneshdk) [high]
[CVE-2025-27506] NocoDB < 0.258.0 - Reflected XSS in Password Reset (@0x_Akoko) [medium]
[CVE-2025-22785] Course Booking System <= 6.0.6 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2024-43965] SendGrid for WordPress <= 1.4 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2024-37261] WP-Lister Lite for Amazon <= 2.6.16 - Cross-Site Scripting (@Kazgangap) [medium] (vKEV) 🔥
[CVE-2024-30502] WP Travel Engine <= 5.7.9 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2024-30498] CRM Perks Forms <= 1.1.4 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2024-30464] WPZOOM Social Icons Widget <= 4.2.15 - Missing Authorization (@pussycat0x) [medium]
[CVE-2024-12025] WordPress Collapsing Categories <= 3.0.8 - SQL Injection (@Shivam Kamboj) [high]
[CVE-2024-9765] EKC Tournament Manager WordPress plugin - Path Traversal (@Sourabh-Sahu) [medium]
[CVE-2024-9643] Four-Faith F3x36 - Authentication Bypass (@trader642) [critical] (vKEV) 🔥
[CVE-2024-8625] WordPress TS Poll < 2.4.0 - SQL Injection (@riteshs4hu) [high]
[CVE-2023-50839] JS Help Desk <= 2.8.1 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2023-40600] EWWW Image Optimizer <= 7.2.0 - Unauthenticated Information Disclosure (@Shivam Kamboj) [medium]
[CVE-2023-32590] Subscribe to Category <= 2.7.4 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2023-7337] JS Help Desk <= 2.8.2 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2023-6030] LogDash Activity Log <= 1.1.3 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2023-5652] WP Hotel Booking <= 2.0.7 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2023-5203] WP Sessions Time Monitoring Full Automatic <= 1.0.8 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2023-3643] CAREL Boss Mini <= 1.4.0 - Local File Inclusion (@Kazgangap) [critical]
[CVE-2023-3452] WordPress Canto Plugin <= 3.0.4 - File Inclusion (@omarkurt) [critical] 🔥
[CVE-2022-44588] Cryptocurrency Widgets Pack <= 1.8.1 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2022-1453] RSVPMaker <= 9.2.5 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2022-0439] Email Subscribers & Newsletters <= 5.3.1 - Authenticated SQL Injection (@Shivam Kamboj) [high]
[CVE-2021-28481] Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound) (@daffainfo) [critical] (vKEV) 🔥
[CVE-2021-28480] Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound) (@daffainfo) [critical] 🔥
[apache-syncope-default-login] Apache Syncope - Default Login (@icarot) [high]
[circutor-default-login] Circutor Line-TCPRS1 - Default Login (@s4e-io) [high]
[gitness-default-login] Gitness - Default Login (@0x_Akoko) [high]
[carel-boss-mini-panel] CAREL Boss Mini - Login Panel Detected (@Kazgangap) [info]
[hpe-autopass-panel] HPE AutoPass License Server - Panel Detection (@Kylianghd) [info]
[recoverpoint-panel] Dell EMC RecoverPoint Panel - Detect (@rxerium) [info]
[ypareo-panel] YPAREO Panel - Detect (@righettod) [info]
[interswitch-webpay] Interswitch Webpay - Credentials Exposure (@LloydCoder) [info]
[paystack-secret-live] Paystack Secret/Live Key - Exposure (@LloydCoder) [info]
[remita-credentials] Remita Merchant ID & API Key - Exposure (@LloydCoder) [low]
[sportybet-api] SportyBet / BetKing Admin or API Token - Exposure (@LloydCoder) [info]
[wix-detect] Wix Detection (@chirag Mistry) [info]
[apache-syncope-detect] Apache Syncope - Detect (@icarot) [info]
[bentoml-detect] BentoML Prediction Service - Detection (@rxerium) [info]
[bigcommerce-detect] BigCommerce Detection (@chirag Mistry) [info]
[bitrix-detect] Bitrix Detection (@chirag Mistry) [info]
[blogger-detect] Blogger Detection (@chirag Mistry) [info]
[cloudflare-speedtest] Cloudflare Speedtest - Detect (@dhiyaneshdk) [info]
[comfyui...

Contributors

chirag, affix, and 32 other contributors

Assets 3

16 Feb 09:25

princechaddha

v10.3.9

fc9d1be

Nuclei Templates v10.3.9 – Release Notes

New Templates Added: `182` | CVEs Added: `116` | First-time contributions: `7`

🔥 Release Highlights 🔥

[CVE-2026-25892] Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent DoS (@dhiyaneshdk) [high] 🔥
[CVE-2026-23744] MCPJam Inspector - Remote Code Execution (@louay-075) [critical] 🔥
[CVE-2026-22812] OpenCode < 1.0.216 - Unauthenticated Remote Code Execution (@princechaddha) [high] 🔥
[CVE-2026-21891] ZimaOS - Authentication Bypass (@dhiyaneshdk) [critical] 🔥
[CVE-2026-21877] n8n >= 0.123.0 and < 1.121.3 - Remote Code Execution (@s4e-io) [critical] 🔥
[CVE-2026-1731] BeyondTrust Remote Support - Unauth WebSocket RCE (@attackerkb, @hacktron, @pdteam) [critical] (KEV) 🔥
[CVE-2026-1207] Django RasterField - SQL Injection (@omarkurt) [high] 🔥
[CVE-2025-54068] Laravel Livewire v3 - Remote Command Execution (@flame-11) [critical] 🔥
[CVE-2025-40551] SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE (@Horizon3.ai) [critical] (KEV) 🔥
[CVE-2025-14528] D-Link DIR-803 - Authentication Bypass (@dhiyaneshdk) [high] 🔥
[CVE-2025-2611] ICTBroadcast - Command Injection (@Chocapikk) [critical] (vKEV) 🔥
[CVE-2024-8943] LatePoint <= 5.0.12 - Authentication Bypass (@daffainfo) [critical] (vKEV) 🔥
[CVE-2024-8911] LatePoint <= 5.0.11 - SQL Injection (@daffainfo) [critical] (vKEV) 🔥
[CVE-2024-6671] WhatsUp Gold GetStatisticalMonitorList SQLi - Authentication Bypass (@daffainfo, @jjcho) [critical] (vKEV) 🔥
[CVE-2024-6250] LOLLMS WebUI - Absolute Path Traversal (@ritikchaddha) [high] 🔥
[CVE-2024-0705] Stripe Payment Plugin for WooCommerce <= 3.7.9 - Unauth SQL Injection (@Shivam Kamboj) [critical] 🔥
[CVE-2023-35708] MOVEit Transfer - SQL Injection (@daffainfo, @jjcho) [critical] (vKEV) 🔥
[CVE-2022-31678] VMWare Cloud Foundation NSX-V - XML External Entity (XXE) (@daffainfo) [critical] (vKEV) 🔥
[CVE-2022-3236] Sophos Firewall <= 19.0 MR1 - Remote Code Execution (@daffainfo) [critical] (KEV) 🔥
[CVE-2021-22017] vCenter Server - Improper Access Control (@daffainfo) [medium] (KEV) 🔥
[CVE-2019-13608] Citrix StoreFront Server - XML External Entity (@daffainfo) [high] (KEV) 🔥
[CVE-2017-9841] PHPUnit - Remote Code Execution (@Random_Robbie, @pikpikcu) [critical] (KEV) 🔥

What's Changed

Bug Fixes

Fixed incorrect tag formatting (- appearing as a tag) in CVE-2019-17444 template (PR #15306)
Fixed incorrect reference in authentik-panel template (PR #15298)
Fixed port format in unauth-java-message-broker-detect template (PR #15117)
Fixed tag formatting (double comma) in templates (PR #15118)
Fixed formatting of tags in CVE-2019-5591 template (PR #15119)
Fixed port used on CVE-2014-0160 Heartbleed — was testing port 443 twice instead of testing plain HTTP port (PR #14653)
Fixed path for gude-default-login template (PR #15134)
Moved CVE-2024-43283.yaml to correct directory http/cves/2024 (PR #15100)
Updated CVE-2025-68645.yaml (PR #15109)
Updated CVE-2024-13094.yaml with new alert script (PR #15299)
Updated CVE-2021-24527.yaml (PR #14980)

False Negatives

Fixed false negative in CVE-2025-24963 on Linux targets (Ubuntu/Debian) due to strict /etc/passwd matching (PR #15301, Issue #15205)

False Positives

Reduced false positives in wp-wps-hide-login-log template that triggered on non-WordPress SPA sites (PR #15096, Issue #15089)
Fixed false positives in CVE-2021-35042 matcher — status_code == 500 alone was triggering on generic 500 pages (PR #15250)
Made matchers for weak-csp-detect more granular to avoid duplicate matching results (PR #15123)
Improved weak CSP detection logic, fixed matcher conditions and corrected regex typo (PR #15014)

Enhancements

Enhanced Cisco UCM username enumeration template to extract usernames, emails, and phone numbers added 3 new Cisco UCM templates (PR #15049)
Refactored Open WebUI template to make detection more generic (PR #15251)
Rewrote templates from RAW HTTP to normal HTTP for clustering support, saving ~150 requests per scan (PR #14743)
Added additional path to Tomcat detection for malformed URL error page disclosure (PR #15056)
Added various DNS templates — DMARC, SPF, DKIM, etc. (PR #14784)
Added ACME Challenge Detect template (PR #15058)

Templates Added

[CVE-2026-25892] Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent DoS (@dhiyaneshdk) [high] 🔥
[CVE-2026-24128] XWiki Platform Distribution Flavor Main - Cross-Site Scripting (@ritikchaddha) [medium]
[CVE-2026-23744] MCPJam Inspector - Remote Code Execution (@louay-075) [critical] 🔥
[CVE-2026-22812] OpenCode < 1.0.216 - Unauthenticated Remote Code Execution (@princechaddha) [high] 🔥
[CVE-2026-21891] ZimaOS - Authentication Bypass (@dhiyaneshdk) [critical] 🔥
[CVE-2026-21877] n8n >= 0.123.0 and < 1.121.3 - Remote Code Execution (@s4e-io) [critical] 🔥
[CVE-2026-1731] BeyondTrust Remote Support - Unauthenticated WebSocket RCE (@attackerkb, @hacktron, @pdteam) [critical] (KEV) 🔥
[CVE-2026-1207] Django RasterField - SQL Injection (@omarkurt) [high] 🔥
[CVE-2026-0594] WordPress List Site Contributors < 1.1.8 - Reflected XSS (@m4sh_wacker) [medium]
[CVE-2025-68509] User Submitted Posts <= 20251121 - Unauthenticated Open Redirect (@Shivam Kamboj) [medium]
[CVE-2025-66744] Yonyou YonBIP - Path Traversal (@dhiyaneshdk) [high]
[CVE-2025-54068] Laravel Livewire v3 - Remote Command Execution (@flame-11) [critical] 🔥
[CVE-2025-40551] SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE (@Horizon3.ai) [critical] (KEV) 🔥
[CVE-2025-32257] 1 Click WordPress Migration <= 2.2 - Unauthenticated Information Disclsoure (@pussycat0x) [medium]
[CVE-2025-28242] DAEnetIP4 METO v1.25 - Session Hijacking (@0x_Akoko) [high]
[CVE-2025-24786] WhoDB < 0.45.0 - Path Traversal (@basicbeny) [high]
[CVE-2025-24582] 12 Step Meeting List < 3.16.6 - Unauthenticated Sensitive Information Exposure (@pussycat0x) [medium]
[CVE-2025-22214] Landray EIS SQL注入漏洞 (@ark) [critical]
[CVE-2025-15503] Sangfor OSM - Arbitrary File Upload (@ark) [critical]
[CVE-2025-14528] D-Link DIR-803 - Authentication Bypass (@dhiyaneshdk) [high] 🔥
[CVE-2025-14155] Premium Addons for Elementor - Unauthenticated Information Disclosure (@dhiyaneshdk) [medium]
[CVE-2025-13956] LearnPress < 4.3.2 - Broken Access Control (@pussycat0x) [medium]
[CVE-2025-13138] WP Directory Kit <= 1.4.3 - Unauthenticated SQL Injection (@Shivam Kamboj) [high]
[CVE-2025-11368] LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure (@pussycat0x) [medium]
[CVE-2025-10353] Melis Technology Melis Platform - Unrestricted File Upload & Remote Code Execution (@ohmygod20260203) [critical]
[CVE-2025-10090] Jinher OA - SQL Injection (@dhiyaneshdk) [high]
[CVE-2025-8266] ChanCMS <= 3.1. - Remote Code Execution (@ark) [critical]
[CVE-2025-4652] Broadstreet WordPress plugin - Reflected XSS (@Sourabh-Sahu) [medium]
[CVE-2025-4078] Wangshen SecGate 3600 Path Traversal Vulnerability (@ark) [medium]
[CVE-2025-2611] ICTBroadcast - Command Injection (@Chocapikk) [critical] (vKEV) 🔥
[CVE-2025-1338] NUUO Camera <=20250203 - OS Command Injection (@ark) [critical]
[CVE-2025-1303] Plugin Oficial – Getnet para WooCommerce <= 1.8.0 - Cross-Site Scripting (@Shivam Kamboj) [medium]
[CVE-2025-1232] Site Reviews < 7.2.5 - Unauthenticated Stored XSS (@0x_Akoko) [high]
[CVE-2024-43283] Contest Gallery - Broken Access Control (@popcorn94) [medium]
[CVE-2024-37259] WP Extended < 3.0.0 - Stored Cross-Site Scripting (@0xanis) [medium]
[CVE-2024-32128] WordPress Realtyna Organic IDX Plugin <= 4.14.4 - Unauthenticated SQL Injection (@Shivam Kamboj) [critical]
[CVE-2024-30490] ProfileGrid <= 5.7.8 - SQL Injection (@Shivam Kamboj) [critical]
[CVE-2024-14015] Studiocart <= 2.9.0 - Cross-Site Scripting (@Shivam Kamboj) [medium]
[CVE-2024-13727] MemberSpace WordPress - Cross-Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2024-13634] Post Sync Plugin <= 1.1 - Cross-Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2024-13630] NewsTicker <= 1.0 - Reflected Cross-Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2024-13628] WP Pricing Table - Reflected XSS (@Sourabh-Sahu) [medium]
[CVE-2024-13627] OWL Carousel Slider - Cross-Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2024-13625] Tube Video Ads Lite - Reflected XSS (@Sourabh-Sahu) [high]
[CVE-2024-13619] LifterLMS < 8.0.1 - Cross-Site Scripting (@Shivam Kamboj) [medium]
[CVE-2024-13609] WordPress 1 Click Migration Plugin < 2.3 - Information Exposure (@pussycat0x) [medium]
[CVE-2024-13570] WordPress Stray Random Quotes <= 1.9.9 - Cross-Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2024-13569] WordPress Front End Users - Reflected XSS (@Sourabh-Sahu) [high]
[CVE-2024-13543] Zarinpal Paid Download - Reflected XSS (@Sourabh-Sahu) [medium]
[CVE-2024-13492] Guten Free Options - Cross Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2024-13352] Legull WordPress - Cross-Site Scripting (@Sourabh-Sahu) [high]
[CVE-2024-13331] WP Dream Carousel < 1.0.1b - Cross-Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2024-13330] JustRows WordPress - Cross-Site Scripting (@Sourabh-Sahu) [high]
[CVE-2024-13328] Giga Messenger WordPress - Cross-Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2024-13327] Musicbox WordPress - Reflected XSS (@Sourabh-Sahu) [medium]
[CVE-2024-13326] iBuildApp <= 0.2.0 - Reflected Cross-Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2024-13325] Glossy WordPress - Reflected XSS (@Sourabh-Sahu) [medium]
[CVE-2024-13226] A5 Custom Login Page - Reflected XSS (@Sourabh-Sahu) [medium]
[CVE-2024-13225] ECT Home Page Products - Reflected XSS (@Sourabh-Sahu) [medium]
[CVE-2024-13224] SlideDeck 1 ...

