What's Changed
🔥 Release Highlights 🔥
- [CVE-2025-29927] Next.js Middleware Bypass (@pdresearch, @pdteam, @hazedic) [critical] 🔥
- [CVE-2025-26319] FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload (@iamnoooob, @rootxharsh, @pdresearch) [high] 🔥
- [CVE-2025-25291] GitLab - SAML Authentication Bypass (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2025-24813] Apache Tomcat Path Equivalence - RCE (@iamnoooob, @rootxharsh, @pdresearch, @themiddle) [critical] 🔥
- [CVE-2025-2825] CrushFTP - Authentication Bypass (@parthmalhotra, @Ice3man, @dhiyaneshdk, @pdresearch) [critical] 🔥
- [CVE-2025-1974] Ingress-Nginx Controller - Remote Code Execution (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2025-1661] HUSKY – for WooCommerce <= 1.3.6.5 - Unauth LFI (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2024-53991] Discourse Backup File Disclosure - Nginx Configuration (@iamnoooob, @rootxharsh, @pdresearch) [high] 🔥
- [CVE-2024-51378] CyberPanel - Command Injection (@ritikchaddha) [critical] 🔥
- [CVE-2024-13496] GamiPress <= 2.8.9 - SQL Injection (@ritikchaddha) [high] 🔥
- [CVE-2023-22952] SugarCRM Unauthenticated - Remote Code Execution (@iamnoooob, @rootxharsh, @pdresearch) [high] 🔥
False Negatives
- CVE-2025-24813 PUT method not sending data (Issue #11798)
- Hardcoded interact.sh in 178 templates (Issue #11771)
False Positives
- Missing MFA check (Issue #11761)
- CVE-2022-40032 (Issue #11758)
- CVE-2021-40822 (Issue #11119)
- external-service-interaction.yaml (PR #11809)
- internal-ip-disclosure.yaml (PR #11806)
- CVE-2022-40032 (PR #11791)
Enhancements
- CVE-2025-2825.yaml (PR #11839)
- CVE-2025-29927.yaml (PRs #11804, #11820)
- mobsf-apktool-lfi.yaml renamed and updated to CVE-2024-21633.yaml (PR #11805)
- CVE-2020-28351.yaml (PR #11794)
- CVE-2020-2036.yaml (PR #11795)
- oracle-ebs-xss.yaml (PR #11792)
- polyfill-backdoor.yaml (PR #11748)
- craft-cms-detect.yaml (PR #11700)
Bug Fixes
- Fixed Dell iDRAC workflow issue (Issue #10876).
- Fixed GET request handling in CVE-2025-24813 (Issue #11759).
Template Updates
New Templates Added: 78 | CVEs Added: 45 | First-time contributions: 8
- [CVE-2025-30208] Vite - Arbitrary File Read (@v2htw) [medium] 🔥
- [CVE-2025-29927] Next.js Middleware Bypass (@pdresearch, @pdteam, @hazedic) [critical] 🔥
- [CVE-2025-26319] FlowiseAI Flowise <= 2.2.6 - Arbitrary File Upload (@iamnoooob, @rootxharsh, @pdresearch) [high] 🔥
- [CVE-2025-25291] GitLab - SAML Authentication Bypass (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2025-24813] Apache Tomcat Path Equivalence - Remote Code Execution (@iamnoooob, @rootxharsh, @pdresearch, @themiddle) [critical] 🔥
- [CVE-2025-2825] CrushFTP - Authentication Bypass (@parthmalhotra, @Ice3man, @dhiyaneshdk, @pdresearch) [critical] 🔥
- [CVE-2025-2539] File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated Arbitrary File Read (@iamnoooob, @rootxharsh, @pdresearch) [high]
- [CVE-2025-2129] Mage AI - Insecure Default Authentication Setup (@zn9988, @H0j3n) [medium]
- [CVE-2025-1974] Ingress-Nginx Controller - Remote Code Execution (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2025-1661] HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2025-1323] WP-Recall – Plugin <= 16.26.10 - Unauthenticated SQL Injection (@iamnoooob, @rootxharsh, @pdresearch) [high]
