projectdiscovery/nuclei-templates v10.2.3

Nuclei Templates v10.2.3 - Release Notes

on GitHub

New Templates Added: 105 | CVEs Added: 75 | First-time contributions: 9

🔥 Release Highlights 🔥

• [CVE-2025-49113] Roundcube Webmail - Remote Code Execution (@rootxharsh, @iamnoooob, @pdresearch, @Ademking) [critical] 🔥 (CISA KEV)
• [CVE-2025-47539] Eventin <= 4.0.26 - Privilege Escalation (@pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2025-20188] Cisco IOS XE WLC - Arbitrary File Upload (@iamnoooob, @pdresearch, @dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2025-5086] Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization (@HacktronAI, @iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2025-4322] Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2025-4009] Evertz SDVN 3080ipx-10G - Unauthenticated Arbitrary Command Injection (@Onekey, @iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2025-0107] Palo Alto Networks Expedition - OS Command Injection (@iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2024-10443] Synology BeeStation BST150-4T - Unauthenticated Command Injection (@iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2024-7399] Samsung MagicINFO 9 Server 21.1050.0 - Remote Code Execution (@iamnoooob, @pdresearch) [high] 🔥 (CISA KEV)
• [CVE-2024-0692] SolarWinds Security Event Manager - Unauthenticated RCE (@dhiyaneshdk) [high] 🔥 (CISA KEV)
• [CVE-2023-34990] FortiWLM - Directory Traversal (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2023-25280] D-Link DIR820LA1_FW105B03 'ping_addr' - OS Command Injection (@pussycat0x) [critical] 🔥 (CISA KEV)
• [CVE-2023-2986] Abandoned Cart Lite for WooCommerce - Authentication Bypass (@iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2021-40655] D-Link DIR-605 - Information Disclosure (@dhiyaneshdk) [high] 🔥 (CISA KEV)
• [CVE-2021-27964] SonLogger - Arbitrary File Upload (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2020-29047] WP Hotel Booking < 1.10.4 - PHP Object Injection (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2020-26879] Ruckus vRioT IoT Controller - Authentication Bypass (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2020-12641] Roundcube Webmail - Command Injection (@domwhewell-sage) [critical] 🔥 (CISA KEV)
• [CVE-2020-10987] Tenda AC15 AC1900 version 15.03.05.19 - Command Injection (@pussycat0x) [critical] 🔥 (CISA KEV)
• [CVE-2019-25141] Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2019-13372] D-Link Central WiFi Manager CWM(100) - Remote Code Execution (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2019-9879] WPGraphQL 0.2.3 - User Creation (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2018-17207] WordPress Duplicator Plugin < 1.2.42 - Arbitrary Code Execution (@synacktiv, @iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2017-8046] Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution (@domwhewell-sage) [critical] 🔥 (CISA KEV)

What's Changed

Bug Fixes

• Fixed FN in jupyter-notebooks-exposed.yaml (Issue #12260).

False Negatives

• Improved detection in exposed-mcp-server.yaml (Issue #12269).

False Positives

• Reduced FPs in CVE-2025-24813.yaml (Issue #12332).
• Fixed FP in vscode-launch.yaml for custom 404 pages (Issue #12206).
• Improved matrix-homeserver-detect.yaml to reduce FPs (Issue #12152).
• Enhanced version detect scan to lower FPs (Issue #11698).
• Fixed FP in CVE-2020-0618.yaml due to poor validation (Issue #11498).
• Updated waf-detect:securesphere to filter FPs from OPNSense (Issue #12362).
• Fixed FP in CVE-2025-4009.yaml (Issue #12343).
• Reduced FPs in aspnet-version-detect (Issue #12211).
• Fixed FP in rsync-list-modules.yaml (Issue #12208).
• Lowered FPs for Apache Tomcat (Issue #12143).

Enhancements

• Updated Jenkins default login for newer versions (Issue #12327).
• Improved empirec2-default-login.yaml (Issue #12295).
• Enhanced yealink-default-login.yaml (Issue #12294).
• Updated fortinet-fortigate-panel.yaml (Issue #12275).
• Improved favicon-detect.yaml (Issue #12273).
• Added MCP SSE endpoint detection template (Issue #12268).
• Updated hfs-exposure (Issue #12267).
• Added NGSURVEY login panel detection (Issue #12261).
• Updated versa concerto patch reference (Issue #12227).
• Enhanced CVE-2019-7543.yaml (Issue #12230).
• Improved discord-webhook.yaml (Issue #12224).
• Added WP plugin & theme detection templates (Issue #12203).
• Updated vbulletin-replacead-rce.yaml (Issue #12164).
• Added version extract to sysaid-panel (Issue #12132).
• Enhanced swagger-api.yaml (Issue #12091).
• Updated phpwind-installer.yaml (Issue #12046).