Contributors

morgan, righettod, and 36 other contributors

Assets 3

26 Jan 12:48

princechaddha

v10.3.8

43df6aa

Nuclei Templates v10.3.8 – Release Notes

New Templates Added: `457` | CVEs Added: `43` | First-time contributions: `13`

🔥 Release Highlights 🔥

[CVE-2026-23760] SmarterTools SmarterMail - Admin Password Reset (@watchtowr, @dhiyaneshdk) [critical] (vKEV) 🔥
[CVE-2026-23550] Modular DS - Broken Access Control (@dhiyaneshdk) [high] (vKEV) 🔥
[CVE-2026-22200] osTicket - Arbitrary File Read (@dhiyaneshdk) [high] 🔥
[CVE-2026-21858] n8n Webhooks - Remote Code Execution (@rxerium) [critical] (vKEV) 🔥
[CVE-2025-66516] Apache Tika - XML External Entity Injection (@MathematicianGoat) [high] 🔥
[CVE-2025-56520] Dify v1.6.0 - Server-Side Request Forgery (@0x_Akoko) [high] 🔥
[CVE-2025-52694] Advantech WISE-IoTSuite/SaaS - SQL Injection (@Loi Nguyen Thang) [critical] 🔥
[CVE-2025-27817] Apache Kafka Client - Arbitrary File Read (@0x_Akoko) [high] 🔥
[CVE-2025-25570] Vue Vben Admin - Default Credentials (@0x_Akoko) [critical] 🔥
[CVE-2025-8110] Gogs <= 0.13.3 - Remote Code Execution (@rxerium) [high] (kev) 🔥
[CVE-2025-4210] Casdoor - Authorization Bypass (@theamanrawat) [high] (vKEV) 🔥
[CVE-2023-52163] Digiever DS-2105 Pro - Command Injection (@rajesh-social-tech) [high] (kev) 🔥
[CVE-2022-4223] pgAdmin < 6.17 - Unauthenticated Remote Code Execution (@0x_Akoko) [critical] 🔥
[CVE-2020-26935] phpMyAdmin < 5.0.3 - SQL Injection (@0x_Akoko) [critical] 🔥
[CVE-2020-9039] Couchbase Server - Broken Access Control (@pussycat0x) [critical] 🔥
[CVE-2020-5722] Grandstream UCM6200 - SQL Injection (@theamanrawat) [critical] (kev) 🔥

What's Changed

Bug Fixes

Fixed copyright year detection from 2025 to 2026 in old-copyright.yaml (PR #14977)
Corrected CVE ID by renaming CVE-2025-54253.yaml to CVE-2025-49533.yaml (PR #14963)
Fixed file path by renaming CVE-2020-26935.yaml to proper directory (PR #14993)
Fixed file path for pear-registry-exposed.yaml (PR #14984)
Revised CVE-2025-61882 details and references (PR #14972)
Updated php-backup-files.yaml (PR #14973)
Updated CVE-2026-23760.yaml tags (PR #15023)
Fixed author name in CVE-2025-60188.yaml (PR #15042)

False Negatives

Fixed multiple regex-based templates triggering incorrectly on valid CSS (Issue #13131)

False Positives

Reduced false positives in the following templates:
- CVE-2022-42475 - Fixed detection when connection is dropped by firewall (PR #15027, Issue #14988)
- CVE-2024-2473 - Added missing "condition: and" to prevent early matching (PRs #14976, #14962, Issue #14950)
- coinbase-phish & hotjar-rum-detect (PR #15059)
- CVE-2023-30150.yaml (PR #14998)
- dot-credentials-exposure (Issue #14922)
- CVE-2023-34048 - Fixed false positives on ESXi hosts (Issue #14710)
- postgres-history-exposure (PR #14861, Issue #14844)
- xinclude-injection:linux - Reduced false positives with stricter regex (PR #14925, Issue #14775)

Enhancements

Updated detect-sentry.yaml with new matchers (PR #14955)

Templates Added

[CVE-2026-23760] SmarterTools SmarterMail - Admin Password Reset (@watchtowr, @dhiyaneshdk) [critical] (vKEV) 🔥
[CVE-2026-23550] Modular DS - Broken Access Control (@dhiyaneshdk) [high] (vKEV) 🔥
[CVE-2026-22200] osTicket - Arbitrary File Read (@dhiyaneshdk) [high] 🔥
[CVE-2026-21859] Mailpit < 1.28.3 - Server-Side Request Forgery (@omarkurt) [high]
[CVE-2026-21858] n8n Webhooks - Remote Code Execution (@rxerium) [critical] (vKEV) 🔥
[CVE-2025-66516] Apache Tika - XML External Entity Injection (@MathematicianGoat) [high] 🔥
[CVE-2025-66472] XWiki DeleteApplication - Cross-Site Scripting (@ritikchaddha) [medium]
[CVE-2025-56520] Dify v1.6.0 - Server-Side Request Forgery (@0x_Akoko) [high] 🔥
[CVE-2025-56132] LiquidFiles < 4.2 - User Enumeration via Password Reset (@dhiyaneshdk) [high]
[CVE-2025-55303] Astro - Unauthorized Third-Party Image Access (@theamanrawat) [medium]
[CVE-2025-52694] Advantech WISE-IoTSuite/SaaS - SQL Injection (@Loi Nguyen Thang) [critical] 🔥
[CVE-2025-46550] YesWiki < 4.5.4 - Cross-Site Scripting (@MuhammadWaseem) [medium]
[CVE-2025-46549] YesWiki <= 4.5.1 - Cross-Site Scripting (@MuhammadWaseem) [medium]
[CVE-2025-46349] YesWiki Reflected XSS via File Upload (@mahmoud Gamal) [high]
[CVE-2025-36845] Eveo URVE Web Manager - Server-Side Request Forgery (@dhiyaneshdk) [high]
[CVE-2025-27817] Apache Kafka Client - Arbitrary File Read (@0x_Akoko) [high] 🔥
[CVE-2025-25570] Vue Vben Admin - Default Credentials (@0x_Akoko) [critical] 🔥
[CVE-2025-13418] Responsive Pricing Table <= 5.1.12 - Cross-Site Scripting (@Shivam Kamboj, @jay Jani) [medium]
[CVE-2025-11580] PowerJob List - Authorization Bypass (@dhiyaneshdk) [medium]
[CVE-2025-8110] Gogs <= 0.13.3 - Remote Code Execution (@rxerium) [high] (kev) 🔥
[CVE-2025-4210] Casdoor - Authorization Bypass (@theamanrawat) [high] (vKEV) 🔥
[CVE-2025-3472] Ocean Extra <= 2.4.6 - Unauthenticated Shortcode Execution (@theamanrawat) [medium]
[CVE-2024-56159] Astro - Information Disclosure (@theamanrawat) [medium]
[CVE-2024-29137] WordPress Tourfic Plugin <= 2.11.7 - Cross-Site Scripting (@Shivam Kamboj) [high] 🔥
[CVE-2024-23055] Plone Docker - Host Header Injection (@theamanrawat) [medium]
[CVE-2023-52163] Digiever DS-2105 Pro - Command Injection (@rajesh-social-tech) [high] (kev) 🔥
[CVE-2023-33960] OpenProject < 12.5.4 - Project Identifiers Exposure (@0x_Akoko) [medium]
[CVE-2022-41697] Ghost CMS - User Enumeration (@ritikchaddha) [medium] 🔥
[CVE-2022-4223] pgAdmin < 6.17 - Unauthenticated Remote Code Execution (@0x_Akoko) [critical] 🔥
[CVE-2022-0188] CMP WordPress < 4.0.19 - Broken Access Control (@pussycat0x) [medium]
[CVE-2021-37598] WP Cerber < 8.9.3 - Broken Access Control (@theamanrawat) [medium]
[CVE-2021-22881] Ruby on Rails - Open Redirect via Host Header Injection (@theamanrawat) [medium] 🔥
[CVE-2021-21246] OneDev < 4.0.3 - User Access Token Leak (@dhiyaneshdk) [high]
[CVE-2020-26935] phpMyAdmin < 5.0.3 - SQL Injection (@0x_Akoko) [critical] 🔥
[CVE-2020-19363] Vtiger CRM v7.2.0 - Directory Listing (@0x_Akoko) [medium] 🔥
[CVE-2020-16248] Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF) (@dhiyaneshdk) [medium] 🔥
[CVE-2020-15081] PrestaShop < 1.7.6.6 - Information Exposure via Upload Directory (@0x_Akoko) [low] 🔥
[CVE-2020-9314] Oracle iPlanet Web Server 7.0.x - Image Injection (@dhiyaneshdk) [medium]
[CVE-2020-9039] Couchbase Server - Broken Access Control (@pussycat0x) [critical] 🔥
[CVE-2020-5722] Grandstream UCM6200 - SQL Injection (@theamanrawat) [critical] (kev) 🔥
[CVE-2019-14206] Nevma Adaptive Images - Arbitrary File Deletion (@riteshs4hu) [high]
[CVE-2019-12935] Shopware < 5.5.8 - Cross-Site Scripting (@pussycat0x) [high] 🔥
[CVE-2018-7765] Schneider Electric U.motion Builder - SQL Injection (@daffainfo) [high]
[clawdbot-gw-exposure] Clawdbot Gateway - Detect (@rxerium) [info]
[pendo-api-key-exposure] Pendo API Key Exposure (@0x_Akoko) [medium]
[jhipster-default-login] JHipster Platform - Default Login (@ritikchaddha) [high]
[openlitespeed-default-login] OpenLiteSpeed WebAdmin - Default Login (@0x_Akoko) [high]
[cgit-detect] cgit Web Interface - Detection (@ritikchaddha) [info]
[cheatsh-detect] cheat.sh Instance - Detection (@ritikchaddha) [info]
[cisco-webex-meetings-panel] Cisco Webex Meetings - Panel (@Eyonn) [info]
[dagster-webserver-ui-exposure] Dagster - Webserver UI Exposure (@0x_Akoko) [medium]
[orbeon-forms-ex...

Contributors

shino, mahmoud, and 27 other contributors

Assets 3

11 Jan 16:55

princechaddha

v10.3.7

8e5debf

Nuclei Templates v10.3.7 – Release Notes

New Templates Added: `102` | CVEs Added: `42` | First-time contributions: `9` | Bounties rewarded: `16`

🔥 Release Highlights 🔥

[CVE-2025-69200] phpMyFAQ - Configuration Backup Disclosure (@louay-075) [high] 🔥
[CVE-2025-68926] RustFS < 1.0.0-alpha.77 - Hardcoded gRPC Authentication Token (@Chocapikk, @bilisheep) [critical] 🔥
[CVE-2025-68645] Zimbra Collaboration - Local File Inclusion (@dhiyaneshdk, @sirifu4k1) [high] 🔥
[CVE-2025-62522] Vite - Information Disclosure (@dhiyaneshdk) [medium] 🔥
[CVE-2025-60188] Atarim < 4.2.2 - Sensitive Information Exposure (@m4sh_wacker) [high] 🔥
[CVE-2025-52691] SmarterMail - Unrestricted File Upload (@dhiyaneshdk, @watchtowr) [critical] 🔥
[CVE-2025-34291] Langflow AI <= 1.6.9 - CORS Misconfiguration (@686f6c61) [critical] 🔥
[CVE-2025-14847] MongoDB Server - Info Disclosure (MongoBleed) (@pussycat0x, @joe-desimone, @dhiyaneshdk) [high] 🔥 (vKEV)
[CVE-2025-8848] LibreChat <= 0.7.9 - HTML Injection via Accept-Language Header (@Kazgangap) [medium] 🔥
[CVE-2024-28986] SolarWinds Web Help Desk < 12.8.3 - Insecure Deserialization (@rxerium) [critical] 🔥 (vKEV)
[CVE-2024-24882] Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation (@riteshs4hu) [critical] 🔥 (vKEV)
[CVE-2024-5057] WordPress Easy Digital Downloads <= 3.2.12 - SQL Injection (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-33193] Emby Server - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-27351] PaperCut NG - Authentication Bypass (@daffainfo, @jjcho) [high] 🔥 (vKEV)
[CVE-2022-27924] Zimbra Collaboration Suite - Memcached Command Injection (@rxerium) [high] 🔥 (vKEV)
[CVE-2021-28799] QNAP HBS 3 - Broken Access Control (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2019-11253] Kubernetes API Server - YAML Parsing DoS (Billion Laughs) (@ritikchaddha) [high] 🔥
[CVE-2018-9206] Blueimp jQuery-File-Upload v9.22.0 - Unrestricted File Upload (@thewindghost) [critical] 🔥 (vKEV)
[CVE-2018-6961] VMware NSX SD-WAN Edge - Command Injection (@D3nverNg, @thewindghost) [critical] 🔥 (vKEV)
[CVE-2016-15043] WP Mobile Detector <= 3.5 - Unrestricted File Upload (@D3nverNg, @thewindghost) [critical] 🔥 (vKEV)

