github danielmiessler/SecLists 2025.3
on GitHub

13 hours ago

Important changes

📛 Deprecated DirBuster wordlists

The dirbuster wordlists were made in 2007, and are now considered obsolete. Instead, these wordlists are recommended for testing modern web environments:

  • Discovery/Web-Content/combined_words.txt
  • Discovery/Web-Content/combined_directories.txt

Both of these wordlists are composed of various other wordlists in that same directory, and are automatically updated whenever one of their components is modified. For more information see the README.md for Discovery/Web-Content.

The dirbuster wordlists will remain contained in SecLists, but they now have the DirBuster-2007 prefix to highlight their age.

📛 Dangerous SQLi payloads

The SQL Injection wordlists contained in Fuzzing/Databases/SQLi are not safe to use on production environments. Many of those wordlists contain potentially destructive queries which may permanently delete data on any databases they're used on. A warning has been added to the README.md for that directory. For more information see issue #1011

New content

  • ✨ feat(wordlist): Created Active Directory wordlist (PR #1224)
  • ✨ feat(docs): Added "GENOVEVA" tool to readme (PR #1200)
  • ✨ feat(docs): Added alternative reference to docs
  • ✨ feat(docs): Added documentation for the 'cirt-net_collection.txt' wordlist
  • ✨ feat(docs): Added documentation for the 'Java-Spring-Boot.txt' wordlist
  • ✨ feat(docs): Added documentation for the 'xato-net-10-million-passwords' wordlists
  • ✨ feat(wordlist): Added 'encryptionkeys' directory to 'common_directories.txt'
  • ✨ feat(wordlist): Added /etc/apache2/.htpasswd to LFI fuzzing lists (PR #1223)
  • ✨ feat(wordlist): Added a dictionary for Model Context Protocol server discovery. (PR #1216)
  • ✨ feat(wordlist): Added common Spanish names and words (PR #1199)
  • ✨ feat(wordlist): Added default SSH password "padmin:padmin" for IBM Power Systems (PR #1211)
  • ✨ feat(wordlist): Added IANA mime-types to "web-all-content-types.txt" (PR #1204)
  • ✨ feat(wordlist): Added mcp-server.txt entries to common.txt
  • ✨ feat(wordlist): Added more OBEX common filenames and cleaned OBEX wordlists (PR #1249)
  • ✨ feat(wordlist): Added more permutations to 'common_directories.txt'
  • ✨ feat(wordlist): Added more swagger endpoints (PR #1219)
  • ✨ feat(wordlist): Added new payload to 'SAP' wordlist (PR #1196)
  • ✨ feat(wordlist): Added prefixes to deal with Java-Spring-Boot being behind spring-cloud-gateway (PR #1220)
  • ✨ feat(wordlist): Added Quectel to default-passwords.csv + updated default-passwords.txt (PR #1208)
  • ✨ feat(wordlist): Added readme.md to "Discovery/Web-Content/big.txt" (PR #1248)
  • ✨ feat(wordlist): Added YYYY-MM-DD dates wordlists (PR #1217)

Other changes

  • 🐛 fix(wordlist): Added 'DirBuster-2007' prefix to all DirBuster wordlists
  • 🐛 fix(cicd): Removed trailing spaces from wordlist-updater_default-passwords.yml (PR #1243)
  • 🐛 fix(cicd): Updated paths in the 'Wordlist Updater - Combined directories' pipeline
  • 🐛 fix(docs): Updated filenames that compose 'combined_directories.txt'
  • 🐛 fix(wordlist): Cleaned up '100k-most-used-passwords-NCSC.txt' (PR #1235)
  • 🐛 fix(wordlist): Fixed encoding in "100k-most-used-passwords-NCSC.txt" (PR #1226)
  • 🐛 fix(wordlist): Updated curl-protocols wordlist (PR #1237)
  • 🔧 chore(wordlist): Moved 'curl-protocols.txt' wordlist to the 'Fuzzing' directory

New Contributors

Full Changelog: 2025.2...2025.3

Check out latest releases or
releases around danielmiessler/SecLists 2025.3

Don't miss a new SecLists release

NewReleases is sending notifications on new releases.

Get notifications