Templates Added

• [CVE-2025-49113] Roundcube Webmail - Remote Code Execution (@rootxharsh, @iamnoooob, @pdresearch, @Ademking) [critical] 🔥 (CISA KEV)
• [CVE-2025-47539] Eventin <= 4.0.26 - Privilege Escalation (@pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2025-46822] Java-springboot-codebase 1.1 - Arbitrary File Read (@haliteroglu25) [high]
• [CVE-2025-27134] Joplin 3.3.3 Server - Privilege Escalation (@zonia3000) [high]
• [CVE-2025-20188] Cisco IOS XE WLC - Arbitrary File Upload (@iamnoooob, @pdresearch, @dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2025-5086] Dassault Systèmes DELMIA Apriso (up to 2025) - Insecure Deserialization (@HacktronAI, @iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2025-4322] Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2025-4009] Evertz SDVN 3080ipx-10G - Unauthenticated Arbitrary Command Injection (@Onekey, @iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2025-4008] MeteoBridge <= 6.1 - Remote Code Execution (@iamnoooob, @pdresearch) [high]
• [CVE-2025-0674] Elber ESE DVB-S/S2 - Authentication Bypass (@dhiyaneshdk) [critical]
• [CVE-2025-0133] PAN-OS - Reflected Cross-Site Scripting (@xbow, @dhiyaneshdk) [medium]
• [CVE-2025-0107] Palo Alto Networks Expedition - OS Command Injection (@iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2024-51211] openSIS Classic v9.1 - SQL Injection (@haliteroglu) [critical]
• [CVE-2024-47073] DataEase v2.10.2 - JWT Signature Verification Bypass (@iamnoooob, @pdresearch) [critical]
• [CVE-2024-36858] Jan v0.4.12 - Arbitrary File Upload (@pussycat0x) [critical]
• [CVE-2024-33559] WordPress XStore Theme - SQL Injection (@haliteroglu) [critical]
• [CVE-2024-30163] IPS Community Suite - Unauthenticated SQL Injection (@ritikchaddha) [critical]
• [CVE-2024-24329] TotoLink Router setPortForwardRules - Command Injection (@pussycat0x) [critical]
• [CVE-2024-24328] TotoLink Router setMacFilterRules - Command Injection (@pussycat0x) [critical]
• [CVE-2024-22729] Netis MW5360 V1.0.1.3031 - Command Injection (@pussycat0x) [critical]
• [CVE-2024-10571] Chartify – WordPress Chart Plugin < 2.9.6 - Local File Inclusion (@iamnoooob, @pdresearch) [critical]
• [CVE-2024-10443] Synology BeeStation BST150-4T - Unauthenticated Command Injection (@iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2024-9916] HuangDou UTCMS V9 - OS Command Injection (@iamnoooob, @pdresearch) [high]
• [CVE-2024-9707] Hunk Companion <= 1.8.4 - Arbitrary Plugin Installation (@dhiyaneshdk) [critical]
• [CVE-2024-7399] Samsung MagicINFO 9 Server 21.1050.0 - Remote Code Execution (@iamnoooob, @pdresearch) [high] 🔥 (CISA KEV)
• [CVE-2024-4620] ArForms < 6.6 - Remote Code Execution (@iamnoooob, @pdresearch) [critical]
• [CVE-2024-2667] InstaWP Connect <= 0.1.0.22 - Unauthenticated Arbitrary File Upload (@dhiyaneshdk) [critical]
• [CVE-2024-0692] SolarWinds Security Event Manager - Unauthenticated RCE (@dhiyaneshdk) [high] 🔥 (CISA KEV)
• [CVE-2023-38950] ZKTeco BioTime v8.5.5 - Path Traversal (@iamnoooob, @pdresearch) [high]
• [CVE-2023-38879] openSIS v9.0 - Path Traversal (@haliteroglu) [high]
• [CVE-2023-34990] FortiWLM - Directory Traversal (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2023-30192] PrestaShop 'possearchproducts' <= 1.7 - SQL Injection (@mastercho) [critical]
• [CVE-2023-27638] tshirtecommerce PrestaShop Module - SQL Injection (@ritikchaddha) [high]
• [CVE-2023-27637] PrestaShop tshirtecommerce Module - SQL Injection (@ritikchaddha) [critical]