What's Changed

💰 Bounties Rewarded 💰

CVE-2019-14206 - Nevma Adaptive Images - Arbitrary File Deletion (Issue #14693, PR #14694)
CVE-2016-15043 - WP Mobile Detector - Unrestricted File Upload (Issue #14673, PR #14674)
CVE-2018-6961 - VMware NSX SD-WAN Edge - Command Injection (Issue #14623, PR #14626)
CVE-2018-9206 - Blueimp jQuery-File-Upload - Unrestricted File Upload (Issue #14587, PR #14588)
CVE-2017-20192 - Formidable Form Builder - Stored XSS (Issue #14544, PR #14548)
CVE-2012-10018 - Mapplic & Mapplic Lite - SSRF & Stored XSS (Issue #14478, PR #14479)
CVE-2021-4448 - Kaswara Modern VC Addons - Missing Authorization (PR #14637)
CVE-2024-5057 - WordPress Easy Digital Downloads - SQL Injection (PR #14601)
CVE-2020-13125 - Ultimate Addons for Elementor - Registration Bypass (PR #14597)
CVE-2024-4455 - YITH WooCommerce Ajax Search - XSS (PR #14564)
CVE-2023-33193 - Emby Server - Authentication Bypass (PR #14490)
CVE-2023-27351 - PaperCut NG - Authentication Bypass (PR #14225)
CVE-2019-9082 - ThinkPHP - Command Injection (Issue #14501)
CVE-2025-34299 - Monsta FTP - Unrestricted File Upload (Issue #14328)
CVE-2025-13486 - Advanced Custom Fields Extended - RCE (Issue #14212)
CVE-2021-23394 - studio-42/elfinder - RCE (Issue #14132)

Bug Fixes

Fixed boolean type for verified metadata in BitRAT C2 template (PR #14777)
Corrected reference list formatting in SeaDuke malware hash template (PR #14776)
Updated CVE-2024-2473 template (PR #14748)
Resolved WordPress FPD template placement confusion (Issue #14608, PR #14740)
Fixed max-request metadata in CVE-2019-9082 (PR #14715)
Corrected CVE-2024-6753 YAML configuration (PR #14688)
Fixed string literal quoting in CVE-2015-3224 (PR #14518)
Removed duplicate CVE-2019-14206 template file (PR #14706)

False Negatives

Improved detection for CVE-2025-37164 (PR #14606)
Changed CVE-2020-9402 and CVE-2021-35042 to DAST templates to reduce false negatives (Issue #14502, PR #14534)

False Positives

Reduced false positives in Dell iDRAC detection templates for iDRAC 6, 7, and 8 (Issue #14723, PRs #14739, #14738)

Enhancements

None in this release

Templates Added

[CVE-2025-69200] phpMyFAQ - Configuration Backup Disclosure (@louay-075) [high] 🔥
[CVE-2025-68926] RustFS < 1.0.0-alpha.77 - Hardcoded gRPC Authentication Token (@Chocapikk, @bilisheep) [critical] 🔥
[CVE-2025-68645] Zimbra Collaboration - Local File Inclusion (@dhiyaneshdk, @sirifu4k1) [high] 🔥
[CVE-2025-62522] Vite - Information Disclosure (@dhiyaneshdk) [medium] 🔥
[CVE-2025-60188] Atarim < 4.2.2 - Sensitive Information Exposure (@m4sh_wacker) [high] 🔥
[CVE-2025-52691] SmarterMail - Unrestricted File Upload (@dhiyaneshdk, @watchtowr) [critical] 🔥
[CVE-2025-34291] Langflow AI <= 1.6.9 - CORS Misconfiguration (@686f6c61) [critical] 🔥
[CVE-2025-14847] MongoDB Server - Info Disclosure (MongoBleed) (@pussycat0x, @joe-desimone, @dhiyaneshdk) [high] 🔥 (vKEV)
[CVE-2025-8848] LibreChat <= 0.7.9 - HTML Injection via Accept-Language Header (@Kazgangap) [medium] 🔥
[CVE-2024-43971] Sunshine Photo Cart <= 3.2.5 - Reflected Cross-Site Scripting (@0xanis) [medium]
[CVE-2024-30194] Sunshine Photo Cart <= 3.1.1 - Reflected Cross-Site Scripting (@0xanis) [medium]
[CVE-2024-29931] WP Go Maps <= 9.0.29 - Cross-Site Scripting (@Shivam Kamboj) [medium]
[CVE-2024-29792] Unlimited Elements for Elementor <= 1.5.93 - Cross Site Scripting (@Shivam Kamboj) [medium]
[CVE-2024-29138] WordPress Restrict User Access <= 2.5 - Cross-Site Scripting (@Shivam Kamboj) [medium]
[CVE-2024-28986] SolarWinds Web Help Desk < 12.8.3 - Insecure Deserialization (@rxerium) [critical] 🔥 (vKEV)
[CVE-2024-24882] Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation (@riteshs4hu) [critical] 🔥 (vKEV)
[CVE-2024-6753] Social Auto Poster <= 5.3.14 - Stored Cross-Site Scripting (@Shivam Kamboj) [high]
[CVE-2024-5057] WordPress Easy Digital Downloads <= 3.2.12 - SQL Injection (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2024-4455] YITH WooCommerce Ajax Search <= 2.4.0 - Cross-Site Scripting (@Shivam Kamboj) [high]
[CVE-2024-3469] GP Premium <= 2.4.0 - Cross-Site Scripting (@Shivam Kamboj) [medium]
[CVE-2023-33193] Emby Server - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-27351] PaperCut NG - Authentication Bypass (@daffainfo, @jjcho) [high] 🔥 (vKEV)
[CVE-2022-27924] Zimbra Collaboration Suite - Memcached Command Injection (@rxerium) [high] 🔥 (vKEV)
[CVE-2022-4940] WCFM Membership <= 2.10.0 - Broken Access Control (@0xanis) [high]
[CVE-2021-36754] PowerDNS Authoritative Server - Denial of Service (@daffainfo) [high]
[CVE-2021-28799] QNAP HBS 3 - Broken Access Control (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2021-24213] GiveWP <= 2.9.7 - Cross-Site Scripting (@Shivam Kamboj) [medium]
[CVE-2021-4448] Kaswara Modern VC Addons <= 3.0.1 - Missing Authorization (@daffainfo) [high]
[CVE-2020-13125] Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass (@daffainfo) [high]
[CVE-2019-15823] WPS Hide Login <= 1.5.2.2 - Login Page Bypass (@pussycat0x) [high]
[CVE-2019-11253] Kubernetes API Server - YAML Parsing DoS (Billion Laughs) (@ritikchaddha) [high] 🔥
[CVE-2018-10245] AWStats <= 7.5 - Full Path Disclosure (@0x_Akoko) [medium]
[CVE-2018-9206] Blueimp jQuery-File-Upload v9.22.0 - Unrestricted File Upload (@thewindghost) [critical] 🔥 (vKEV)
[CVE-2018-8011] Apache HTTP Server - NULL Pointer Dereference (@daffainfo) [high]
[CVE-2018-6961] VMware NSX SD-WAN Edge - Command Injection (@D3nverNg, @thewindghost) [critical] 🔥 (vKEV)
[CVE-2017-20192] Formidable Forms < 2.05.02 - Cross-Site Scripting (@0xanis) [medium]
[CVE-2017-11107] phpLDAPadmin <= 1.2.3 - Reflected XSS (@0x_Akoko) [medium]
[CVE-2016-15043] WP Mobile Detector <= 3.5 - Unrestricted File Upload (@D3nverNg, @thewindghost) [critical] 🔥 (vKEV)
[CVE-2016-15041] MainWP Dashboard <= 3.1.2 - Stored Cross-Site Scripting (@flame) [high]
[CVE-2012-10018] WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Stored XSS via SVG File Upload (@KrE80r) [high]
[CVE-2011-3600] Apache OFBiz - XML External Entity Injection (@daffainfo, @pikpikcu) [high]
[CVE-2006-3392] Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (@s4e-io) [medium]
[gcloud-service-account-keys-rotation] GCP Service Account Keys - No Rotation Configured (@kelu27) [high]
[cloudinary-csp-bypass] Content-Security-Policy Bypass - cloudinary (@pussycat0x) [medium]
[bitbucket-panel] Bitbucket Panel - Detect (@Shivam Kamboj) [info]
[ekoapi-admin-panel] EkoAPI Admin Panel - Detect (@rxerium) [info]
[librechat-login-panel] LibreChat Login Panel - Detection (@Kazgangap) [info]
[victoriametrics-panel] VictoriaMetrics Panel - Detect (@Shivam Kamboj) [info]
[woodpecker-ci-panel] Woodpecker CI Panel - Detect (@Shivam Kamboj) [info]
[xspeeder-login] XSpeeder Login - Detect (@rxerium) [info]
[bash-config-exposure] Bash Configuration - Exposure (@theamanrawat) [low]
[exposed-gitmodules] .gitmodules File Exposed (@pussycat0x) [high]
[flow-config-exposure] Flow Configuration - Exposure (@theamanrawat) [medium]
[grafana-metrics-exposure] Grafana Metrics Endpoint - Information Disclosure (@0x_Akoko) [low]
[jfrog-artifactory-build-exposure] JFrog Artifactory Build - Exposure (@theamanrawat) [medium]
[keycloak-admin-console-config] Keycloak Admin Console Configuration Disclosure (@0x_Akoko) [low]
[makefile-exposure] Makefile - Exposure (@0x_Akoko) [low]
[mysql-config-exposure] MySQL Conifg - Exposure (@theamanrawat) [high]
[prettier-ignore-disclosure] Prettier - ...

Contributors

todb, 686f6c61, and 29 other contributors

Assets 3

25 Dec 17:36

princechaddha

v10.3.6

4537df8

🎄 Nuclei Templates v10.3.6 – Christmas Release Notes

New Templates Added: `163` | CVEs Added: `57` | First-time contributions: `6` | Bounties rewarded: `4`

🔥 Release Highlights 🔥

[CVE-2025-68613] n8n - RCE via Expression Injection (@rxerium, @PentesterFlow, @MuhamadJuwandi) [critical] 🔥
[CVE-2025-52970] Fortinet FortiWeb - Authentication Bypass to Admin Privilege (@Sourabh-Sahu) [high] (vKEV) 🔥
[CVE-2025-47188] Mitel 6000 - OS Command Injection (@matejsmycka) [critical] (vKEV) 🔥
[CVE-2025-37164] HPE OneView - RCE (@dhiyaneshdk) [critical] (vKEV) 🔥
[CVE-2025-34299] Monsta FTP <= 2.11.2 - Unauthenticated RCE (@KrE80r) [critical] (vKEV) 🔥
[CVE-2025-14611] Gladinet CentreStack & Triofox - Hardcoded Credentials (@0xanis) [critical] (vKEV) 🔥
[CVE-2024-28200] N-able N-central < 2024.2 - Authentication Bypass Detection (@rxerium) [critical] (vKEV) 🔥
[CVE-2021-37415] Zoho ManageEngine ServiceDesk Plus - Authentication Bypass (@daffainfo, @jjcho) [critical] 🔥
[CVE-2021-35042] Django QuerySet.order_by - SQL Injection (@0x_Akoko) [critical] 🔥
[CVE-2021-25082] WordPress Popup Builder < 4.0.7 - RCE (@0x_Akoko) [critical] 🔥
[CVE-2021-2135] Oracle WebLogic Server - RCE (@hnd3884) [critical] (vKEV) 🔥
[CVE-2025-55184] React Server Components - Denial of Service (@dhiyaneshdk) [high] 🔥

What's Changed

💰 Bounties Rewarded 💰

CVE-2025-14611 - Gladinet CentreStack & Triofox - Hardcoded Credentials (Issue #14392, PR #14410).
CVE-2021-3007 - Laminas Project laminas-http - Insecure Deserialization (Issue #14236, PR #14241).
CVE-2024-0801 - Arcserve UDP - Denial of Service (Issue #13829).
CVE-2025-11833 - Post SMTP WordPress Plugin - Broken Access Control (Issue #13820)

Bug Fixes

Corrected error matching condition in CVE-2025-55182 template (Issue #14255, PR #14376).

False Negatives

Fixed false negative in CVE-2022-26143 template, improving detection accuracy (PR #14371).

False Positives

Fixed false positives in the following templates:
- Generic .env detection - stopped detecting .env.example files (PR #14555)
- Credit card number detection (PR #14447)
- CVE-2021-25281 PoC (Issue #3212)
- Various CVE templates (PR #14376)

Enhancements

Enhanced WAF detection by adding FortiWEB WAF signatures to waf-detect.yaml (PR #14370).
Improved regex matchers in node-exporter-metrics.yaml for better accuracy (PR #14375).
Updated awstats-script.yaml template (PR #14413).

