github projectdiscovery/nuclei-templates v10.3.3
Nuclei Templates v10.3.3 - Release Notes

New Templates Added: 68 | CVEs Added: 27 | First-time contributions: 11 | Bounties rewarded: 3

🔥 Release Highlights 🔥

  • [CVE-2025-64764] Astro - Reflected XSS via server islands feature (@DhiyaneshDk, @zhero___) [high] 🔥
  • [CVE-2025-61757] Oracle Identity Manager WebService - Auth Bypass (@ritikchaddha) [critical] 🔥 (vKEV)
  • [CVE-2025-58360] GeoServer - XML External Entity Injection (@lbb, @xbow, @darses) [high] 🔥
  • [CVE-2025-49706] Microsoft SharePoint Server - Auth Bypass (@daffainfo) [medium] 🔥 (vKEV)
  • [CVE-2025-27915] Zimbra - XSS (@Snbig, @EhsanCreator, @eliotworkspac-max) [medium] 🔥 (vKEV)
  • [CVE-2025-11833] Post SMTP <= 3.6.0 - Email Log Disclosure (@Kazgangap) [critical] 🔥 (vKEV)
  • [CVE-2022-29081] Zoho ManageEngine - Access Control Bypass (@0xanis) [critical] 🔥 (vKEV)
  • [CVE-2021-34427] Eclipse BIRT Viewer - Remote Code Execution (@us3r777, @Synacktiv) [critical] 🔥
  • [CVE-2021-4462] Employee Records System 1.0 - Unauth File Upload RCE (@josephttd) [critical] 🔥 (vKEV)
  • [CVE-2021-4449] ZoomSounds Plugin - Unauth Arbitrary File Upload (@0xnemian) [critical] 🔥 (vKEV)
  • [CVE-2017-5983] JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - RCE (XXE) (@us3r777, @Synacktiv) [critical] 🔥

What's Changed

💰 Bounties Rewarded 💰

  • CVE-2021-4462 - Employee Records System - Unrestricted File Upload 💰 (Issue #14040).
  • CVE-2022-29081 - Zoho ManageEngine - Access Control Bypass 💰 (Issue #13982).
  • CVE-2021-4449 - ZoomSounds WordPress - Unrestricted File Upload 💰 (Issue #13886).

Bug Fixes

  • Fix CVE-2024-23897 (PR #13608).

False Negatives

  • FIX [FALSE-NEGATIVE] error-logs template fails to detect exposed log files without Content-Type header (PR #14025).
  • chore: remove redundant condition in CVE-2024-9047.yaml (PR #13496).
  • [FALSE-NEGATIVE] error-logs template fails to detect exposed log files without Content-Type header (Issue #13519).
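The error-logs fix above is a general lesson for exposure checks: a response that lacks a Content-Type header, or carries application/octet-stream, is still an exposed log if its body is one. The snippet below is an added Python example written for these notes; it is not the project's error-logs template or any nuclei code. It contrasts a header-gated check with one that keys on the shape of the body, using constructed sample responses and illustrative log-line patterns (the pattern set, the sample lines and the function names are assumptions for the demo, not something taken from the template).

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (assumed shape for the demo)."""
    status: int
    headers: dict
    body: str


# Illustrative log-line shapes (assumed, not the template's matchers):
# PHP error_log, Apache error_log and a generic "timestamp ... LEVEL" line.
LOG_LINE_PATTERNS = [
    re.compile(r"^\[\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}[^\]]*\] PHP "
               r"(Fatal error|Warning|Notice|Parse error)", re.M),
    re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}(\.\d+)? \d{4}\] "
               r"\[[a-z_:]+\]", re.M),
    re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}[^\n]*\b(ERROR|WARN|WARNING|FATAL)\b", re.M),
]
# An HTML document at the top of the body is a page (e.g. a soft 404), not a log.
HTML_MARKER = re.compile(r"<\s*(html|!doctype|body)\b", re.I)


def content_type(resp):
    """Case-insensitive header lookup; empty string when the header is absent."""
    return next((v for k, v in resp.headers.items() if k.lower() == "content-type"), "")


def looks_like_log(body, min_lines=2):
    """True when at least min_lines lines match a known log-line shape."""
    hits = sum(len(pat.findall(body)) for pat in LOG_LINE_PATTERNS)
    return hits >= min_lines


def is_exposed_log(resp):
    """Body-based check: status 200, not an HTML page, body reads as log lines."""
    if resp.status != 200:
        return False
    if HTML_MARKER.search(resp.body[:512]):
        return False
    return looks_like_log(resp.body)


def is_exposed_log_header_gated(resp):
    """The false-negative variant: same body test, but only for text/plain bodies."""
    return content_type(resp).startswith("text/plain") and is_exposed_log(resp)


# Constructed sample bodies (not captured from any real host).
PHP_LOG = (
    "[12-Nov-2025 10:21:33 UTC] PHP Warning:  Undefined variable $x in "
    "/var/www/html/wp-content/themes/x/functions.php on line 12\n"
    "[12-Nov-2025 10:21:34 UTC] PHP Fatal error:  Uncaught Error: Call to undefined "
    "function foo() in /var/www/html/index.php:3\n"
)
APACHE_LOG = (
    "[Sat Nov 15 08:00:01.123456 2025] [core:error] [pid 1234] [client 10.0.0.5:5555] "
    "AH00124: Request exceeded the limit of 10 internal redirects\n"
    "[Sat Nov 15 08:00:02.000001 2025] [php:error] [pid 1234] PHP Parse error: syntax error\n"
)
HTML_404 = "<!DOCTYPE html><html><body><h1>Not Found</h1></body></html>"

SAMPLES = {
    "no-content-type": Response(200, {}, PHP_LOG),
    "octet-stream": Response(200, {"Content-Type": "application/octet-stream"}, APACHE_LOG),
    "text-plain": Response(200, {"content-type": "text/plain; charset=utf-8"}, PHP_LOG),
    "html-page": Response(200, {"Content-Type": "text/html"}, HTML_404),
    "not-found": Response(404, {}, PHP_LOG),
}


def scan(samples=SAMPLES):
    """Return {name: (body_based_verdict, header_gated_verdict)} for each sample."""
    return {name: (is_exposed_log(r), is_exposed_log_header_gated(r))
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (body_based, gated) in scan().items():
        print(f"{name:16s} body-based={body_based!s:5s} header-gated={gated}")
```

Run as-is, the header-gated check misses the first two samples (no Content-Type and application/octet-stream) even though their bodies are plainly logs, which is the class of false negative the PR closes; the body-based check still rejects the HTML page and the 404, so loosening the header condition does not have to mean more noise.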

False Positives

  • Fix FP wp-twenty-theme-fpd.yaml (PR #14048).
  • Fix FP CVE-2020-26948.yaml (PR #13978).

Enhancements

  • Update CVE-2025-58360 (PR #14088).
  • Update unavailable documentation URLs (PR #14075).
  • Refactor the "JITSI" template. (PR #14054).
  • feat: Update Next.js detection (PR #14033).
  • Update CVE-2025-20362 (PR #14016).
  • Enhance Next.js/Vite public env exposure config (PR #14013).
  • Improve CVE-2020-14179 detection with customfield identifier (PR #14007).
  • Updated CVE-2017-9841 with new eval-stdin.php paths (PR #13991).
  • chore: update CVE-2021-39226 (PR #13918).

Templates Added

  • [CVE-2025-64764] Astro - Reflected XSS via server islands feature (@DhiyaneshDk, @zhero___) [high] 🔥
  • [CVE-2025-64525] Astro - Broken Access Control (@zhero___, @DhiyaneshDK) [medium] 🔥
  • [CVE-2025-61757] Oracle Identity Manager REST WebServices - Authentication Bypass (@ritikchaddha) [critical] 🔥 (vKEV)
  • [CVE-2025-58360] GeoServer - XML External Entity Injection (@lbb, @xbow, @darses) [high] 🔥
  • [CVE-2025-55523] Agent-Zero 0.8.0 - 0.9.4 - Arbitrary File Download (@0x_Akoko) [high]
  • [CVE-2025-49706] Microsoft SharePoint Server - Authentication Bypass (@daffainfo) [medium] 🔥 (vKEV)
  • [CVE-2025-27915] Zimbra - Cross-Site Scripting via ICS Files (@Snbig, @EhsanCreator, @eliotworkspac-max) [medium] 🔥 (vKEV)
  • [CVE-2025-13315] Twonky Server 8.5.2 on Linux and Windows - Log File Exposure (@pussycat0x) [critical]
  • [CVE-2025-12055] MPDV Mikrolab GmbH HYDRA X, MIP 2 & FEDRA 2 - Path Traversal (@theamanrawat) [high]
  • [CVE-2025-11833] Post SMTP <= 3.6.0 - Email Log Disclosure (@Kazgangap) [critical] 🔥 (vKEV)
  • [CVE-2025-11700] N-central - XML External Entities Injection (@DhiyaneshDK, @horizon3ai) [high]
  • [CVE-2025-10204] AC Smart II - Authentication Bypass (@theeldruin) [high]
  • [CVE-2025-9316] N-central - Authentication Bypass (@DhiyaneshDK, @horizon3ai) [medium]
  • [CVE-2025-7901] yangzongzhuan RuoYi - DOM Based XSS (@Nikhil Patidar) [medium]
  • [CVE-2024-53995] SickChill - Open Redirect (@omarkurt) [low]
  • [CVE-2024-20404] Cisco Finesse - Server-Side Request Forgery (SSRF) (@0x_Akoko) [medium] 🔥
  • [CVE-2022-29081] Zoho ManageEngine - Access Control Bypass (@0xanis) [critical] 🔥 (vKEV)
  • [CVE-2021-34427] Eclipse BIRT Viewer - Remote Code Execution (@us3r777, @Synacktiv) [critical] 🔥
  • [CVE-2021-4462] Employee Records System 1.0 - Unauthenticated File Upload RCE (@josephttd) [critical] 🔥 (vKEV)
  • [CVE-2021-4449] ZoomSounds Plugin - Unauthenticated Arbitrary File Upload (@0xnemian) [critical] 🔥 (vKEV)
  • [CVE-2019-19825] TOTOLINK/Realtek Routers - CAPTCHA Bypass (@ritikchaddha) [critical]
  • [CVE-2019-19823] TOTOLINK/Realtek Routers - Information Disclosure (@ritikchaddha) [high]
  • [CVE-2019-19822] TOTOLINK/Realtek Routers - Information Disclosure (@ritikchaddha) [high]
  • [CVE-2018-13317] TOTOLINK A3002RU 1.0.8 - Information Disclosure (@ritikchaddha) [medium]
  • [CVE-2017-17092] WordPress < 4.9.1 - Authenticated JavaScript File Upload (@0x_Akoko) [medium]
  • [CVE-2017-14725] WordPress < 4.8.2 - Authenticated Open Redirect (@0x_Akoko) [medium]
  • [CVE-2017-5983] JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE) (@us3r777, @Synacktiv) [critical] 🔥
  • [jquery-cdn-csp-bypass] Content-Security-Policy Bypass - jQuery CDN (@0x_Akoko) [medium]
  • [shai-hulud-supply-chain] Shai Hulud 2.0 - Supply Chain Malware Detection (@princechaddha, @wiz-research) [critical]
  • [traggo-default-login] Traggo - Default Login (@0x_Akoko) [high]
  • [vtigercrm-default-login] Vtiger CRM - Default Login (@icarot) [high]
  • [cluster-trino-panel] Cluster Overview Trino - Panel (@DhiyaneshDk) [info]
  • [vtigercrm-exposed-directory] Vtiger CRM - Exposed Directory (@icarot) [low]
  • [crypto-address-detect] Exposed Cryptocurrency Wallet Address (@rxerium) [info]
  • [aem-anonymous-write] Adobe Experience Manager (AEM) - Anonymous JCR Node Creation (@DhiyaneshDk, @0ang3el) [high]
  • [blackbox-exporter-exposure] Blackbox Exporter - Exposure (@DhiyaneshDk) [high]
  • [cluster-trino-admin-login] Cluster Overview Trino - Admin Login (@DhiyaneshDK) [high]
  • [csp-script-src-wildcard] Content-Security-Policy "script-src" Wildcard Detected (@prithiv) [medium]
  • [memtracker-exposure] MemTracker - Exposure (@DhiyaneshDk) [high]
  • [sharepoint-files-disclosure] Microsoft SharePoint Files Disclosure (@pussycat0x) [info]
  • [sharepoint-layouts-disclosure] Microsoft SharePoint - Layouts Disclosure (@DhiyaneshDk) [low]
  • [sharepoint-masterpage-disclosure] Microsoft SharePoint - Master Page Disclosure (@DhiyaneshDk) [low]
  • [sharepoint-site-metadata-disclosure] Microsoft SharePoint - Site Metadata Disclosure (@0x_Akoko) [low]
  • [sharepoint-sitepages-disclosure] Microsoft SharePoint - Site Pages Disclosure (@pussycat0x) [low]
  • [nginx-status-403-bypass] Nginx Status Page - 403 Bypass (@pussycat0x) [low]
  • [postgresql-cluster-config] PostgreSQL Cluster - Configuration (@DhiyaneshDk) [high]
  • [postrest-api-exposure] PostgREST API Server - Exposure (@DhiyaneshDk) [high]
  • [unauth-akhq-dashboard] AKHQ Dashboard - Unauthenticated Access (@DhiyaneshDk) [high]
  • [unauth-hawkeye-dashboard] Unauth Hawkeye Dashboard - Detect (@DhiyaneshDk) [high]
  • [unauth-kafka-config-editor] Kafka Config Editor - Unauthenticated Access (@DhiyaneshDk) [high]
  • [unauth-phoenix-dashboard] Unauth Phoenix Dashboard - Detect (@DhiyaneshDk) [high]
  • [unauth-qdrantui] Qdrant UI - Unauthenticated Access (@DhiyaneshDk) [high]
  • [unauth-supervisor-dashboard] Unauth Supervisor Dashboard - Detect (@DhiyaneshDk) [high]
  • [agent-zero-detect] Agent-Zero Application - Detect (@0x_Akoko) [info]
  • [cisco-finesse-detect] Cisco Finesse - Detect (@0x_Akoko) [info]
  • [flower-detect] Flower - Detect (@righettod) [info]
  • [sharepoint-web-services-discovery] Microsoft SharePoint - Web Services Discovery (@0x_Akoko) [info]
  • [nostromo-detect] Nostromo Web Server (@Shivam Kamboj) [info]
  • [odoo-detection] Odoo - Detect (@keyboard-slayer) [info]
  • [traggo-server-detect] Traggo Time Tracking Server - Detect (@0x_Akoko) [info]
  • [vtigercrm-detect] Vtiger CRM - Detect (@icarot) [info]
  • [winstone-detect] Winstone Servlet Engine (@Shivam Kamboj) [info]
  • [wp-security-hidden-login-exposure] WordPress All-in-One Security <=4.4.1 - Hidden Login Page Exposure (@theamanrawat) [medium]
  • [wp-twenty-theme-fpd] WordPress Twenty Seventeen - Full Path Disclosure (@DhiyaneshDk) [low]
  • [wp-twentysixteen-fpd] WordPress Twenty Sixteen - Full Path Disclosure (@theamanrawat) [low]
  • [wp-twentytwenty-fpd] WordPress Twenty Twenty Theme - Full Path Disclosure (@0x_Akoko) [info]
  • [functions-php-disclosure] functions.php Full Path Disclosure (@pussycat0x) [low]
  • [yonyou-u9-patchfile-upload] Yonyou U9 PatchFile.asmx - Unauthenticated Arbitrary File Upload (@Co5mos, @ProjectDiscoveryAI) [critical]

Full Changelog: https://github.com/projectdiscovery/nuclei-templates/compare/v10.3.2...v10.3.3
