Nuclei Templates v10.2.8 - Release Notes


New Templates Added: 114 | CVEs Added: 33 | First-time contributions: 17

What's Changed

Bug Fixes

  • Fixed matchers words in CVE-2000-0114.yaml (PR #13026).
  • Fixed apache-rocketmq-broker-unauth.yaml false positive (PR #12942).
  • Fixed false positive in composer-config.yaml (PR #12900).
  • Fixed typo in CVE-2024-36104.yaml (PR #12898).
  • Removed the name field from the extractor section of the grafana-detect template (PR #12911).

False Negatives

  • Fixed swagger-api.yaml to reduce underreporting (Issue #12764).

False Positives

  • Reduced false positives in composer-config.yaml (Issue #12863).
  • Fixed false positives in CVE-2022-24493 template (PR #12966).
  • Fixed false positives in wordpress-vulnerability-assessment (PR #12954).
  • Multiple false positives reported and addressed (Issue #12956).

Enhancements

  • Added Nuclei Templates v10.2.8 Release Prep (PR #13046).
  • Updated KEV Tags (PR #12999).
  • Added comprehensive template creation and review guides (PR #12935).
  • Enhanced detection capabilities in multiple CVE templates.
  • Added new detection templates for various services including Meshery, Bugzilla, AEM Forms, and others.
  • Created multiple CVE templates for new vulnerabilities (CVE-2025-53677, CVE-2025-3515, CVE-2025-25231, etc.).
  • Updated protocol syntax and deprecated templates.
  • Added changes to the Linux Audit Templates directory.
  • Enhanced TFTP detection with additional matchers.