Templates Added

[CVE-2025-68613] n8n - RCE via Expression Injection (@rxerium, @PentesterFlow, @MuhamadJuwandi) [critical] 🔥
[CVE-2025-63387] Dify v1.9.1 - Broken Access Control (@dhiyaneshdk) [medium]
[CVE-2025-56819] Datart v1.0.0-rc.3 - RCE (@Redmomn) [critical]
[CVE-2025-56266] Avigilon ACM - Host Header Injection (@dhiyaneshdk) [medium]
[CVE-2025-55749] XWiki - Information Disclosure (@dhiyaneshdk) [high]
[CVE-2025-55184] React Server Components - Denial of Service (@dhiyaneshdk) [high] 🔥
[CVE-2025-52970] Fortinet FortiWeb - Authentication Bypass to Admin Privilege (@Sourabh-Sahu) [high] (vKEV) 🔥
[CVE-2025-47188] Mitel 6000 - OS Command Injection (@matejsmycka) [critical] (vKEV) 🔥
[CVE-2025-37164] HPE OneView - RCE (@dhiyaneshdk) [critical] (vKEV) 🔥
[CVE-2025-34299] Monsta FTP <= 2.11.2 - Unauthenticated RCE (@KrE80r) [critical] (vKEV) 🔥
[CVE-2025-14611] Gladinet CentreStack & Triofox - Hardcoded Credentials (@0xanis) [critical] (vKEV) 🔥
[CVE-2025-13486] Advanced Custom Fields Extended < 0.9.2 - RCE (@0xanis) [critical]
[CVE-2025-12139] Integrate Google Drive <= 1.5.3 - Information Disclosure (@meysam Bal-afkan) [high]
[CVE-2025-9808] The Events Calendar <= 6.15.2 - Information Disclosure (@zer0p0int) [medium]
[CVE-2024-47374] LiteSpeed Cache <= 6.5.0.2 - Stored XSS (@Sourabh-Sahu) [high]
[CVE-2024-39646] WordPress Custom 404 Pro <= 3.11.1 - Reflected XSS (@Sourabh-Sahu) [high]
[CVE-2024-35694] Wordpress WPMobile.App >= 11.42 - Cross-Site Scripting (@Sourabh-Sahu) [high]
[CVE-2024-35693] WordPress 12 Step Meeting List Plugin <= 3.14.33 - Cross-Site Scripting (@intelligent-ears) [medium]
[CVE-2024-31223] Fides Privacy Center ≤ 2.39.1 - Server-Side URL Disclosure (@hnd3884) [medium]
[CVE-2024-28253] OpenMetaData - SpEL Injection in PUT /api/v1/policies (@daffainfo) [critical]
[CVE-2024-28200] N-able N-central < 2024.2 - Authentication Bypass Detection (@rxerium) [critical] (vKEV) 🔥
[CVE-2024-25608] Liferay Portal - Open Redirect (@daffainfo) [medium]
[CVE-2024-2863] LG LED Assistant - Thumbnail Path Traversal File Upload (@Beginee) [high]
[CVE-2024-2862] LG LED Assistant - Unauthenticated Password Reset (@Beginee) [high]
[CVE-2023-45038] QNAP Music Station < 5.4.0 - Authentication Bypass (@daffainfo) [medium]
[CVE-2023-38952] ZKTeco BioTime <= 9.0.1 - Privilege Escalation (@riteshs4hu) [high]
[CVE-2023-27624] WordPress Redirect After Login <= 0.1.9 - Admin Stored XSS (@0x_Akoko) [medium]
[CVE-2023-23897] Ozette Plugins - Cross-Site Request Forgery (@popcorn94) [medium]
[CVE-2023-7164] WordPress BackWPup < 4.0.4 - Backup File Disclosure (@0x_Akoko) [high]
[CVE-2023-6266] WordPress Backup Migration <= 1.3.6 - Path Traversal (@riteshs4hu) [high]
[CVE-2023-3388] Beautiful Cookie Consent Banner < 2.10.2 - Cross-Site Scripting (@daffainfo) [high]
[CVE-2022-38130] KeySight RF - smsRestoreDatabaseZip UNC path to RCE (@daffainfo, @jjcho) [critical]
[CVE-2022-36923] Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils - getUserAPIKey Authentication Bypass (@daffainfo, @jjcho) [high]
[CVE-2022-34305] Apache Tomcat Examples Web Application - Cross-Site Scripting (@Sourabh-Sahu) [medium]
[CVE-2022-1029] Limit Login Attempts - Stored Cross-Site Scripting (@theamanrawat) [medium]
[CVE-2022-0873] WordPress Gmedia Photo Gallery Plugin < 1.20.0 - Cross-Site Scripting (@ritikchaddha) [medium]
[CVE-2022-0765] WordPress Loco Translate < 2.6.1 - Cross-Site Scripting (@0x_Akoko) [medium]
[CVE-2021-37415] Zoho ManageEngine ServiceDesk Plus - Authentication Bypass (@daffainfo, @jjcho) [critical] 🔥
[CVE-2021-35042] Django QuerySet.order_by - SQL Injection (@0x_Akoko) [critical] 🔥
[CVE-2021-33829] Drupal 7 CKEditor XSS (@0x_Akoko) [medium]
[CVE-2021-25082] WordPress Popup Builder < 4.0.7 - RCE (@0x_Akoko) [critical] 🔥
[CVE-2021-24681] Duplicate Page WordPress - Stored Cross-Site Scripting (@theamanrawat) [medium]
[CVE-2021-24657] Limit Login Attempts WordPress - Stored Cross-site Scripting (@theamanrawat) [medium]
[CVE-2021-22175] GitLab CI Lint API - Server-Side Request Forgery (@0x_Akoko) [high]
[CVE-2021-20617] Acmailer - Improper Access Control to OS Command Injection (@daffainfo) [critical]
[CVE-2021-3007] Laminas Project laminas-http - RCE (@0xanis) [critical]
[CVE-2021-2135] Oracle WebLogic Server - RCE (@hnd3884) [critical] (vKEV) 🔥
[CVE-2020-26836] SAP Solution Manager - Open Redirect (@gal Nagli, @lrvt) [medium]
[CVE-2020-25200] Pritunl VPN Server 1.29.2145.25 - Username Enumeration (@pussycat0x) [medium]
[CVE-2020-20627] GiveWP - Missing Authorization to Settings Update (@daffainfo) [medium]
[CVE-2020-12832] WordPress Simple File List - Path Traversal (@riteshs4hu) [critical]
[CVE-2019-9082] ThinkPHP < 3.2.4 - RCE (@0xanis) [high]
[CVE-2019-5591] FortiOS - Insecure LDAP Configuration Detection (@ayewo) [medium]
[CVE-2019-4061] IBM BigFix Platform - Information Disclosure (@daffainfo) [medium]
[CVE-2017-18580] WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated RCE (@0x_Akoko) [critical]
[CVE-2017-17762] Episerver 7 - Blind XML External Entity Injection (@pussycat0x) [high]
[CVE-2015-8350] WordPress Calls to Action <=2.4.3 - Authenticated Reflected XSS (@0x_Akoko) [medium]
[ai-code-execution] AI Code Execution Detection (@princechaddha) [high]
[ai-data-exfiltration] AI Data Exfiltration Detection (@princechaddha) [high]
[ai-prompt-injection] AI Prompt Injection Detection (@princechaddha) [high]
[ai-safety-bypass] AI Safety Control Bypass Detection (@princechaddha) [unknown]
[pdfjs-content-spoofing] Mozilla PDF.js - Content Spoofing (@0x_Akoko) [medium]
[cisco-esa-panel] Cisco Email Security Appliance - Panel (@rxerium, @darses) [info]
[hpe-oneview-panel] HPE OneView - Panel Detect (@rxerium) [info]
[temboard-panel] temBoard Panel - Detect (@righettod) [info]
[ambassador-api-diagnostics-exposure] Ambassador API Gateway Diagnostics - Exposure (@0x_Akoko) [medium]
[wordpress-db-exposure] WordPress Database Backup File - Exposure (@0x_Akoko) [high]
[cakefile-exposure] Cakefile - Exposure (@0x_Akoko) [info]
[codekit-config-exposure] CodeKit Configuration Exposure (@pussycat0x) [low]
[glimpse-data-exposure] Glimpse Diagnostics - Sensitive Data Exposure (@0x_Akoko) [high]
[node-repl-history-disclosure] Node.js REPL History Disclosure (@pussycat0x) [low]
[phpci-yml] PHPCI Configuration Exposure "phpci.yml" Exposure (@dhiyaneshdk) [info]
[python-setup-config] Python Setup Configuration - Exposure (@dhiyaneshdk) [low]
[rexify-config-exposure] Rexify Configuration - Exposure (@theamanrawat) [high]
[xampp-phpinfo-detect] XAMPP PHP info Page - Detect (@pussycat0x) [low]
[eclipse-project-exposure] Eclipse .project Configuration - Exposure (@0x_Akoko) [info]
[python-history-disclosure] Python History File Disclosure (@pussycat0x) [low]
[wp-w3-total-cache-exposure] WordPress W3 Total Cache - Cache Files Exposure (@pussycat0x) [high]
[yarn-integrity-disclosure] Yarn Integrity File Disclosure (@pussycat0x) [info]
[bitrix-log-file-disclosure] Bitrix Site Manager - Log File Disclosure (@0x_Akoko) [medium]
[wp-easy-google-fonts-log-disclosure] WordPress Easy Google Fonts - Error Log Disclosure (@0x_Akoko) [low]
[wp-flexible-shipping-log] WordPress Flexible Shipping - Log File ...

Contributors

meysam, righettod, and 30 other contributors

Assets 3

06 Dec 11:55

princechaddha

v10.3.5

c88b645

Nuclei Templates v10.3.5 - Release Notes

New Templates Added: `57` | CVEs Added: `33`

🔥 Release Highlights 🔥

[CVE-2025-55182] React Server Components - Remote Code Execution [critical] 🔥 (vKEV)
[CVE-2024-6220] WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload (@hnd3884) [critical] 🔥 (vKEV)
[CVE-2023-37999] HT Mega <= 2.2.0 - Missing Auth to Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-30869] Easy Digital Downloads - Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-3277] MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-2734] MStore API <= 3.9.1 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2022-34487] ShortCode Addons - Unauthenticated Options Update (@Sourabh-Sahu) [critical] 🔥 (vKEV)
[CVE-2022-33198] WordPress Accordions - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
[CVE-2021-36888] WordPress Image Hover Ultimate - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
[CVE-2021-4073] RegistrationMagic <= 5.0.1.7 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2019-25213] WordPress Advanced Access Manager - Path Traversal (@riteshs4hu) [critical] 🔥 (vKEV)

What's Changed

Bug Fixes

Fixed path for CVE-2022-28666 from 2021 to 2022 directory (PR #14183)
Fixed path for CVE-2021-4449 (PR #14182)
Fixed path for CVE-2024-47308 (PR #14180)
Corrected file naming for CVE-2021-35211 (PR #14162)
Updated CVE-2024-9161 template (PR #14159)
Updated CSP script-src wildcard template (PR #14117)

False Negatives

Fixed false negative in CVE-2022-31181 by adding product to wishlist functionality (Issue #13938, PR #14112)
Corrected username and password in CVE-2022-0206 to reduce false negatives (PR #14148)
Corrected username and password in CVE-2015-4063 to reduce false negatives (PR #14133)

False Positives

Removed mailgun-takeover template due to false positive detections (Issue #13900, PR #14113)
Fixed false positive in wp-functions-php-disclosure.yaml (PR #14124)
Prevented false positive matches in CVE-2024-55591 (PR #14106)
Reduced false positives in CVE-2021-45467 (PR #14086)

Enhancements

Enhanced CVE-2025-55182 template with updated authors and details (PR #14235)
Updated POC for CVE-2025-55182 (PR #14229)
Added new templates, fixed false positives, and enhanced existing templates (PR #14081)