- [CVE-2024-57050] TP-LINK WR840N v6 up to 0.9.1 4.16 - Improper Authentication (@dhiyaneshdk) [critical]
- [CVE-2024-57049] TP-Link Archer C20 - Authentication Bypass (@ritikchaddha) [critical]
- [CVE-2024-57046] Netgear DGN2200 - Improper Authentication (@ritikchaddha) [high]
- [CVE-2024-57045] D-Link DIR-859 - Information Disclosure (@ritikchaddha) [critical]
- [CVE-2024-55556] InvoiceShelf <= 1.3.0 - PHP Deserialization (@iamnoooob, @rootxharsh, @pdresearch) [critical]
- [CVE-2024-54767] AVM FRITZ!Box 7530 AX - Unauthorized Access (@dhiyaneshdk) [high]
- [CVE-2024-54764] ipTIME A2004 - Unauthorized Access (@ritikchaddha) [medium]
- [CVE-2024-54763] ipTIME A2004 - Unauthorized Access (@ritikchaddha) [medium]
- [CVE-2024-53991] Discourse Backup File Disclosure Via Default Nginx Configuration (@iamnoooob, @rootxharsh, @pdresearch) [high] 🔥
- [CVE-2024-52763] Ganglia Web Interface (v3.7.3 - v3.7.5) - Cross-Site Scripting (@dhiyaneshdk) [medium]
- [CVE-2024-52762] Ganglia Web Interface (v3.7.3 - v3.7.6) - Cross-Site Scripting (@dhiyaneshdk) [medium]
- [CVE-2024-51378] CyberPanel - Command Injection (@ritikchaddha) [critical] 🔥
- [CVE-2024-30570] Netgear R6850 - Information Disclosure (@ritikchaddha) [medium]
- [CVE-2024-30569] Netgear R6850 - Information Disclosure (@ritikchaddha) [medium]
- [CVE-2024-30568] Netgear R6850 V1.1.0.88 - Command Injection (@ritikchaddha) [critical]
- [CVE-2024-21485] Dash Framework - Cross-site Scripting (@lee Changhyun(eeche)) [medium]
- [CVE-2024-13853] WordPress SEO Tools Plugin 4.0.7 - Cross-Site Scripting (@ritikchaddha) [medium]
- [CVE-2024-13624] WordPress WPMovieLibrary Plugin <= 2.1.4.8 - Cross-Site Scripting (@ritikchaddha) [high]
- [CVE-2024-13496] GamiPress <= 2.8.9 - SQL Injection (@ritikchaddha) [high] 🔥
- [CVE-2024-11740] Download Manager < 3.3.04 - Unauthenticated Arbitrary Shortcode Execution (@iamnoooob, @rootxharsh, @pdresearch) [high]
- [CVE-2024-10783] WordPress Plugin MainWP Child - Authentication Bypass (@sean Murphy, @iamnoooob, @rootxharsh, @pdresearch) [high]
- [CVE-2024-6892] Journyx 11.5.4 - Reflected Cross Site Scripting (@dhiyaneshdk) [medium]
- [CVE-2024-6651] WordPress File Upload Plugin < 4.24.8 - Cross-Site Scripting (@ritikchaddha) [high]
- [CVE-2024-6460] WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion (@ritikchaddha) [critical]
- [CVE-2024-4399] WordPress CAS Theme <= 1.0.0 - Server-Side Request Forgery (@ritikchaddha) [critical]
- [CVE-2024-3080] ASUS DSL-AC88U - Authentication Bypass (@ritikchaddha) [critical]
- [CVE-2024-3032] WordPress Themify Builder < 7.5.8 - Open Redirect (@ritikchaddha) [medium]
- [CVE-2023-49489] KodeExplorer 4.51 - Reflective Cross Site Scripting (XSS) (@dhiyaneshdk) [medium]
- [CVE-2023-31478] GL.iNET SSID Key Disclosure (@dhiyaneshdk) [high]
- [CVE-2023-22952] SugarCRM Unauthenticated - Remote Code Execution (@iamnoooob, @rootxharsh, @pdresearch) [high] 🔥
- [CVE-2023-5974] WordPress WPB Show Core <= 2.2 - Server-Side Request Forgery (@ritikchaddha) [critical]
- [CVE-2023-4284] WordPress Post Timeline Plugin < 2.2.6 - Cross-Site Scripting (@ritikchaddha) [high]
- [CVE-2023-2518] WordPress Easy Forms for Mailchimp Plugin < 6.8.9 - Cross-Site Scripting (@ritikchaddha) [medium]
- [CVE-2023-2256] WordPress Product Addons & Fields for WooCommerce < 32.0.7 - Cross-Site Scripting (@ritikchaddha) [high]