• [CVE-2023-26802] DCBI-Netlog-LAB v1.0 - Command Injection (@pussycat0x) [critical]
• [CVE-2023-25280] D-Link DIR820LA1_FW105B03 'ping_addr' - OS Command Injection (@pussycat0x) [critical] 🔥 (CISA KEV)
• [CVE-2023-4136] CrafterCMS Engine - Cross-Site Scripting (@ritikchaddha) [medium]
• [CVE-2023-3722] Avaya Aura Device Services - OS Command Injection (@iamnoooob, @pdresearch) [high]
• [CVE-2023-2986] Abandoned Cart Lite for WooCommerce - Auth Bypass (@iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2022-45699] APsystems ECU-R Firmware - Command Injection (@pussycat0x) [critical]
• [CVE-2022-37061] FLIR AX8 1.46.16 - Remote Command Injection (@ritikchaddha) [critical]
• [CVE-2022-25061] TP-Link TL-WR840N - Command Injection (@ritikchaddha) [critical]
• [CVE-2022-1026] Kyocera Net View Address Book Exposure (@dhiyaneshdk) [high]
• [CVE-2022-0783] Multiple Shipping Address Woocommerce < 2.0 - SQL Injection (@ritikchaddha) [high]
• [CVE-2021-40655] D-Link DIR-605 - Information Disclosure (@dhiyaneshdk) [high] 🔥 (CISA KEV)
• [CVE-2021-39341] OptinMonster Plugin < 2.6.5 - Unprotected REST-API (@iamnoooob, @pdresearch) [high]
• [CVE-2021-34187] Chamilo model.ajax.php - SQL Injection (@dhiyaneshdk) [critical]
• [CVE-2021-33558] Boa 0.94.13 - Information Disclosure (@dhiyaneshdk) [high]
• [CVE-2021-27964] SonLogger - Arbitrary File Upload (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2021-26599] ImpressCMS < 1.4.3 - SQL Injection (@ritikchaddha) [high]
• [CVE-2021-25032] PublishPress Capabilities < 2.3.1 - Missing Authorization (@ritikchaddha) [critical]
• [CVE-2021-24522] ProfilePress < 3.1.11 - Cross-Site Scripting (@ritikchaddha) [medium]
• [CVE-2020-36728] WordPress Plugin Adning Advertising < 1.5.6 - Arbitrary File Upload (@iamnoooob, @pdresearch) [medium]
• [CVE-2020-35131] Cockpit CMS 0.6.1 - Remote Code Execution (@dhiyaneshdk) [critical]
• [CVE-2020-29047] WP Hotel Booking < 1.10.4 - PHP Object Injection (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2020-26879] Ruckus vRioT IoT Controller - Authentication Bypass (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2020-24285] INTELBRAS TELEFONE IP TIP200 60.61.75.22 - Local File Inclusion (@ritikchaddha) [high]
• [CVE-2020-13886] Intelbras TIP 200/200 LITE/300 - Local File Inclusion (@ritikchaddha) [high]
• [CVE-2020-12641] Roundcube Webmail - Command Injection (@domwhewell-sage) [critical] 🔥 (CISA KEV)
• [CVE-2020-12262] Intelbras TIP200/TIP200LITE/TIP300 - Cross-Site Scripting (@ritikchaddha) [medium]
• [CVE-2020-10987] Tenda AC15 AC1900 version 15.03.05.19 - Command Injection (@pussycat0x) [critical] 🔥 (CISA KEV)
• [CVE-2020-5766] SRS Simple Hits Counter 1.0.3-1.0.4 - Unauthenticated Blind SQL Injection (@dhiyaneshdk) [high]
• [CVE-2019-25141] Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2019-13372] D-Link Central WiFi Manager CWM(100) - Remote Code Execution (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2019-9879] WPGraphQL 0.2.3 - User Creation (@dhiyaneshdk) [critical] 🔥 (CISA KEV)
• [CVE-2019-9762] PHPSHE 1.7 - SQL Injection (@dhiyaneshdk) [critical]
• [CVE-2019-9757] LabKey Server 19.1.0 - XML External Entity (XXE) (@ritikchaddha) [high]
• [CVE-2018-17207] WordPress Duplicator Plugin < 1.2.42 - Arbitrary Code Execution (@synacktiv, @iamnoooob, @pdresearch) [critical] 🔥 (CISA KEV)
• [CVE-2018-12455] Intelbras NPLUG 1.0.0.14 - Authentication Bypass (@ritikchaddha) [critical]
• [CVE-2018-11133] Quest KACE SMA /common/run_cross_report.php 'fmt' XSS (@iamnoooob, @pdresearch) [medium]