Templates Added

[CVE-2025-55182] React Server Components - Remote Code Execution (@dhiyaneshdk, @princechaddha, @assetnote, @lachlan2k, @maple3142, @Iamnooob) [critical] 🔥 (vKEV)
[CVE-2025-51586] PrestaShop - Information Disclosure (@mastercho) [medium] 🔥
[CVE-2025-47445] WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download (@hnd3884) [high] 🔥 (vKEV)
[CVE-2025-11307] WP Google Maps < 9.0.48 - Cross-Site Scripting (@0x_Akoko) [high] 🔥
[CVE-2025-10211] ChanCMS <= 3.3.0 - Server-Side Request Forgery (@Yu_Bao) [medium]
[CVE-2025-10210] ChanCMS <= 3.3.0 - SQL Injection (@Yu_Bao) [medium]
[CVE-2025-5301] ONLYOFFICE Docs (DocumentServer) - Reflected Cross-Site Scripting (@theamanrawat) [medium]
[CVE-2024-47308] Templately <= 3.1.2 - Broken Access Control (@popcorn94) [medium] 🔥 (vKEV)
[CVE-2024-9161] Rank Math SEO < 1.0.229 - Unauthenticated User and Term Metadata Insert/Update/Deletion (@Kazgangap) [medium] 🔥 (vKEV)
[CVE-2024-6555] WP Popups - Information Disclosure (@theamanrawat) [medium]
[CVE-2024-6220] WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload (@hnd3884) [critical] 🔥 (vKEV)
[CVE-2023-41954] ProfilePress <= 4.13.1 — Unauthenticated Privilege Escalation (@daffainfo) [high] 🔥 (vKEV)
[CVE-2023-40211] Post Grid <= 2.2.50 - Information Exposure via REST API (@daffainfo) [high]
[CVE-2023-38875] PHP Login System 2.0.1 - Cross-Site Scripting (@0x_Akoko) [medium]
[CVE-2023-37999] HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-30869] Easy Digital Downloads - Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-5815] News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Local File Inclusion (@daffainfo) [high]
[CVE-2023-3277] MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-2734] MStore API <= 3.9.1 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2022-34487] ShortCode Addons - Unauthenticated Options Update (@Sourabh-Sahu) [critical] 🔥 (vKEV)
[CVE-2022-33198] WordPress Accordions - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
[CVE-2022-31101] Prestashop Blockwishlist 2.1.0 SQL Injection (@mastercho) [high] 🔥
[CVE-2022-28666] Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update (@Sourabh-Sahu) [medium]
[CVE-2022-0879] Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting (@0x_Akoko) [medium]
[CVE-2021-36888] WordPress Image Hover Ultimate - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
[CVE-2021-23394] elFinder < 2.1.58 - Remote Code Execution (@0xanis) [high]
[CVE-2021-4073] RegistrationMagic <= 5.0.1.7 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2020-11732] Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion (@Sourabh-Sahu) [high]
[CVE-2019-25213] WordPress Advanced Access Manager - Path Traversal (@riteshs4hu) [critical] 🔥 (vKEV)
[CVE-2019-17671] WordPress <= 5.2.4 - Unauthenticated View Private/Draft Posts (@0x_Akoko) [medium]
[CVE-2019-14950] WP Live Chat Support <= 8.0.27 — Stored Cross-Site Scripting (@daffainfo) [medium]
[CVE-2019-10647] ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE) (@Sourabh-Sahu) [critical]
[CVE-2018-17082] Apache2 - Transfer-Encoding Chunked XSS (@dhiyaneshdk) [medium]
[google-storage-csp-bypass] Content-Security-Policy Bypass - Google Storage (@0x_Akoko) [medium]
[spf-limit-lookup] SPF record DNS lookup limit (@theamanrawat) [info]
[redis-commander-default-login] Redis Commander - Default Login (@dhiyaneshdk) [high]
[ship-manager-dnv] Ship Manager DNV - Panel (@rxerium) [info]
[apache-hive-config] Apache Hive Configuration - Exposure (@icarot) [medium]
[codeclimate-config-exposure] CodeClimate Configuration File - Exposure (@0x_Akoko) [info]
[deprecated-feature-policy] Deprecated Feature-Policy Header - Detection (@ritikchaddha) [info]
[expect-ct-misconfigured] Expect-CT Header - Misconfigured (@theamanrawat) [info]
[jenkins-users-exposure] Jenkins Users - Exposure (@theamanrawat) [info]
[kafka-api-cluster] Kafka Operation API - Cluster (@dhiyaneshdk) [high]
[unauth-munin] Munin Monitoring Dashboard - Exposure (@0x_Akoko) [medium]
[weak-csp-detect] Weak Content Security Policy - Detect (@pussycat0x) [low]
[apache-hive-detect] Apache Hive - Detect (@icarot) [info]
[apache-httpd-eol] Apache HTTP Server End-of-Life - Detect (@Shivam Kamboj) [info]
[laravel-eol] Laravel End-of-Life Detection (@Shivam Kamboj) [info]
[nginx-eol] Nginx End-of-Life - Detect (@Shivam Kamboj) [info]
[php-eol] PHP End-of-Life - Detect (@Shivam Kamboj) [info]
[sharepoint-lists-api-disclosure] Microsoft SharePoint - List API Disclosure (@theamanrawat) [low]
[wp-bbpress-fpd] WordPress bbPress Plugin - Full Path Disclosure (@0x_Akoko) [info]
[wp-fastest-cache-fpd] WordPress WP Fastest Cache Plugin - Full Path Disclosure (@0x_Akoko) [info]
[wp-mailchimp-for-wp-fpd] WordPress Mailchimp for WordPress Plugin - Full Path Disclosure (@0x_Akoko) [info]
[wp-twentyfifteen-fpd] WordPress Twenty Fifteen Theme - Full Path Disclosure (@0x_Akoko) [info]
[dameng-detect] Dameng Database - Detect (@pussycat0x) [info]
[vnc-workflow] VNC Security Checks (@pussycat0x) [unknown]

New Contributors

@murataslan1 made their first contribution in #14113

Full Changelog: v10.3.4...v10.3.5

Contributors

lachlan2k, maple3142, and 19 other contributors

Assets 3

29 Nov 14:21

princechaddha

v10.3.4

931fd1f

Nuclei Templates v10.3.4 - Release Notes

New Templates Added: `68` | CVEs Added: `27` | First-time contributions: `11` | Bounties rewarded: `3`

🔥 Release Highlights 🔥

[CVE-2025-64764] Astro - Reflected XSS via server islands feature (@dhiyaneshdk, @zhero___) [high] 🔥
[CVE-2025-61757] Oracle Identity Manager WebService - Auth Bypass (@ritikchaddha) [critical] 🔥 (vKEV)
[CVE-2025-58360] GeoServer - XML External Entity Injection (@lbb, @xbow, @darses) [high] 🔥
[CVE-2025-49706] Microsoft SharePoint Server - Auth Bypass (@daffainfo) [medium] 🔥 (vKEV)
[CVE-2025-27915] Zimbra - XSS (@Snbig, @EhsanCreator, @eliotworkspac-max) [medium] 🔥 (vKEV)
[CVE-2025-11833] Post SMTP <= 3.6.0 - Email Log Disclosure (@Kazgangap) [critical] 🔥 (vKEV)
[CVE-2022-29081] Zoho ManageEngine - Access Control Bypass (@0xanis) [critical] 🔥 (vKEV)
[CVE-2021-34427] Eclipse BIRT Viewer - Remote Code Execution (@us3r777, @synacktiv) [critical] 🔥
[CVE-2021-4462] Employee Records System 1.0 - Unauth File Upload RCE (@JosephTTD) [critical] 🔥 (vKEV)
[CVE-2021-4449] ZoomSounds Plugin - Unauth Arbitrary File Upload (@0xnemian) [critical] 🔥 (vKEV)
[CVE-2017-5983] JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - RCE (XXE) (@us3r777, @synacktiv) [critical] 🔥

What's Changed

💰 Bounties Rewarded 💰

CVE-2021-4462 - Employee Records System - Unrestricted File Upload 💰 (Issue #14040).
CVE-2022-29081 - Zoho ManageEngine - Access Control Bypass 💰 (Issue #13982).
CVE-2021-4449 - ZoomSounds WordPress - Unrestricted File Upload 💰 (Issue #13886).

Bug Fixes

Fix CVE-2024-23897 (PR #13608).

False Negatives

FIX [FALSE-NEGATIVE] error-logs template fails to detect exposed log files without Content-Type header (PR #14025).
chore: remove redundant condition in CVE-2024-9047.yaml (PR #13496).
[FALSE-NEGATIVE] error-logs template fails to detect exposed log files without Content-Type header (Issue #13519).

False Positives

Fix FP wp-twenty-theme-fpd.yaml (PR #14048).
Fix FP CVE-2020-26948.yaml (PR #13978).

Enhancements

Update CVE-2025-58360 (PR #14088).
Update unavailable documentation URLs (PR #14075).
Refactor the "JITSI" template. (PR #14054).
feat: Update Next.js detection (PR #14033).
Update CVE-2025-20362 (PR #14016).
Enhance Next.js/Vite public env exposure config (PR #14013).
Improve CVE-2020-14179 detection with customfield identifier (PR #14007).
Updated CVE-2017-9841 with new eval-stdin.php paths (PR #13991).
chore: update CVE-2021-39226 (PR #13918).

Templates Added

[CVE-2025-64764] Astro - Reflected XSS via server islands feature (@dhiyaneshdk, @zhero___) [high] 🔥
[CVE-2025-64525] Astro - Broken Access Control (@zhero___, @dhiyaneshdk) [medium] 🔥
[CVE-2025-61757] Oracle Identity Manager REST WebServices - Authentication Bypass (@ritikchaddha) [critical] 🔥 (vKEV)
[CVE-2025-58360] GeoServer - XML External Entity Injection (@lbb, @xbow, @darses) [high] 🔥
[CVE-2025-55523] Agent-Zero 0.8.0 - 0.9.4 - Arbitrary File Download (@0x_Akoko) [high]
[CVE-2025-49706] Microsoft SharePoint Server - Authentication Bypass (@daffainfo) [medium] 🔥 (vKEV)
[CVE-2025-27915] Zimbra - Cross-Site Scripting via ICS Files (@Snbig, @EhsanCreator, @eliotworkspac-max) [medium] 🔥 (vKEV)
[CVE-2025-13315] Twonky Server 8.5.2 on Linux and Windows - Log File Exposure (@pussycat0x) [critical]
[CVE-2025-12055] MPDV Mikrolab GmbH HYDRA X, MIP 2 & FEDRA 2 - Path Traversal (@theamanrawat) [high]
[CVE-2025-11833] Post SMTP <= 3.6.0 - Email Log Disclosure (@Kazgangap) [critical] 🔥 (vKEV)
[CVE-2025-11700] N-central - XML External Entities Injection (@dhiyaneshdk, @horizon3ai) [high]
[CVE-2025-10204] AC Smart II - Authentication Bypass (@theeldruin) [high]
[CVE-2025-9316] N-central - Authentication Bypass (@dhiyaneshdk, @horizon3ai) [medium]
[CVE-2025-7901] yangzongzhuan RuoYi - DOM Based XSS (@nikhil Patidar) [medium]
[CVE-2024-53995] SickChill - Open Redirect (@omarkurt) [low]
[CVE-2024-20404] Cisco Finesse - Server-Side Request Forgery (SSRF) (@0x_Akoko) [medium] 🔥
[CVE-2022-29081] Zoho ManageEngine - Access Control Bypass (@0xanis) [critical] 🔥 (vKEV)
[CVE-2021-34427] Eclipse BIRT Viewer - Remote Code Execution (@us3r777, @synacktiv) [critical] 🔥
[CVE-2021-4462] Employee Records System 1.0 - Unauthenticated File Upload RCE (@JosephTTD) [critical] 🔥 (vKEV)
[CVE-2021-4449] ZoomSounds Plugin - Unauthenticated Arbitrary File Upload (@0xnemian) [critical] 🔥 (vKEV)
[CVE-2019-19825] TOTOLINK/Realtek Routers - CAPTCHA Bypass (@ritikchaddha) [critical]
[CVE-2019-19823] TOTOLINK/Realtek Routers - Information Disclosure (@ritikchaddha) [high]
[CVE-2019-19822] TOTOLINK/Realtek Routers - Information Disclosure (@ritikchaddha) [high]
[CVE-2018-13317] TOTOLINK A3002RU 1.0.8 - Information Disclosure (@ritikchaddha) [medium]
[CVE-2017-17092] WordPress < 4.9.1 - Authenticated JavaScript File Upload (@0x_Akoko) [medium]
[CVE-2017-14725] WordPress < 4.8.2 - Authenticated Open Redirect (@0x_Akoko) [medium]
[CVE-2017-5983] JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE) (@us3r777, @synacktiv) [critical] 🔥
[jquery-cdn-csp-bypass] Content-Security-Policy Bypass - jQuery CDN (@0x_Akoko) [medium]
[shai-hulud-supply-chain] Shai Hulud 2.0 - Supply Chain Malware Detection (@princechaddha, @wiz-research) [critical]
[traggo-default-login] Traggo - Default Login (@0x_Akoko) [high]
[vtigercrm-default-login] Vtiger CRM - Default Login (@icarot) [high]
[cluster-trino-panel] Cluster Overview Trino - Panel (@dhiyaneshdk) [info]
[vtigercrm-exposed-directory] Vtiger CRM - Exposed Directory (@icarot) [low]
[crypto-address-detect] Exposed Cryptocurrency Wallet Address (@rxerium) [info]
[aem-anonymous-write] Adobe Experience Manager (AEM) - Anonymous JCR Node Creation (@dhiyaneshdk, @0ang3el) [high]
[blackbox-exporter-exposure] Blackbox Exporter - Exposure (@dhiyaneshdk) [high]
[cluster-trino-admin-login] Cluster Overview Trino - Admin Login (@dhiyaneshdk) [high]
[csp-script-src-wildcard] Content-Security-Policy "script-src" Wildcard Detected (@prithiv) [medium]
[memtracker-exposure] MemTracker - Exposure (@dhiyaneshdk) [high]
[sharepoint-files-disclosure] Microsoft SharePoint Files Disclosure (@pussycat0x) [info]
[sharepoint-layouts-disclosure] Microsoft SharePoint - Layouts Disclosure (@dhiyaneshdk) [low]
[sharepoint-masterpage-disclosure] Microsoft SharePoint - Master Page Disclosure (@dhiyaneshdk) [low]
[sharepoint-site-metadata-disclosure] Microsoft SharePoint - Site Metadata Disclosure (@0x_Akoko) [low]
[sharepoint-sitepages-disclosure] Microsoft SharePoint - Site Pages Disclosure (@pussycat0x) [low]
[nginx-status-403-bypass] Nginx Status Page - 403 Bypass (@pussycat0x) [low]
[postgresql-cluster-config] PostgreSQL Cluster - Configuration (@dhiyaneshdk) [high]
[postrest-api-exposure] PostgREST API Server - Exposure (@dhiyaneshdk) [high]
[unauth-akhq-dashboard] AKHQ Dashboard - Unauthenticated Access (@dhiyaneshdk) [high]
[unauth-hawkeye-dashboard] Unauth Hawkeye Dashboard - Detect (@dhiyaneshdk) [high]
[unauth-kafka-config-editor] Kafka Config Editor - Unauthenticated Access (@dhiyaneshdk) [high]
[unauth-phoenix-dashboard] Unauth Phoenix Dashboard - Detect (@dhiyaneshdk) [high]
[unauth-qdrantui] Qdrant UI - Unauthenticated Access (@dhiyaneshdk) [high]
[unauth-supervisor-dashboard] Unauth Supervisor Dashboard - Detect (@dhiyaneshdk) [high]
[agent-zero-detect] Agent-Zero Application - Detect (@0x_Akoko) [info]
[cisco-finesse-detect] Cisco Finesse - Detect (@0x_Akoko) [info]
[flower-detect] Flower - Detect (@righettod) [info]
[sharepoint-web-services-discovery] Microsoft SharePoint - Web Services Discovery (@0x_Akoko) [info]
[nostromo-detect] Nostromo Web Server (@Shivam Kamboj) [info]
[odoo-detection] Odoo - Detect (@keyboard-slayer) [info]
[traggo-server-detect] Traggo Time Tracking Server - Detect (@0x_Akoko) [info]
[vtigercrm-detect] Vtiger CRM - Detect (@icarot) [info]
[winstone-detect] Winstone Servlet Engine (@Shivam Kamboj) [info]
[wp-security-hidden-login-exposure] WordPress All-in-One Security <=4.4.1 - Hidden Login Page Exposure (@theamanrawat) [medium]
[wp-twenty-theme-fpd] WordPress Twenty Seventeen - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-twentysixteen-fpd] WordPress Twenty Sixteen - Full Path Disclosure (@theamanrawat) [low]
[wp-twentytwenty-fpd] WordPress Twenty Twenty Theme - Full Path Disclosure (@0x_Akoko) [info]
[functions-php-disclosure] functions.php Full Path Disclosure (@pussycat0x) [low]
[yonyou-u9-patchfile-upload] Yonyou U9 PatchFile.asmx - Unauthenticated Arbitrary File Upload (@Co5mos, @projectdiscoveryai) [critical]

New Contributors

@keyboard-slayer made their first contribution in #13958
@eduquintanilha made their first contribution in #13920
@0xanis made their first contribution in #13983
@0xnemian made their first contribution in #13930
@OrSmolnik made their first contribution in #14007
@nikhilpatidar01 made their first contribution in #14015
@brendan-rsoc made their first contribution in #14016
@S9n3x made their first contribution in #13496
@Snbig made their first contribution in #13581
@JosephTTD made their first contribution in #14042
@L-TEL...