Templates Added

  • [CVE-2025-57789] Commvault Initial Administrator Login Process Vulnerability (@dhiyaneshdk, @watchtowr) [medium]
  • [CVE-2025-57788] Commvault Unauthenticated Password Disclosure (WT-2025-0047) (@dhiyaneshdk, @iamnoooob, @pdresearch, @watchtowr) [medium]
  • [CVE-2025-55169] WeGIA - Directory Traversal (@praivesi) [critical]
  • [CVE-2025-54589] Copyparty <=1.18.6 - Cross-Site Scripting (@s-cu-bot) [medium]
  • [CVE-2025-54309] CrushFTP - Authentication Bypass Race Condition (@pussycat0x, @watchtowr, @dhiyaneshdk) [critical] 🔥 (kev) (vKEV)
  • [CVE-2025-54125] XWiki XML View - Sensitive Information Exposure (@ritikchaddha) [high] 🔥
  • [CVE-2025-53364] Parse Server - GraphQL Schema Information Disclosure (@securitytaters) [medium] 🔥
  • [CVE-2025-51502] Microweber CMS 2.0 - Reflected XSS in Admin Page Creation (@nukunga) [medium] 🔥
  • [CVE-2025-51501] Microweber CMS2.0 - Cross-Site Scripting (@nukunga) [medium] 🔥
  • [CVE-2025-46554] XWiki REST API - Attachments Disclosure (@ritikchaddha) [high] 🔥
  • [CVE-2025-34152] Shenzhen Aitemi M300 Wi-Fi Repeater – Unauthenticated Remote Command Execution via time Parameter (@Chocapikk, @dhiyaneshdk) [critical]
  • [CVE-2025-34073] Maltrail <=0.54 Username Parameter - Remote Command Execution (@SeungAh-Hong) [critical] 🔥
  • [CVE-2025-34035] EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution (@intelligent-ears) [critical]
  • [CVE-2025-32970] XWiki WYSIWYG API - Open Redirect (@ritikchaddha) [medium] 🔥
  • [CVE-2025-32969] XWiki REST API Query - SQL Injection (@ritikchaddha) [critical] 🔥
  • [CVE-2025-32430] XWiki Platform - Cross-Site Scripting (@ritikchaddha) [medium] 🔥
  • [CVE-2025-29925] XWiki REST API - Private Pages Disclosure (@ritikchaddha) [high] 🔥
  • [CVE-2025-28906] Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting (@nblirwn) [medium]
  • [CVE-2025-27888] Apache Druid - Server-Side Request Forgery (@xbow, @dhiyaneshdk) [high] 🔥
  • [CVE-2025-25256] Fortinet FortiSIEM - OS Command Injection (@watchtowr, @darses) [critical] 🔥 (kev) (vKEV)
  • [CVE-2025-25231] Omnissa Workspace ONE UEM - Path Traversal (@dhiyaneshdk, @slcyber) [high]
  • [CVE-2025-22457] Ivanti Connect Secure - Stack-based Buffer Overflow (@s4e-io) [critical] 🔥 (kev) (vKEV)
  • [CVE-2025-6934] The Opal Estate Pro – Property Management <= 1.7.5 - Unauthenticated Privilege Escalation (@pussycat0x) [critical]
  • [CVE-2025-4632] Samsung MagicINFO 9 Server - File Upload & Remote Code Execution (@s4e-io) [critical] 🔥 (kev) (vKEV)
  • [CVE-2025-1562] Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control (@s4e-io) [critical]
  • [CVE-2023-37988] Contact Form Generator <= 2.5.5 - Cross-Site Scripting (@0xr2r, @vats147) [medium] 🔥
  • [CVE-2023-27163] Request-Baskets <= 1.2.1 - Server Side Request Forgery (@Jaenact) [medium]
  • [CVE-2023-1893] Login Configurator <=2.1 - Cross-Site Scripting (@0xr2r) [medium]
  • [CVE-2020-36708] WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution (@madrobot) [critical] 🔥 (kev) (vKEV)
  • [CVE-2020-11975] Apache Unomi - Remote Code Execution (@Sourabh-Sahu) [critical] 🔥 (kev) (vKEV)
  • [CVE-2018-19127] PHPCMS 2008 - Remote Code Execution via Template Injection (@tomaquet18) [critical]
  • [CVE-2018-7841] Schneider Electric U.motion Builder - Remote Code Execution (@darses, @rcesecurity) [critical]
  • [CVE-2018-0171] Cisco Smart Install - Configuration Download (@ritikchaddha) [critical] 🔥 (kev) (vKEV)
  • [autofs-service] Ensure autofs Service is Not Installed (@Th3l0newolf) [info]
  • [avahi-daemon] Ensure Avahi Daemon Service is Not Installed (@Th3l0newolf) [info]
  • [dhcp-server] Ensure DHCP Server Service is Not Installed (@Th3l0newolf) [info]
  • [dns-server] Ensure DNS Server Service is Not Installed (@Th3l0newolf) [info]
  • [dns-zone-transfer-any] DNS Zone Transfer Allowed to Any Host (@songyaeji) [high]
  • [dnsmasq-service] Ensure dnsmasq Service is Not Installed (@Th3l0newolf) [info]
  • [etc-services-permission-check] /etc/services Permission Check (@songyaeji) [high]
  • [finger-service-enabled] Linux Finger Should Be Disabled (@songyaeji) [high]
  • [ftp-client] Ensure FTP Client is Not Installed (@Th3l0newolf) [info]
  • [ftp-server] Ensure FTP Server Service is Not Installed (@Th3l0newolf) [info]
  • [home-env-permission] User Home Directory and Shell Environment File Ownership & Permission (@songyaeji) [medium]
  • [inactive-password-lock-default] Ensure Inactive Password Lock is Configured (Default Setting) (@Th3l0newolf) [high]
  • [ldap-client] Ensure LDAP Client is Not Installed (@Th3l0newolf) [info]
  • [ldap-server] Ensure LDAP Server Service is Not Installed (@Th3l0newolf) [info]
  • [linux-account-lockout-threshold] Linux Account Lockout Threshold Check (@songyaeji) [high]
  • [linux-anonymous-ftp-enabled] Linux Anonymous FTP Access Enabled (@songyaeji) [high]
  • [linux-automountd-enabled] Automountd Service Enabled (@songyaeji) [medium]
  • [linux-cron-permissions-check] Cron Access File Ownership & Permissions (@songyaeji) [high]
