projectdiscovery/nuclei-templates v10.3.4

Nuclei Templates v10.3.4 - Release Notes

on GitHub

New Templates Added: 68 | CVEs Added: 27 | First-time contributions: 11 | Bounties rewarded: 3

🔥 Release Highlights 🔥

• [CVE-2025-64764] Astro - Reflected XSS via server islands feature (@dhiyaneshdk, @zhero___) [high] 🔥
• [CVE-2025-61757] Oracle Identity Manager WebService - Auth Bypass (@ritikchaddha) [critical] 🔥 (vKEV)
• [CVE-2025-58360] GeoServer - XML External Entity Injection (@lbb, @xbow, @darses) [high] 🔥
• [CVE-2025-49706] Microsoft SharePoint Server - Auth Bypass (@daffainfo) [medium] 🔥 (vKEV)
• [CVE-2025-27915] Zimbra - XSS (@Snbig, @EhsanCreator, @eliotworkspac-max) [medium] 🔥 (vKEV)
• [CVE-2025-11833] Post SMTP <= 3.6.0 - Email Log Disclosure (@Kazgangap) [critical] 🔥 (vKEV)
• [CVE-2022-29081] Zoho ManageEngine - Access Control Bypass (@0xanis) [critical] 🔥 (vKEV)
• [CVE-2021-34427] Eclipse BIRT Viewer - Remote Code Execution (@us3r777, @synacktiv) [critical] 🔥
• [CVE-2021-4462] Employee Records System 1.0 - Unauth File Upload RCE (@JosephTTD) [critical] 🔥 (vKEV)
• [CVE-2021-4449] ZoomSounds Plugin - Unauth Arbitrary File Upload (@0xnemian) [critical] 🔥 (vKEV)
• [CVE-2017-5983] JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - RCE (XXE) (@us3r777, @synacktiv) [critical] 🔥

What's Changed

💰 Bounties Rewarded 💰

• CVE-2021-4462 - Employee Records System - Unrestricted File Upload 💰 (Issue #14040).
• CVE-2022-29081 - Zoho ManageEngine - Access Control Bypass 💰 (Issue #13982).
• CVE-2021-4449 - ZoomSounds WordPress - Unrestricted File Upload 💰 (Issue #13886).

Bug Fixes

• Fix CVE-2024-23897 (PR #13608).

False Negatives

• FIX [FALSE-NEGATIVE] error-logs template fails to detect exposed log files without Content-Type header (PR #14025).
• chore: remove redundant condition in CVE-2024-9047.yaml (PR #13496).
• [FALSE-NEGATIVE] error-logs template fails to detect exposed log files without Content-Type header (Issue #13519).

False Positives

• Fix FP wp-twenty-theme-fpd.yaml (PR #14048).
• Fix FP CVE-2020-26948.yaml (PR #13978).

Enhancements

• Update CVE-2025-58360 (PR #14088).
• Update unavailable documentation URLs (PR #14075).
• Refactor the "JITSI" template. (PR #14054).
• feat: Update Next.js detection (PR #14033).
• Update CVE-2025-20362 (PR #14016).
• Enhance Next.js/Vite public env exposure config (PR #14013).
• Improve CVE-2020-14179 detection with customfield identifier (PR #14007).
• Updated CVE-2017-9841 with new eval-stdin.php paths (PR #13991).
• chore: update CVE-2021-39226 (PR #13918).