Contributors

prithiv, righettod, and 35 other contributors

Assets 3

18 Nov 19:10

princechaddha

v10.3.2

2603fc1

Nuclei Templates v10.3.2 - Release Notes

New Templates Added: `129` | CVEs Added: `56` | First-time contributions: `9` | Bounties rewarded: `7`

🔥 Release Highlights 🔥

[CVE-2025-64446] FortiWeb - Authentication Bypass (@dhiyaneshdk, @watchtowr, @rapid7, @defusedcyber) [critical] (vKEV) 🔥
[CVE-2025-64095] DNN - Unrestricted Arbitrary File Upload (@dhiyaneshdk, @pussycat0x) [critical] 🔥
[CVE-2025-61884] Oracle E-Business Suite - SSRF (@Kazgangap) [high] (vKEV) 🔥
[CVE-2025-59287] Windows Server Update Service - Insecure Deserialization (@pussycat0x, @princechaddha) [critical] (vKEV) 🔥
[CVE-2025-58443] FOGProject <= 1.5.10.1673 - Authentication Bypass (@oleveloper) [critical] 🔥
[CVE-2025-55190] ArgoCD Project API Token Repository Credentials Exposure (@nukunga[seunghyeonJeon]) [critical] 🔥
[CVE-2025-54253] Adobe Experience Manager - Deserialization (@ritikchaddha, @dhiyaneshdk, @s4e-io) [critical] (vKEV) 🔥
[CVE-2025-54236] Adobe Commerce - Authentication Bypass (@dhiyaneshdk, @slcyber, @johnk3r) [critical] (vKEV) 🔥
[CVE-2025-52665] UniFi Access - Broken Access Control (@theamanrawat, @dhiyaneshdk) [critical] 🔥
[CVE-2025-41243] Spring Cloud Gateway Server Webflux - Broken Access Control (@Redmomn) [critical] 🔥
[CVE-2025-12101] Citrix NetScaler ADC & Gateway - Reflected XSS / Open Redirect (@dhiyaneshdk, @watchtowr) [medium] 🔥
[CVE-2025-11749] WordPress AI Engine Plugin - Token Exposure (@4m3rr0r) [critical] 🔥
[CVE-2025-8943] Flowise < 3.0.1 - Remote Command Execution (@zezezez) [critical] 🔥
[CVE-2025-1550] Keras Model.load_model - Arbitrary Code Execution (@nukunga[seunghyeonJeon]) [critical] 🔥
[CVE-2025-1302] JSONPath Plus < 10.3.0 - RCE (@Jaenact) [critical] 🔥
[CVE-2024-53900] Mongoose < 8.8.3 - RCE (@h4mg) [critical] 🔥
[CVE-2024-47575] FortiManager Unauth RCE (@0x_Akoko, @pussycat0x, @watchtowr) [critical] (vKEV) 🔥
[CVE-2024-27443] Zimbra Collaboration - XSS (XSS) (@rxerium) [medium] (vKEV) 🔥
[CVE-2024-23108] Fortinet FortiSIEM - OS Command Injection (@0x_Akoko) [critical] (vKEV) 🔥
[CVE-2023-34048] VMware vCenter Server - Out-of-Bounds Write (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2023-2437] UserPro <= 5.1.1 - Authentication Bypass (@intelligent-ears) [critical] (vKEV) 🔥
[CVE-2021-45467] Control Web Panel (CWP) - File Inclusion (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2020-14644] Oracle WebLogic Server - RCE (Insecure Deserialization) (@hnd3884) [critical] (vKEV) 🔥

What's Changed

💰 Bounties Rewarded 💰

CVE-2024-0799 - Arcserve Unified Data Protection - Authentication Bypass (Issue #13804, PR #13844)
CVE-2024-0801 - Arcserve Unified Data Protection - Denial of Service (Issue #13829, PR #13845)
CVE-2025-1023 - ChurchCRM - SQL Injection (Issue #13792, PR #13800)
CVE-2025-6403 - School Fees Payment System - SQL Injection (Issue #13785, PR #13786)
CVE-2025-51482 - Letta 0.7.12 - Remote Code Execution (Issue #13745, PR #13750)
CVE-2021-4374 - WordPress Automatic Plugin - Broken Access Control (Issue #13872, PR #13850)
CVE-2020-14644 - Oracle WebLogic Server (Issue #12428, PR #13846)

Bug Fixes

Corrected CVE-2025-64446 vulnerability details (PR #13947, PR #13932)
Updated CVE-2025-12101 with open redirect information (PR #13928)
Updated CVE-2021-39226 template (PR #13918)
Fixed external service interaction template (PR #13818, Issue #13765)
Corrected file path for CVE-2024-28623 (PR #13810)
Improved open-redirect-generic template accuracy (PR #13787)
Fixed command execution in CVE-2020-2883 template (PR #13780)
Enhanced CVE-2021-41467 with new matchers (PR #13776)
Corrected file naming for CVE-2016-8735 (PR #13773, Issue #13770)
Fixed payload typo in CVE-2023-38192 (PR #13760)
Corrected domain variable name in CVE-2025-59287 (PR #13759, PR #13756)
Updated PHP Backup template (PR #13753)
Fixed file naming for CVE-2022-26143 (PR #13749, Issue #13748)
Corrected CVSS score and severity mismatch in CVE-2024-30569 (Issue #13714)

False Negatives

Improved detection in CVE-2020-35338 template (Issue #13676)
Enhanced default-asp-net-page template to detect modern ASP.NET welcome pages (Issue #13543)

False Positives

CVE-2020-26948 (PR #13978)
CVE-2025-5777 / CitrixBleed 2 (PR #13905, PR #13815, Issue #13197)
CVE-2000-0760 Snoop.jsp endpoint detection (PR #13830, Issue #13522)
CVE-2023-37582 (PR #13823)
config-json.yaml exposure detection (PR #13774, Issue #13763)
External Service Interaction (Issue #13765)
api-dbt token spray (Issue #11289)
CVE-2017-3132 (Issue #10975)
OSINT user enumeration templates (Issue #10158, PR #13742)

Enhancements

Enhanced eclipse-birt-panel template detection (PR #13955)
Added missing service tags to improve categorization (PR #13926)
Fixed tag typos across multiple templates (PR #13925)
Resolved duplicate template ID issue in gradio-lfi (PR #13922, Issue #13917)
Enriched GITBLIT template detection (PR #13898)
Improved IIS Shortname detection capabilities (PR #13885, Issue #4911)
Enhanced CVE-2025-61884 and CVE-2025-61882 templates (PR #13822, Issue #13813)
Converted non-CVE templates to proper CVE template format (PR #13797, Issue #13779)
Enhanced AEM querybuilder bypass detection (PR #13746)
Added HTTP/2 protocol support improvements (Issue #13709)

Templates Added

[CVE-2025-64446] FortiWeb - Authentication Bypass (@dhiyaneshdk, @watchtowr, @rapid7, @defusedcyber) [critical] (vKEV) 🔥
[CVE-2025-64095] DNN - Unrestricted Arbitrary File Upload (@dhiyaneshdk, @pussycat0x) [critical] 🔥
[CVE-2025-61884] Oracle E-Business Suite - SSRF (@Kazgangap) [high] (vKEV) 🔥
[CVE-2025-59287] Windows Server Update Service - Insecure Deserialization (@pussycat0x, @princechaddha) [critical] (vKEV) 🔥
[CVE-2025-58443] FOGProject <= 1.5.10.1673 - Authentication Bypass (@oleveloper) [critical] 🔥
[CVE-2025-55190] ArgoCD Project API Token Repository Credentials Exposure (@nukunga[seunghyeonJeon]) [critical] 🔥
[CVE-2025-54253] Adobe Experience Manager - Deserialization (@ritikchaddha, @dhiyaneshdk, @s4e-io) [critical] (vKEV) 🔥
[CVE-2025-54236] Adobe Commerce - Authentication Bypass (@dhiyaneshdk, @slcyber, @johnk3r) [critical] (vKEV) 🔥
[CVE-2025-52665] UniFi Access - Broken Access Control (@theamanrawat, @dhiyaneshdk) [critical] 🔥
[CVE-2025-52472] XWiki - HQL Injection (@ritikchaddha) [high]
[CVE-2025-51991] XWiki <= 17.3.0 - Server-Side Template Injection (SSTI) (@0x_Akoko) [critical]
[CVE-2025-51990] XWiki – Stored XSS (XSS) (@0x_Akoko) [medium]
[CVE-2025-51482] Letta Letta 0.7.12 - RCE (@RaghavArora14) [high]
[CVE-2025-44137] MapTiler Tileserver-php v2.0 - Unauth File Read (@0x_Akoko) [high]
[CVE-2025-44136] MapTiler Tileserver-php v2.0 - Unauth XSS (@0x_Akoko) [medium]
[CVE-2025-41243] Spring Cloud Gateway Server Webflux - Broken Access Control (@Redmomn) [critical] 🔥
[CVE-2025-32429] XWiki Platform - SQL Injection (@ritikchaddha) [critical]
[CVE-2025-31486] Vite server.fs.deny Bypass - Local File Inclusion (@wn147) [medium]
[CVE-2025-24354] Imgproxy < 3.27.2 - SSRF (SSRF) (@oksuzkayra) [medium]
[CVE-2025-12480] Triofox - Improper Access Control (@johnk3r, @GTi) [critical]
[CVE-2025-12101] Citrix NetScaler ADC & Gateway - Reflected XSS / Open Redirect (@dhiyaneshdk, @watchtowr) [medium] 🔥
[CVE-2025-11749] WordPress AI Engine Plugin - Token Exposure (@4m3rr0r) [critical] 🔥
[CVE-2025-9985] Featured Image from URL (FIFU) <= 5.2.7 - Unauth Information Exposure via Log File (@zer0p0int) [medium]
[CVE-2025-8943] Flowise < 3.0.1 - Remote Command Execution (@zezezez) [critical] 🔥
[CVE-2025-6403] Code-Projects School Fees Payment System 1.0 - SQL Injection (@hnd3884) [critical]
[CVE-2025-6174] WordPress Qwizcards < 3.95 - XSS (Reflected) (@0x_Akoko) [medium]
[CVE-2025-5605] WSO2 Management Console - Authentication Bypass (@dhiyaneshdk) [medium]
[CVE-2025-4302] Stop User Enumeration WordPress plugin - Authentication Bypass (@Kazgangap) [medium]
[CVE-2025-1550] Keras Model.load_model - Arbitrary Code Execution (@nukunga[seunghyeonJeon]) [critical] 🔥
[CVE-2025-1302] JSONPath Plus < 10.3.0 - RCE (@Jaenact) [critical] 🔥
[CVE-2025-1023] ChurchCRM - SQL Injection (@Kazgangap) [critical]
[CVE-2024-53900] Mongoose < 8.8.3 - RCE (@h4mg) [critical] 🔥
[CVE-2024-50857] GestioIP - Reflected XSS (@gaurang) [medium]
[CVE-2024-47575] FortiManager Unauth RCE (@0x_Akoko, @pussycat0x, @watchtowr) [critical] (vKEV) 🔥
[CVE-2024-37656] GnuBoard5 5.5.16 - Open Redirect (@0x_Akoko) [medium]
[CVE-2024-28623] RiteCMS 3.0.0 - XSS (@0x_Akoko) [medium]
[CVE-2024-27443] Zimbra Collaboration - XSS (XSS) (@rxerium) [medium] (vKEV) 🔥
[CVE-2024-23108] Fortinet FortiSIEM - OS Command Injection (@0x_Akoko) [critical] (vKEV) 🔥
[CVE-2024-11238] Landray EKP - Path Traversal (@theamanrawat) [medium]
[CVE-2024-10146] Simple File List < 6.1.13 - Reflected XSS (@0x_AKoko) [medium]
[CVE-2024-8852] All-in-One WP Migration < 7.87 - Unauth Information Disclosure (@flx) [medium]
[CVE-2024-6690] WP Content Copy Protection & No Right Click - Open Redirect (@0x_Akoko) [medium]
[CVE-2024-4180] The Events Calendar < 6.4.0.1 - XSS (@0x_Akoko) [medium]
[CVE-2024-0801] Arcserve Unified Data Protection - Unauth DoS in ASNative.dll (@daffainfo) [high]
[CVE-2024-0799] Arcserve Unified Data Protection - Authentication Bypass (@daffainfo) [critical]
[CVE-2023-39121] Emlog 2.1.9 - SQL Injection (@wjch611) [high]
[CVE-2023-34048] VMware vCenter Server - Out-of-Bounds Write (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2023-2437] UserPro <= 5.1.1 - Authentication Bypass (@intelligent-ears) [critical] (vKEV) 🔥
[CVE-2022-26143] Mitel MiCollab - Information Disclosure & Denial of Service (@theamanrawat) [critical]
[CVE-2021-45467] Control Web Panel (CWP) - File Inclusion (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2021-41419] QVIS NVR/DVR - RCE (@me91...