- [CVE-2025-1974-k8s] Ingress-Nginx Controller - Unauthenticated Remote Code Execution (@princechaddha) [critical]
- [CVE-2025-29927-HEADLESS] Next.js Middleware Authorization Bypass (@Ademking) [critical]
- [insecure-powershell-execution-policy] Insecure PowerShell Execution Policy - Detect (@JeonSungHyun[nukunga]) [medium]
- [powershell-script-block-logging-disabled] PowerShell Script Block Logging - Disabled (@JeonSungHyun[nukunga]) [medium]
- [chirpstack-default-login] ChirpStack - Default Login (@t3l3machus) [high]
- [unify-hipath-default-login] Unify HiPath Cordless IP - Default Login (@flx) [high]
- [chirpstack-login] ChirpStack LoRaWAN Detection (@ProjectDiscoveryAI) [info]
- [cisco-webui-login] Cisco Web UI Login - Detect (@drewvravick) [info]
- [dbt-docs-panel] dbt Docs Panel - Detect (@johnk3r) [info]
- [vectoradmin-panel] VectorAdmin Panel - Detect (@s4e-io) [info]
- [xphoneconnect-admin-panel] XPhone Connect Admin Interface - Detect (@flx) [info]
- [dnsmasq-config] Dnsmasq Config - File Disclosure (@dhiyaneshdk) [low]
- [elastic-kibana-config] Elastic Kibana Config - File Disclosure (@dhiyaneshdk) [medium]
- [gunicorn-config-file] Gunicorn Config File - File Disclosure (@dhiyaneshdk) [low]
- [haproxy-config-file] Haproxy Config - File Disclosure (@dhiyaneshdk) [low]
- [icecast-config] Icecast Config - File Disclosure (@dhiyaneshdk) [low]
- [lighttpd-config-file] Lighttpd Config File - File Disclosure (@dhiyaneshdk) [low]
- [log4-properties] Log4j Properties - File Disclosure (@dhiyaneshdk) [low]
- [next-js-config-file] Next JS Config - File Disclosure (@dhiyaneshdk) [low]
- [nuxtjs-config-file] Nuxtjs Config File - File Disclosure (@dhiyaneshdk) [low]
- [vercel-config-file] Vercel Config File - File Disclosure (@dhiyaneshdk) [low]
- [vugex-source-detect] Vugex Framework Source Code - Detect (@ProjectDiscoveryAI, @pdteam) [medium]
- [hashicorp-consul-unauth] Hashicorp Consul API Unauthenticated (@pussycat0x) [medium]
- [basercms-install] baserCMS Installation - Exposure (@ritikchaddha) [critical]
- [kentico-13-auth-bypass-wt-2025-0006] Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0006) (@dhiyaneshdk) [unknown]
- [kentico-13-auth-bypass-wt-2025-0011] Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0011) (@dhiyaneshdk) [unknown]
- [apache-hertzbeat-detect] Apache Hertzbeat - Detect (@icarot) [info]
- [flutter-web-detect] Flutter Web Application - Detect (@incogbyte) [info]
- [oqtane-cms-db] Oqtane CMS Database - Detect (@Masoud Abdaal) [info]
- [drupal7-elfinder-rce] Drupal 7 Elfinder - Remote Code Execution (@1337kro) [critical]
- [netgear-wnr614-auth-bypass] Netgear WNR614 - Improper Authentication (@ritikchaddha) [high]
- [mockoon-lfi] Mockoon <= 9.1.0 - Path Traversal (@iamnoooob, @rootxharsh, @pdresearch) [high]
- [siam-xss] SIAM 2.0 - Cross-Site Scripting (@3th1c_yuk1) [medium]
New Contributors
- @felixsta made their first contribution in #11700
- @isec-easm made their first contribution in #11740
- @MasoudAbdaal made their first contribution in #11728
- @11whoami99 made their first contribution in #11751
- @Ademking made their first contribution in #11789
- @yuligesec made their first contribution in #11804
- @mr-pmillz made their first contribution in #11760
- @v2htw made their first contribution in #11828
Full Changelog: v10.1.5...v10.1.6