Templates Added

• [CVE-2025-64764] Astro - Reflected XSS via server islands feature (@dhiyaneshdk, @zhero___) [high] 🔥
• [CVE-2025-64525] Astro - Broken Access Control (@zhero___, @dhiyaneshdk) [medium] 🔥
• [CVE-2025-61757] Oracle Identity Manager REST WebServices - Authentication Bypass (@ritikchaddha) [critical] 🔥 (vKEV)
• [CVE-2025-58360] GeoServer - XML External Entity Injection (@lbb, @xbow, @darses) [high] 🔥
• [CVE-2025-55523] Agent-Zero 0.8.0 - 0.9.4 - Arbitrary File Download (@0x_Akoko) [high]
• [CVE-2025-49706] Microsoft SharePoint Server - Authentication Bypass (@daffainfo) [medium] 🔥 (vKEV)
• [CVE-2025-27915] Zimbra - Cross-Site Scripting via ICS Files (@Snbig, @EhsanCreator, @eliotworkspac-max) [medium] 🔥 (vKEV)
• [CVE-2025-13315] Twonky Server 8.5.2 on Linux and Windows - Log File Exposure (@pussycat0x) [critical]
• [CVE-2025-12055] MPDV Mikrolab GmbH HYDRA X, MIP 2 & FEDRA 2 - Path Traversal (@theamanrawat) [high]
• [CVE-2025-11833] Post SMTP <= 3.6.0 - Email Log Disclosure (@Kazgangap) [critical] 🔥 (vKEV)
• [CVE-2025-11700] N-central - XML External Entities Injection (@dhiyaneshdk, @horizon3ai) [high]
• [CVE-2025-10204] AC Smart II - Authentication Bypass (@theeldruin) [high]
• [CVE-2025-9316] N-central - Authentication Bypass (@dhiyaneshdk, @horizon3ai) [medium]
• [CVE-2025-7901] yangzongzhuan RuoYi - DOM Based XSS (@nikhil Patidar) [medium]
• [CVE-2024-53995] SickChill - Open Redirect (@omarkurt) [low]
• [CVE-2024-20404] Cisco Finesse - Server-Side Request Forgery (SSRF) (@0x_Akoko) [medium] 🔥
• [CVE-2022-29081] Zoho ManageEngine - Access Control Bypass (@0xanis) [critical] 🔥 (vKEV)
• [CVE-2021-34427] Eclipse BIRT Viewer - Remote Code Execution (@us3r777, @synacktiv) [critical] 🔥
• [CVE-2021-4462] Employee Records System 1.0 - Unauthenticated File Upload RCE (@JosephTTD) [critical] 🔥 (vKEV)
• [CVE-2021-4449] ZoomSounds Plugin - Unauthenticated Arbitrary File Upload (@0xnemian) [critical] 🔥 (vKEV)
• [CVE-2019-19825] TOTOLINK/Realtek Routers - CAPTCHA Bypass (@ritikchaddha) [critical]
• [CVE-2019-19823] TOTOLINK/Realtek Routers - Information Disclosure (@ritikchaddha) [high]
• [CVE-2019-19822] TOTOLINK/Realtek Routers - Information Disclosure (@ritikchaddha) [high]
• [CVE-2018-13317] TOTOLINK A3002RU 1.0.8 - Information Disclosure (@ritikchaddha) [medium]
• [CVE-2017-17092] WordPress < 4.9.1 - Authenticated JavaScript File Upload (@0x_Akoko) [medium]
• [CVE-2017-14725] WordPress < 4.8.2 - Authenticated Open Redirect (@0x_Akoko) [medium]
• [CVE-2017-5983] JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE) (@us3r777, @synacktiv) [critical] 🔥
• [jquery-cdn-csp-bypass] Content-Security-Policy Bypass - jQuery CDN (@0x_Akoko) [medium]
• [shai-hulud-supply-chain] Shai Hulud 2.0 - Supply Chain Malware Detection (@princechaddha, @wiz-research) [critical]
• [traggo-default-login] Traggo - Default Login (@0x_Akoko) [high]
• [vtigercrm-default-login] Vtiger CRM - Default Login (@icarot) [high]
• [cluster-trino-panel] Cluster Overview Trino - Panel (@dhiyaneshdk) [info]
• [vtigercrm-exposed-directory] Vtiger CRM - Exposed Directory (@icarot) [low]
• [crypto-address-detect] Exposed Cryptocurrency Wallet Address (@rxerium) [info]
• [aem-anonymous-write] Adobe Experience Manager (AEM) - Anonymous JCR Node Creation (@dhiyaneshdk, @0ang3el) [high]
• [blackbox-exporter-exposure] Blackbox Exporter - Exposure (@dhiyaneshdk) [high]