Contributors

flx, gaurang, and 53 other contributors

Assets 3

26 Oct 14:07

princechaddha

v10.3.1

5b4f5ca

Nuclei Templates v10.3.1 - Release Notes

New Templates Added: `119` | CVEs Added: `88` | First-time contributions: `10` | Bounties rewarded: `12`

🔥 Release Highlights 🔥

[CVE-2025-49844] Redis Lua Parser < 8.2.2 - Use After Free (@pussycat0x) [critical] 🔥
[CVE-2025-46819] Redis < 8.2.1 Lua Long-String Delimiter - Out-of-Bounds Read (@pussycat0x) [high] 🔥
[CVE-2025-46818] Redis Lua Sandbox < 8.2.2 - Cross-User Escape (@pussycat0x) [high] 🔥
[CVE-2025-46817] Redis < 8.2.1 lua script - Integer Overflow (@pussycat0x) [critical] 🔥
[CVE-2025-20281] Cisco ISE - Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
[CVE-2024-42009] Roundcube Webmail - Cross-Site Scripting (@rxerium) [critical] (vKEV) 🔥
[CVE-2023-40044] WS_FTP Server - Insecure Deserialization (@0x_Akoko) [critical] (vKEV) 🔥
[CVE-2023-37582] Apache RocketMQ - Remote Command Execution (@daffainfo) [critical] (vKEV) 🔥
[CVE-2023-21839] Oracle WebLogic Server - Unauthorized Access (@daffainfo) [high] (vKEV) 🔥
[CVE-2023-3519] Citrix NetScaler ADC and NetScaler Gateway - RCE (@pussycat0x, @ritikchaddha) [critical] (vKEV) 🔥
[CVE-2022-31711] VMware vRealize Log Insight < v8.10.2 - Information Disclosure (@dhiyaneshdk) [medium] 🔥
[CVE-2022-31706] VMware vRealize Log Insight - Path Traversal (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2022-31704] VMware vRealize Log Insight - Improper Access Control to RCE (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2022-24682] Zimbra Collaboration Suite < 8.8.15 - Improper Encoding (@rxerium) [medium] 🔥
[CVE-2022-24086] Adobe Commerce (Magento) - Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
[CVE-2022-22956] VMware Workspace ONE Access - Authentication Bypass (@daffainfo) [critical] (vKEV) 🔥
[CVE-2021-33766] Microsoft Exchange - Authentication Bypass (@daffainfo) [high] (vKEV) 🔥
[CVE-2021-32478] Moodle 3.8-3.10.3 - Reflected XSS & Open Redirect (@hackergautam) [medium] 🔥
[CVE-2021-30118] Kaseya VSA < 9.5.7 - Arbitrary File Upload to Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
[CVE-2021-30116] Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent (@daffainfo) [critical] (vKEV) 🔥
[CVE-2021-26072] Atlassian Confluence < 5.8.6 - Server-Side Request Forgery (@TechbrunchFR) [medium] 🔥
[CVE-2021-24220] Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload (@pussycat0x) [critical]
[CVE-2021-3287] Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution (@theamanrawat) [critical] (vKEV) 🔥
[CVE-2020-3952] VMware vCenter Server LDAP Broken Access Control (@0x_Akoko) [critical] (vKEV) 🔥
[CVE-2020-2883] Oracle WebLogic Server - Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
[CVE-2019-16072] Enigma NMS < 65.0.0 - Authenticated OS Command Injection (@0x_Akoko) [critical]
[CVE-2019-12989] Citrix SD-WAN and NetScaler SD-WAN - SQL Injection (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2018-18325] DotNetNuke 9.2 - 9.2.2 - Weak Encryption & Cookie Deserialization (@pdteam) [high] 🔥
[CVE-2018-15811] DotNetNuke 9.2 - 9.2.1 - Weak Encryption & Cookie Deserialization (@pdteam) [high] 🔥
[CVE-2018-11138] Quest KACE System Management Appliance 8.0.318 - RCE (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2017-18362] Kaseya VSA 2017 ConnectWise ManagedITSync - RCE (@pussycat0x) [critical] (vKEV) 🔥
[CVE-2010-20103] ProFTPd-1.3.3c - Backdoor Command Execution (@pussycat0x) [critical] 🔥

What's Changed

💰 Bounties Rewarded 💰

CVE-2025-20281 - Cisco ISE - Remote Code Execution (KEV and vKEV) (PR #13610)
CVE-2022-22956 - VMware Workspace ONE Access - Authentication Bypass (vKEV) (PR #13597)
CVE-2023-37582 - Apache RocketMQ NameServer - Remote Command Execution (vKEV) (PR #13580)
CVE-2021-30118 - Kaseya VSA - Arbitrary File Upload Leading to RCE (vKEV) (PR #13560)
CVE-2021-30116 - Kaseya VSA - Credential Disclosure (KEV and vKEV) (PR #13558)
CVE-2023-30194 - PrestaShop posstaticfooter - SQL Injection (vKEV) (PR #13551)
CVE-2021-33766 - Microsoft Exchange Server - Information Disclosure (KEV and vKEV) (PR #13547)
CVE-2023-21839 - Oracle WebLogic Server - Unauthorized Access (KEV and vKEV) (PR #13546)
CVE-2021-38154 - Canon Devices - Authentication Bypass (vKEV) (PR #13545)
CVE-2022-31181 - PrestaShop - SQL Injection (vKEV) (PR #13544)
CVE-2022-43939 - Hitachi Vantara Pentaho - Security Restriction Bypass (KEV and vKEV) (PR #13395)

Bug Fixes

Fixed CVE-2025-49825 version matching (PR #13701)
Fixed typo in CVE-2021-35064.yaml (PR #13699)
Fixed detection in CVE-2022-31711.yaml (PR #13618)
Fixed typo in BIGipServer matcher (PR #13633)
Fixed CVE-2022-22956.yaml (PR #13673)
Fixed IBM Eclipse Help System false positive (PR #13589)

False Negatives

Addressed false negative in CVE-2025-61882 template (Issue #13540)
Addressed false negative in generic-linux-lfi.yaml (Issue #12864)
Addressed false negative in CVE-2023-20198 Cisco IOS XE RCE (Issue #12324)

False Positives

Reduced false positives and improved accuracy in the following templates:
- CVE-2024-2782 (Issue #13525, PR #13668)
- CVE-2020-11514 (Issue #13520)
- CVE-2025-5777 - CitrixBleed 2 (Issue #13197)
- CVE-2022-1595.yaml - Multiple false positives (Issue #12792)
- addeventlistener-detect (Issue #11589)
- external-service-interaction (Issue #10850)

Enhancements

Implemented asset-discovery and vulnerability detection distinction across templates (PR #13648)
Enhanced Hashicorp Vault detection by removing vault-unsealed-unauth and improving hashicorp-vault-detect (PR #13660)
Enhanced XWiki RCE detection capabilities (PR #13684)
Added new POC for yonyou-nc-arbitrary-file-read (PR #13624)
Improved Moodle changelog file detection for newer versions (PR #13654)
Removed cloudapp.net from takeover templates as no longer exploitable (PR #13679)
Enhanced SNMPv3 fingerprint detection (PR #13661)

Templates Added

[CVE-2025-61666] Traccar(Windows) 6.1- 6.8.1 - Local File Inclusion (@securitytaters) [high]
[CVE-2025-59049] Mockoon < 9.2.0 - Path Traversal (@iamnoooob, @rootxharsh, @pdresearch) [high]
[CVE-2025-58751] Vite Dev Server - Path Traversal (@wn147) [low]
[CVE-2025-57808] ESPHome - Authentication Bypass (@Sean-Kim) [high]
[CVE-2025-55748] XWiki Platform - Path Traversal (@Redmomn) [high]
[CVE-2025-55747] XWiki Platform - Information Disclosure (@Redmomn) [high]
[CVE-2025-53771] Microsoft SharePoint Server - AuthBypass (ToolShell) (@_l0gg, @SamIntruder, @sfewer-r7, @iamnoooob, @pdresearch) [medium] (vKEV) 🔥
[CVE-2025-49844] Redis Lua Parser < 8.2.2 - Use After Free (@pussycat0x) [critical] 🔥
[CVE-2025-48703] CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution (@theamanrawat) [critical] (vKEV)
[CVE-2025-46819] Redis < 8.2.1 Lua Long-String Delimiter - Out-of-Bounds Read (@pussycat0x) [high] 🔥
[CVE-2025-46818] Redis Lua Sandbox < 8.2.2 - Cross-User Escape (@pussycat0x) [high] 🔥
[CVE-2025-46817] Redis < 8.2.1 lua script - Integer Overflow (@pussycat0x) [critical] 🔥
[CVE-2025-34509] Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials (@daffainfo) [high]
[CVE-2025-34038] Fanwei e-cology - SQL Injection (@ritikchaddha) [high]
[CVE-2025-25037] Aquatronica Controller System <= 5.1.6 - Information Disclosure (@s4e-io) [high]
[CVE-2025-25034] SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection (@Redmomn) [critical] (vKEV)
[CVE-2025-20281] Cisco ISE - Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
[CVE-2025-11750] Dify - User Enumeration via "Account not found" Message (@Kazgangap) [medium]
[CVE-2025-11371] Gladinet CentreStack & TrioFox - Local File Inclusion (@Kazgangap) [medium]
[CVE-2025-9242] WatchGuard IKEv2 Out-of-Bounds Write Vulnerability (@pussycat0x, @dhiyaneshdk, @watchtowr) [critical]
[CVE-2025-9196] Trinity Audio <= 5.21.0 - Information Exposure (@Kazgangap) [medium]
[CVE-2025-5701] HyperComments <= 1.2.2 - Arbitrary Options Update (@kylew1004) [critical]
[CVE-2024-42009] Roundcube Webmail - Cross-Site Scripting (@rxerium) [critical] (vKEV) 🔥
[CVE-2024-35286] Mitel MiCollab <= 9.8.0.33 - SQL Injection (@daffainfo) [critical]
[CVE-2024-13979] St. Joe ERP system - SQL Injection (@dhiyaneshdk) [critical]
[CVE-2024-10708] System Dashboard < 2.8.15 - Admin+ Path Traversal (@0x_Akoko) [medium]
[CVE-2024-9166] TitanNit Web Control 2.01/Atemio 7600 - Remote Code Execution (@dhiyaneshdk) [critical]
[CVE-2023-40044] WS_FTP Server - Insecure Deserialization (@0x_Akoko) [critical] (vKEV) 🔥
[CVE-2023-37582] Apache RocketMQ - Remote Command Execution (@daffainfo) [critical] (vKEV) 🔥
[CVE-2023-34133] SonicWall GMS and Analytics - SQL Injection (@theamanrawat) [high] (vKEV)
[CVE-2023-30194] Prestashop posstaticfooter <= 1.0.0 - SQL Injection (@daffainfo) [critical]
[CVE-2023-21839] Oracle WebLogic Server - Unauthorized Access (@daffainfo) [high] (vKEV) 🔥
[CVE-2023-6655] Hongjing e-HR 2020 - SQL Injection (@pussycat0x) [high]
[CVE-2023-3519] Citrix NetScaler ADC and NetScaler Gateway - RCE (@pussycat0x, @ritikchaddha) [critical] (vKEV) 🔥
[CVE-2022-48323] Sunflower Simple and Personal 1.0.1.43315 - Remote Code Execution (@daffainfo) [critical]
[CVE-2022-43939] Hitachi Pentaho Business Analytics Server - Bypass Authorization (@daffainfo) [high]
[CVE-2022-38812] AeroCMS 0.1.1 - SQL Injection (@shivampand3y) [medium]
[CVE-2022-37122] Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Path Traversal (@gy741) [high]
[CVE-2022-31711] VMware vRealize Log Insight < v8.10.2 - Information Disclosure (@dhiyaneshdk) [medium] 🔥
[CVE-2022-31706] VMware vRealize Log Insight - Path Traversal (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2022-31704] VMware vRealize Log Insight - Improper Access Control to RCE (@ritikchaddha) [critical] (vKEV) 🔥
[CVE-2022-31181] Presta...