• [CVE-2018-8024] Apache Spark UI - Cross-Site Scripting (@ritikchaddha) [medium]
• [CVE-2017-14942] Intelbras WRN 150 - Authentication Bypass (@ritikchaddha) [critical]
• [CVE-2017-8046] Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution (@domwhewell-sage) [critical] 🔥 (CISA KEV)
• [CVE-2015-9499] WordPress ShowBiz Pro <= 1.7.1 - Authenticated Arbitrary File Upload to RCE (@iamnoooob, @pdresearch) [critical]
• [CVE-2014-9735] WordPress RevSlider - Remote Code Execution via File Upload (@iamnoooob, @pdresearch) [high]
• [ssh-gssapiauthentication-disabled] sshd GSSAPIAuthentication - Disabled (@Th3l0newolf) [low]
• [ssh-hostbasedauth-disabled] Ensure SSH HostbasedAuthentication - Disabled (@Th3l0newolf) [high]
• [get-stored-credentials-cmdkey] Get Stored Credentials - cmdkey (@pussycat0x) [high]
• [android-minsdk-21] AndroidManifest.xml minSdkVersion Set to 21 (Insecure Minimum SDK Version) (@Th3l0newolf) [medium]
• [apc-nmc-default-login] Schneider Electric APC NMC - Default Login (@x-stp) [high]
• [joplin-default-login] Joplin - Default Login (@pussycat0x) [high]
• [rocketlms-default-login] Rocket LMS - Default Login (@hamad501) [high]
• [apex-central-panel] TrendMicro Apex Central Login - Panel (@darses) [info]
• [cisco-ise-admin-panel] Cisco ISE Admin Login Panel - Detect (@bhutch) [info]
• [fortirecorder-panel] FortiRecorder Panel - Detect (@rxerium) [info]
• [joplin-panel] Joplin Server Login - Panel (@pussycat0x) [info]
• [mattermost-panel] Mattermost Login - Panel (@darses) [info]
• [nextcloudpi-panel] NextcloudPi Login - Panel (@ritikchaddha) [info]
• [ngsurvey-panel] ngSurvey Login Panel - Detect (@righettod) [info]
• [prestashop-admin-panel] Prestashop Admin Login Panel - Detect (@mastercho) [info]
• [usergate-ngfw-admin-panel] UserGate NGFW/UTM Admin Panel - Detect (@darses) [info]
• [manageengine-exchangereporter] ZOHO ManageEngine Exchange Reporter Plus Panel - Detect (@darses) [info]
• [exposed-mcp-sse-server] MCP SSE API Exposed - Detect (@domwhewell-sage) [unknown]
• [traefik-api-enabled] Traefik API - enabled (@dhiyaneshdk) [low]
• [starnet-dmb-bs-ftp-credentials-disclosure] StarNet DMB-BS - FTP Credentials Disclosure (@brucelsone) [medium]
• [assetlinks-detect] Android Asset Links Configuration - Detect (@rxerium) [info]
• [keybase-domain-owwnership-verification] Keybase Domain Ownership Verification (@rxerium) [info]
• [apachespark-ui-exposed] Apache Spark Application UI - Exposed (@ritikchaddha) [medium]
• [bigant-db-install] Bigant DataBase - Exposed Installation (@pussycat0x) [high]
• [nextcloudpi-dashboard] NextcloudPi Dashboard - Exposed (@ritikchaddha) [high]
• [simatic-dashboard-exposed] Siemens SIMATIC 300 Dashboard - Exposed (@Th3l0newolf) [high]
• [topdesk-detect] TOPdesk - Detect (@darses) [info]
• [wordpress-plugin-detect] Wordpress Plugin Detection (@s4e-io) [info]
• [wordpress-theme-detect] Wordpress Theme Detection (@s4e-io) [info]
• [raisecom-rce] Raisecom Gateway vpn_template_style.php - Remote Command Execution (@3th1c_yuk1) [critical]

New Contributors

• @haliteroglu25 made their first contribution in #12162
• @fatzombi made their first contribution in #12188
• @Chocapikk made their first contribution in #12164
• @hamad501 made their first contribution in #12205
• @apapedulimu made their first contribution in #12224
• @p0c666 made their first contribution in #12046
• @x-stp made their first contribution in #12178
• @zonia3000 made their first contribution in #12032
• @hdm made their first contribution in #12327

Full Changelog: v10.2.2...v10.2.3