• [cluster-trino-admin-login] Cluster Overview Trino - Admin Login (@dhiyaneshdk) [high]
• [csp-script-src-wildcard] Content-Security-Policy "script-src" Wildcard Detected (@prithiv) [medium]
• [memtracker-exposure] MemTracker - Exposure (@dhiyaneshdk) [high]
• [sharepoint-files-disclosure] Microsoft SharePoint Files Disclosure (@pussycat0x) [info]
• [sharepoint-layouts-disclosure] Microsoft SharePoint - Layouts Disclosure (@dhiyaneshdk) [low]
• [sharepoint-masterpage-disclosure] Microsoft SharePoint - Master Page Disclosure (@dhiyaneshdk) [low]
• [sharepoint-site-metadata-disclosure] Microsoft SharePoint - Site Metadata Disclosure (@0x_Akoko) [low]
• [sharepoint-sitepages-disclosure] Microsoft SharePoint - Site Pages Disclosure (@pussycat0x) [low]
• [nginx-status-403-bypass] Nginx Status Page - 403 Bypass (@pussycat0x) [low]
• [postgresql-cluster-config] PostgreSQL Cluster - Configuration (@dhiyaneshdk) [high]
• [postrest-api-exposure] PostgREST API Server - Exposure (@dhiyaneshdk) [high]
• [unauth-akhq-dashboard] AKHQ Dashboard - Unauthenticated Access (@dhiyaneshdk) [high]
• [unauth-hawkeye-dashboard] Unauth Hawkeye Dashboard - Detect (@dhiyaneshdk) [high]
• [unauth-kafka-config-editor] Kafka Config Editor - Unauthenticated Access (@dhiyaneshdk) [high]
• [unauth-phoenix-dashboard] Unauth Phoenix Dashboard - Detect (@dhiyaneshdk) [high]
• [unauth-qdrantui] Qdrant UI - Unauthenticated Access (@dhiyaneshdk) [high]
• [unauth-supervisor-dashboard] Unauth Supervisor Dashboard - Detect (@dhiyaneshdk) [high]
• [agent-zero-detect] Agent-Zero Application - Detect (@0x_Akoko) [info]
• [cisco-finesse-detect] Cisco Finesse - Detect (@0x_Akoko) [info]
• [flower-detect] Flower - Detect (@righettod) [info]
• [sharepoint-web-services-discovery] Microsoft SharePoint - Web Services Discovery (@0x_Akoko) [info]
• [nostromo-detect] Nostromo Web Server (@Shivam Kamboj) [info]
• [odoo-detection] Odoo - Detect (@keyboard-slayer) [info]
• [traggo-server-detect] Traggo Time Tracking Server - Detect (@0x_Akoko) [info]
• [vtigercrm-detect] Vtiger CRM - Detect (@icarot) [info]
• [winstone-detect] Winstone Servlet Engine (@Shivam Kamboj) [info]
• [wp-security-hidden-login-exposure] WordPress All-in-One Security <=4.4.1 - Hidden Login Page Exposure (@theamanrawat) [medium]
• [wp-twenty-theme-fpd] WordPress Twenty Seventeen - Full Path Disclosure (@dhiyaneshdk) [low]
• [wp-twentysixteen-fpd] WordPress Twenty Sixteen - Full Path Disclosure (@theamanrawat) [low]
• [wp-twentytwenty-fpd] WordPress Twenty Twenty Theme - Full Path Disclosure (@0x_Akoko) [info]
• [functions-php-disclosure] functions.php Full Path Disclosure (@pussycat0x) [low]
• [yonyou-u9-patchfile-upload] Yonyou U9 PatchFile.asmx - Unauthenticated Arbitrary File Upload (@Co5mos, @projectdiscoveryai) [critical]

New Contributors

• @keyboard-slayer made their first contribution in #13958
• @eduquintanilha made their first contribution in #13920
• @0xanis made their first contribution in #13983
• @0xnemian made their first contribution in #13930
• @OrSmolnik made their first contribution in #14007
• @nikhilpatidar01 made their first contribution in #14015
• @brendan-rsoc made their first contribution in #14016
• @S9n3x made their first contribution in #13496
• @Snbig made their first contribution in #13581
• @JosephTTD made their first contribution in #14042
• @l-teles made their first contribution in #14075

Full Changelog: v10.3.2...v10.3.3