Contributors

Krishna, ranjan, and 48 other contributors

Assets 3

08 Oct 04:46

princechaddha

v10.3.0

7bd4527

Nuclei Templates v10.3.0 - Release Notes

New Templates Added: `124` | CVEs Added: `90` | First-time contributions: `6`

🔥 Release Highlights 🔥

[CVE-2025-61882] Oracle E-Business Suite 12.2.3–12.2.14 – RCE (@dhiyaneshdk, @watchtowr) [critical] 🔥 (KEV) (vKEV)
[CVE-2025-54251] Adobe Experience Manager ≤ 6.5.23.0 - XML Injection (@dhiyaneshdk, @assetnote) [medium] 🔥
[CVE-2025-54249] Adobe Experience Manager ≤ 6.5.23.0 – SSRF (@dhiyaneshdk, @assetnote) [medium] 🔥
[CVE-2025-49825] Teleport - Auth Bypass (@pdteam) [critical] 🔥
[CVE-2025-36604] Dell UnityVSA < 5.5 - Remote Command Injection (@dhiyaneshdk, @watchtowr) [critical] 🔥
[CVE-2025-20362] Cisco Secure Firewall ASA & FTD - Auth Bypass (@dhiyaneshdk, @attackerkb) [medium] 🔥 (KEV) (vKEV)
[CVE-2025-10035] GoAnywhere - Auth Bypass (@dhiyaneshdk, @watchtowr) [critical] 🔥 (KEV) (vKEV)
[CVE-2025-0282] Ivanti Connect Secure - Stack-based Buffer Overflow (@ritikchaddha) [critical] 🔥 (KEV) (vKEV)
[CVE-2024-0593] WordPress Simple Job Board - Unauthorized Data Access (@zer0p0int) [medium] 🔥
[CVE-2023-26258] Arcserve UDP <= 9.0.6034 - Auth Bypass (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-6933] Better Search Replace < 1.4.5 - PHP Object Injection (@pussycat0x) [critical] 🔥
[CVE-2023-5559] 10Web Booster < 2.24.18 - Unauth Arbitrary Option Deletion (@daffainfo) [critical] 🔥
[CVE-2023-4666] Form-Maker < 1.15.20 - Unauth Arbitrary File Upload (@pussycat0x) [critical] 🔥
[CVE-2022-41352] Zimbra Collaboration - Unrestricted File Upload (@rxerium) [critical] 🔥 (KEV) (vKEV)
[CVE-2022-38627] Nortek Linear eMerge E3-Series - SQL Injection (@daffainfo, @omarhashem666) [critical] 🔥 (vKEV)
[CVE-2022-3590] WordPress <= 6.2 - Server Side Request Forgery (@riteshs4hu) [medium] 🔥 (vKEV)
[CVE-2022-3481] NotificationX Dropshipping < 4.4 - SQL Injection (@ritikchaddha) [critical] 🔥 (vKEV)
[CVE-2022-3477] WordPress tagDiv Composer < 3.5 - Auth Bypass (@melmathari) [critical] 🔥 (vKEV)
[CVE-2021-42359] WP DSGVO Tools (GDPR) <= 3.1.23 - Unauth Arbitrary Post Deletion (@daffainfo) [high] 🔥
[CVE-2021-34622] WordPress ProfilePress <= 3.1.3 - Privilege Escalation (@Sourabh-Sahu) [critical] 🔥 (vKEV)
[CVE-2021-24295] Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 - Unauth Blind SQLi (@dhiyaneshdk) [high] 🔥
[CVE-2021-24175] The Plus Addons for Elementor Page Builder < 4.1.7 - Auth Bypass (@pussycat0x) [critical] 🔥
[CVE-2021-20021] SonicWall Email Security <= 10.0.9.x - Unauth Admin Account Creation (@pussycat0x) [critical] 🔥 (KEV) (vKEV)
[CVE-2021-4380] Pinterest Automatic < 4.14.4 - Unauth Arbitrary Options Update (@s4e-io) [critical] 🔥
[CVE-2020-36731] Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauth Arbitrary Plugin Settings Update (@popcorn94) [high] 🔥
[CVE-2020-36719] ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation (@ritikchaddha) [critical] 🔥 (vKEV)
[CVE-2020-36705] Adning Advertising <= 1.5.5 - Arbitrary File Upload (@dhiyaneshdk) [critical] 🔥
[CVE-2020-13640] wpDiscuz <= 5.3.5 - SQL Injection (@Sourabh-Sahu) [critical] 🔥
[CVE-2020-9480] Apache Spark - Auth Bypass (@riteshs4hu) [critical] 🔥 (vKEV)
[CVE-2020-8657] EyesOfNetwork - Hardcoded API Key (@daffainfo) [critical] 🔥
[CVE-2020-8656] EyesOfNetwork - Hardcoded API Key & SQL Injection (@ritikchaddha) [critical] 🔥
[CVE-2019-25152] Abandoned Cart Lite for WooCommerce < 5.2.0 - Cross-Site Scripting (@dhiyaneshdk) [high] 🔥
[CVE-2019-17232] WordPress Ultimate FAQs <= 1.8.24 – Unauth Options Import and Export (@daffainfo) [high] 🔥
[CVE-2019-11886] Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation (@daffainfo) [high] 🔥
[CVE-2019-9621] Zimbra Collaboration Suite - SSRF (@riteshs4hu) [high] 🔥 (KEV) (vKEV)
[CVE-2019-7276] Optergy Proton/Enterprise - Unauth RCE via Backdoor Console (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2019-6703] Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update (@dhiyaneshdk) [critical] 🔥
[CVE-2018-1217] Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control (@daffainfo) [critical] 🔥
[CVE-2016-10972] Newspaper Theme 6.4–6.7.1 - Privilege Escalation (@pussycat0x) [critical] 🔥

What's Changed

💰 Bounties Rewarded 💰

CVE-2024-28000 LiteSpeed Technologies LiteSpeed Cache privilege escalation 💰 (Issue #13222)
CVE-2024-23660 Binance Trust Wallet insecure mnemonic generation 💰 (Issue #13315)
CVE-2022-3477 tagDiv Composer broken authentication 💰 (Issue #12752, PR #13194)
CVE-2023-23063 vKEV template 💰 (PR #13396)
CVE-2022-38840 vKEV template 💰 (PR #13382)
CVE-2022-38627 vKEV template 💰 (PR #13372)
CVE-2022-3805 vKEV template 💰 (PR #13403)
CVE-2021-3122 vKEV template 💰 (PR #13412)
CVE-2019-18952 vKEV template 💰 (PR #13425)
CVE-2019-9621 KEV & vKEV template 💰 (PR #13409)
CVE-2018-1217 vKEV template 💰 (PR #13418)
CVE-2015-9415 vKEV template 💰 (PR #13419)

Bug Fixes

Fixed false positives in CVE-2024-43441.yaml template (Issue #13317)
Fixed CVE-2021-30175 template (PR #13375)
Corrected CVSS score for CVE-2025-49825 (PR #13446)
Fixed false positives in CVE-2022-37932 by updating flow (PR #13427)
Resolved wix-takeover false positive issues (PR #13477)
Fixed addeventlistener-detect template (PR #13462)

False Negatives

Addressed CORS detection for OWASP JuiceShop Access-Control-Allow-Origin: * (Issue #13402)

False Positives

Reduced false positives in CVE-2024-43441.yaml template (Issue #13317)
Fixed false positives in wix-takeover template (PR #13477)
Corrected false positives in CVE-2022-37932 template (PR #13427)

Enhancements

Enhanced Google CSP bypass detection vector (PR #13500)
Added user and password fields to config-json.yaml for better extraction (PR #13445)
Improved vKEV workflow and updated missing tags (PR #13374)
Added credentialed CORS with reflected Origin detection (PR #13441)
Added blind SSRF (OAST) multiparam fuzzing template (PR #13440)
Added Swagger/OpenAPI/GraphQL API inventory template (PR #13442)

Templates Added

[CVE-2025-61882] Oracle E-Business Suite 12.2.3–12.2.14 – RCE (@dhiyaneshdk, @watchtowr) [critical] 🔥 (KEV) (vKEV)
[CVE-2025-59474] Jenkins Sidepanel - Unauthorized Agent/Queue Exposure (@ivaldivieso) [medium]
[CVE-2025-54251] Adobe Experience Manager ≤ 6.5.23.0 - XML Injection (@dhiyaneshdk, @assetnote) [medium] 🔥
[CVE-2025-54249] Adobe Experience Manager ≤ 6.5.23.0 – SSRF (@dhiyaneshdk, @assetnote) [medium] 🔥
[CVE-2025-49825] Teleport - Authentication Bypass (@pdteam) [critical] 🔥
[CVE-2025-36604] Dell UnityVSA < 5.5 - Remote Command Injection (@dhiyaneshdk, @watchtowr) [critical] 🔥
[CVE-2025-27225] TRUfusion Enterprise <= 7.10.4.0 - Admin Contact Portal (@dhiyaneshdk, @rcesecurity) [high]
[CVE-2025-27223] TRUfusion Enterprise <= 7.10.4.0 - Authentication Bypass (@dhiyaneshdk, @rcesecurity) [critical]
[CVE-2025-27222] TRUfusion Enterprise <= 7.10.4.0 - Path Traversal (@dhiyaneshdk, @rcesecurity) [critical]
[CVE-2025-20362] Cisco Secure Firewall ASA & FTD - Authentication Bypass (@dhiyaneshdk, @attackerkb) [medium] 🔥 (KEV) (vKEV)
[CVE-2025-10035] GoAnywhere - Authentication Bypass (@dhiyaneshdk, @watchtowr) [critical] 🔥 (KEV) (vKEV)
[CVE-2025-8868] Chef Automate < 4.13.295 — SQL Injection (@3th1c_yuk1, @xbow) [critical]
[CVE-2025-6205] DELMIA Apriso - Broken Access Control (@iamnoooob, @rootxharsh, @parthmalhotra, @pdresearch) [high]
[CVE-2025-6204] DELMIA Apriso - Command Injection (@iamnoooob, @rootxharsh, @parthmalhotra, @pdresearch) [critical]
[CVE-2025-0282] Ivanti Connect Secure - Stack-based Buffer Overflow (@ritikchaddha) [critical] 🔥 (KEV) (vKEV)
[CVE-2024-48651] ProFTPD ≤ 1.3.8b - Privilege Escalation via mod_sql (@pussycat0x) [high]
[CVE-2024-48208] Pure-FTPd < 1.0.52 - Buffer Overflow (@pussycat0x) [high]
[CVE-2024-31839] CHAOS 5.0.1 'sendCommandHandler' - Cross-Site Scripting (@riteshs4hu) [medium]
[CVE-2024-0593] WordPress Simple Job Board - Unauthorized Data Access (@zer0p0int) [medium] 🔥
[CVE-2023-51713] ProFTPD < 1.3.8a - DoS via Out-of-Bounds Read (@pussycat0x) [high]
[CVE-2023-26258] Arcserve UDP <= 9.0.6034 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
[CVE-2023-23063] Cellinx NVT Web Server - Local File Disclosure (@daffainfo) [high]
[CVE-2023-22629] TitanFTP move-file Function ≤ 1.94.1205 - Path Traversal (@pussycat0x) [high]
[CVE-2023-6933] Better Search Replace < 1.4.5 - PHP Object Injection (@pussycat0x) [critical] 🔥
[CVE-2023-5559] 10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion (@daffainfo) [critical] 🔥
[CVE-2023-4666] Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload (@pussycat0x) [critical] 🔥
[CVE-2023-3169] tagDiv Composer < 4.2 - Stored Cross-Site Scripting (@ritikchaddha) [high]
[CVE-2022-41352] Zimbra Collaboration - Unrestricted File Upload (@rxerium) [critical] 🔥 (KEV) (vKEV)
[CVE-2022-38840] Güralp MAN-EAM-0003 3.2.4 - XML External Entity (XXE) (@daffainfo) [high]
[CVE-2022-38627] Nortek Linear eMerge E3-Series - SQL Injection (@daffainfo, @omarhashem666) [critical] 🔥 (vKEV)
[CVE-2022-25322] ZEROF Web Server 2.0 - SQL Injection (@daffainfo) [critical]
[CVE-2022-3805] Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update (@dhiyaneshdk, @popcorn94) [high]
[CVE-2022-3590] WordPress <= 6.2 - Server Side Request Forgery (@riteshs4hu) [medium] 🔥 (vKEV)
[CVE-2022-3481] NotificationX Dropshipping < 4.4 - SQL Injection (@ritikchaddha) [critical] 🔥 (vKEV)
[CVE-2022-3477] WordPress tagDiv Composer < 3.5 - Authentication Bypass (@melmathari) [critical] 🔥 (vKEV)
[CVE-2021-42359] WP DSGVO Tools (GDPR) <= 3.1.23 - Unauthenticated Arbitrary Post Deletion (@daffainfo) [high] 🔥
[CVE-2021-40524] Pure-FTPd 1.0.23 < 1.0.50 - Arbitrary File Upload (@pussycat0x) [high]
[CVE-2021-34622] WordPress ProfilePre...

Contributors

andrew, righettod, and 35 other contributors

Assets 3

Releases: projectdiscovery/nuclei-templates

Nuclei Templates v10.4.0 – Release Notes

New Templates Added: 94 | CVEs Added: 47 | First-time contributions: 12

🔥 Release Highlights 🔥

What's Changed

Templates Added

Contributors

Uh oh!

Nuclei Templates v10.3.9 – Release Notes

New Templates Added: 182 | CVEs Added: 116 | First-time contributions: 7

🔥 Release Highlights 🔥

What's Changed

Templates Added

Contributors

Uh oh!

Nuclei Templates v10.3.8 – Release Notes

New Templates Added: 457 | CVEs Added: 43 | First-time contributions: 13

🔥 Release Highlights 🔥

What's Changed

Templates Added

Contributors

Uh oh!

Nuclei Templates v10.3.7 – Release Notes

New Templates Added: 102 | CVEs Added: 42 | First-time contributions: 9 | Bounties rewarded: 16

🔥 Release Highlights 🔥

What's Changed

Templates Added

Contributors

Uh oh!

🎄 Nuclei Templates v10.3.6 – Christmas Release Notes

New Templates Added: 163 | CVEs Added: 57 | First-time contributions: 6 | Bounties rewarded: 4

🔥 Release Highlights 🔥

What's Changed

Templates Added

Contributors

Uh oh!

Nuclei Templates v10.3.5 - Release Notes

New Templates Added: 57 | CVEs Added: 33

🔥 Release Highlights 🔥

What's Changed

Templates Added

New Contributors

Contributors

Uh oh!

Nuclei Templates v10.3.4 - Release Notes

New Templates Added: 68 | CVEs Added: 27 | First-time contributions: 11 | Bounties rewarded: 3

🔥 Release Highlights 🔥

What's Changed

Templates Added

New Contributors

Contributors

Uh oh!

Nuclei Templates v10.3.2 - Release Notes

New Templates Added: 129 | CVEs Added: 56 | First-time contributions: 9 | Bounties rewarded: 7

🔥 Release Highlights 🔥

What's Changed

Templates Added

Contributors

Uh oh!

Nuclei Templates v10.3.1 - Release Notes

New Templates Added: 119 | CVEs Added: 88 | First-time contributions: 10 | Bounties rewarded: 12

🔥 Release Highlights 🔥

What's Changed

Templates Added

Contributors

Uh oh!

Nuclei Templates v10.3.0 - Release Notes

New Templates Added: 124 | CVEs Added: 90 | First-time contributions: 6

🔥 Release Highlights 🔥

What's Changed

Templates Added

Contributors

Uh oh!

New Templates Added: `94` | CVEs Added: `47` | First-time contributions: `12`

New Templates Added: `182` | CVEs Added: `116` | First-time contributions: `7`

New Templates Added: `457` | CVEs Added: `43` | First-time contributions: `13`

New Templates Added: `102` | CVEs Added: `42` | First-time contributions: `9` | Bounties rewarded: `16`

New Templates Added: `163` | CVEs Added: `57` | First-time contributions: `6` | Bounties rewarded: `4`

New Templates Added: `57` | CVEs Added: `33`

New Templates Added: `68` | CVEs Added: `27` | First-time contributions: `11` | Bounties rewarded: `3`

New Templates Added: `129` | CVEs Added: `56` | First-time contributions: `9` | Bounties rewarded: `7`

New Templates Added: `119` | CVEs Added: `88` | First-time contributions: `10` | Bounties rewarded: `12`

New Templates Added: `124` | CVEs Added: `90` | First-time contributions: `6`