  • [linux-legacy-services-enabled] DoS Vulnerable Service Enabled (@songyaeji) [high]
  • [linux-nis-service] NIS Service Should Be Disabled (@songyaeji) [high]
  • [linux-nisplus-service] NIS+ Service Should Be Disabled (@songyaeji) [high]
  • [linux-rexec-service] rexec Service Should Be Disabled (@songyaeji) [high]
  • [linux-rhosts-hostsequiv-misconfig] Rhosts and Hosts.equiv Misconfiguration Check (@songyaeji) [high]
  • [linux-rlogin-service] rlogin Service Should Be Disabled (@songyaeji) [high]
  • [linux-root-remote-login] Linux Root Remote Login Enabled - Misconfig (@songyaeji) [high]
  • [linux-rsh-service] rsh Service Should Be Disabled (@songyaeji) [high]
  • [linux-world-writable-file] Linux World-Writable File Permission (@songyaeji) [high]
  • [message-access-server] Ensure Message Access Server Service is Not Installed (@Th3l0newolf) [info]
  • [nfs-daemon-service] NFS Service Daemon Should Be Disabled (@songyaeji) [high]
  • [nfs-insecure-exports] NFS Insecure Exports Check (@songyaeji) [high]
  • [nis-client] Ensure NIS Client is Not Installed (@Th3l0newolf) [info]
  • [password-expiration] Ensure Password Expiration is Configured (@Th3l0newolf) [medium]
  • [password-min-days] Ensure Minimum Password Days is Configured (@Th3l0newolf) [medium]
  • [password-warn-age] Ensure Password Expiration Warning Days is Configured (@Th3l0newolf) [medium]
  • [root-path-dot] Root PATH Contains Current Directory (@songyaeji) [high]
  • [rpc-enabled] Unnecessary RPC Service (rstatd) Enabled (@songyaeji) [high]
  • [rsh-client] Ensure rsh Client is Not Installed (@Th3l0newolf) [info]
  • [rw-hosts-file] /etc/hosts File Read/Write Check (@songyaeji) [high]
  • [sendmail-postfix-execution-restrictions] Sendmail/Postfix Execution Restrictions Misconfigured (@songyaeji) [medium]
  • [smtp-open-relay] Linux SMTP Open Relay Misconfigured (@songyaeji) [high]
  • [strong-password-hashing] Ensure Strong Password Hashing Algorithm is Configured (@Th3l0newolf) [high]
  • [suid-sgid] Root SUID/SGID File Check (@songyaeji) [high]
  • [syslog-rsyslog-permission] /etc/syslog and /etc/rsyslog.conf Permission Check (@songyaeji) [high]
  • [talk-client] Ensure Talk Client is Not Installed (@Th3l0newolf) [info]
  • [tcpwrapper-access] TCP Wrapper Access Control Check (@songyaeji) [low]
  • [telnet-client] Ensure Telnet Client is Not Installed (@Th3l0newolf) [info]
  • [tftp-service-enabled] TFTP Service Should Be Disabled (@songyaeji) [info]
  • [weak-password-complexity] Linux Password Complexity Not Enforced (@songyaeji) [high]
  • [writable-xinetdconf] /etc/(x)inetd.conf Permission Check (@songyaeji) [high]
  • [openrouter-key] OpenRouter API Key (@mmqnym) [info]
  • [atlona-default-login] Atlona AT-OME-MS42 - Default Login (@matejsmycka) [high]
  • [openplc-default-login] OpenPLC Webserver v3 - Default Login (@machevalia) [high]
  • [pensando-default-login] AMD Pensando PSM - Default Login (@tpierru) [high]
  • [aem-forms-panel] Adobe Experience Manager Forms - Panel (@darses) [info]
  • [espec-web-controller-panel] Espec Web Controller - Panel (@darses) [info]
  • [huawei-holosense-panel] Huawei HoloSens SDC - Panel (@darses) [info]
  • [hyperdx-panel] HyperDX Panel - Detect (@righettod) [info]
  • [magicinfo-panel] Samsung MagicINFO Panel - Detect (@s4e-io) [info]
  • [zammad-helpdesk-panel] Zammad Helpdesk Panel - Detect (@righettod) [info]
  • [zipline-panel] Diced Zipline - Detect (@icarot) [info]
  • [bugzilla-config] Bugzilla - Config Exposed (@icarot) [low]
  • [magicinfo-config-file] Samsung MagicINFO Configuration File (@s4e-io) [info]
  • [python-venv-exposure] Python Virtual Environment Directory Exposure (@a1baradi) [info]
  • [atproto-did-exposure] Well-Known ATProto DID (@rxerium) [info]
  • [mta-sts-exposure] Well-Known MTA-STS Policy (@rxerium) [info]
  • [nostr-json-exposure] Well-Known Nostr JSON (@rxerium) [info]
  • [oauth-authorization-server-exposure] Well-Known OAuth Authorization Server Metadata (@rxeriums) [info]
  • [pki-validation-exposure] Well-Known PKI Validation Directory (@rxerium) [info]
  • [microweber-install] Microweber Exposed Installation - Detected (@pussycat0x) [high]
  • [mapproxy-file-read] MapProxy - Local File Inclusion (@xbow, @dhiyaneshdk) [high]
  • [anonymous-distribution-point-sccm] Microsoft SCCM - Anonymous Distribution Point Access (@matejsmycka) [medium]
  • [portal-api-ssrf] Portal API - Server Side Request Forgery (@ishowtess) [high]
  • [bugzilla-detect] Bugzilla - Detect (@icarot) [info]
  • [meshery-detect] Meshery - Detect (@righettod) [info]
  • [nvidia-triton-detect] Triton Inference Server - Detect (@mailler0xa) [info]
  • [roadiz-cms-detect] Roadiz CMS - Detect (@righettod) [info]
  • [ajp-protocol-detect] AJP Protocol Detection (@pussycat0x) [info]
  • [echo-detect] Echo Protocol Detect (@pussycat0x) [info]
  • [afp-server-detect] AFP Server Detect (@pussycat0x) [info]
  • [nfs-v3-exposed] NFSv3 Exposed (@johnk3r) [info]
  • [checkmk-info-disclosure] Checkmk Agent Info Disclosure (@ivaldivieso) [medium]

Full Changelog: v10.2.7...v10.2.8
