projectdiscovery/nuclei-templates v10.3.8 on GitHub

New Templates Added: `457` | CVEs Added: `43` | First-time contributions: `13`

🔥 Release Highlights 🔥

[CVE-2026-23760] SmarterTools SmarterMail - Admin Password Reset (@watchtowr, @dhiyaneshdk) [critical] (vKEV) 🔥
[CVE-2026-23550] Modular DS - Broken Access Control (@dhiyaneshdk) [high] (vKEV) 🔥
[CVE-2026-22200] osTicket - Arbitrary File Read (@dhiyaneshdk) [high] 🔥
[CVE-2026-21858] n8n Webhooks - Remote Code Execution (@rxerium) [critical] (vKEV) 🔥
[CVE-2025-66516] Apache Tika - XML External Entity Injection (@MathematicianGoat) [high] 🔥
[CVE-2025-56520] Dify v1.6.0 - Server-Side Request Forgery (@0x_Akoko) [high] 🔥
[CVE-2025-52694] Advantech WISE-IoTSuite/SaaS - SQL Injection (@Loi Nguyen Thang) [critical] 🔥
[CVE-2025-27817] Apache Kafka Client - Arbitrary File Read (@0x_Akoko) [high] 🔥
[CVE-2025-25570] Vue Vben Admin - Default Credentials (@0x_Akoko) [critical] 🔥
[CVE-2025-8110] Gogs <= 0.13.3 - Remote Code Execution (@rxerium) [high] (kev) 🔥
[CVE-2025-4210] Casdoor - Authorization Bypass (@theamanrawat) [high] (vKEV) 🔥
[CVE-2023-52163] Digiever DS-2105 Pro - Command Injection (@rajesh-social-tech) [high] (kev) 🔥
[CVE-2022-4223] pgAdmin < 6.17 - Unauthenticated Remote Code Execution (@0x_Akoko) [critical] 🔥
[CVE-2020-26935] phpMyAdmin < 5.0.3 - SQL Injection (@0x_Akoko) [critical] 🔥
[CVE-2020-9039] Couchbase Server - Broken Access Control (@pussycat0x) [critical] 🔥
[CVE-2020-5722] Grandstream UCM6200 - SQL Injection (@theamanrawat) [critical] (kev) 🔥

What's Changed

Bug Fixes

Fixed copyright year detection from 2025 to 2026 in old-copyright.yaml (PR #14977)
Corrected CVE ID by renaming CVE-2025-54253.yaml to CVE-2025-49533.yaml (PR #14963)
Fixed file path by renaming CVE-2020-26935.yaml to proper directory (PR #14993)
Fixed file path for pear-registry-exposed.yaml (PR #14984)
Revised CVE-2025-61882 details and references (PR #14972)
Updated php-backup-files.yaml (PR #14973)
Updated CVE-2026-23760.yaml tags (PR #15023)
Fixed author name in CVE-2025-60188.yaml (PR #15042)

False Negatives

Fixed multiple regex-based templates triggering incorrectly on valid CSS (Issue #13131)

False Positives

Reduced false positives in the following templates:
- CVE-2022-42475 - Fixed detection when connection is dropped by firewall (PR #15027, Issue #14988)
- CVE-2024-2473 - Added missing "condition: and" to prevent early matching (PRs #14976, #14962, Issue #14950)
- coinbase-phish & hotjar-rum-detect (PR #15059)
- CVE-2023-30150.yaml (PR #14998)
- dot-credentials-exposure (Issue #14922)
- CVE-2023-34048 - Fixed false positives on ESXi hosts (Issue #14710)
- postgres-history-exposure (PR #14861, Issue #14844)
- xinclude-injection:linux - Reduced false positives with stricter regex (PR #14925, Issue #14775)

Enhancements

Updated detect-sentry.yaml with new matchers (PR #14955)

Templates Added

[CVE-2026-23760] SmarterTools SmarterMail - Admin Password Reset (@watchtowr, @dhiyaneshdk) [critical] (vKEV) 🔥
[CVE-2026-23550] Modular DS - Broken Access Control (@dhiyaneshdk) [high] (vKEV) 🔥
[CVE-2026-22200] osTicket - Arbitrary File Read (@dhiyaneshdk) [high] 🔥
[CVE-2026-21859] Mailpit < 1.28.3 - Server-Side Request Forgery (@omarkurt) [high]
[CVE-2026-21858] n8n Webhooks - Remote Code Execution (@rxerium) [critical] (vKEV) 🔥
[CVE-2025-66516] Apache Tika - XML External Entity Injection (@MathematicianGoat) [high] 🔥
[CVE-2025-66472] XWiki DeleteApplication - Cross-Site Scripting (@ritikchaddha) [medium]
[CVE-2025-56520] Dify v1.6.0 - Server-Side Request Forgery (@0x_Akoko) [high] 🔥
[CVE-2025-56132] LiquidFiles < 4.2 - User Enumeration via Password Reset (@dhiyaneshdk) [high]
[CVE-2025-55303] Astro - Unauthorized Third-Party Image Access (@theamanrawat) [medium]
[CVE-2025-52694] Advantech WISE-IoTSuite/SaaS - SQL Injection (@Loi Nguyen Thang) [critical] 🔥
[CVE-2025-46550] YesWiki < 4.5.4 - Cross-Site Scripting (@MuhammadWaseem) [medium]
[CVE-2025-46549] YesWiki <= 4.5.1 - Cross-Site Scripting (@MuhammadWaseem) [medium]
[CVE-2025-46349] YesWiki Reflected XSS via File Upload (@mahmoud Gamal) [high]
[CVE-2025-36845] Eveo URVE Web Manager - Server-Side Request Forgery (@dhiyaneshdk) [high]
[CVE-2025-27817] Apache Kafka Client - Arbitrary File Read (@0x_Akoko) [high] 🔥
[CVE-2025-25570] Vue Vben Admin - Default Credentials (@0x_Akoko) [critical] 🔥
[CVE-2025-13418] Responsive Pricing Table <= 5.1.12 - Cross-Site Scripting (@Shivam Kamboj, @jay Jani) [medium]
[CVE-2025-11580] PowerJob List - Authorization Bypass (@dhiyaneshdk) [medium]
[CVE-2025-8110] Gogs <= 0.13.3 - Remote Code Execution (@rxerium) [high] (kev) 🔥
[CVE-2025-4210] Casdoor - Authorization Bypass (@theamanrawat) [high] (vKEV) 🔥
[CVE-2025-3472] Ocean Extra <= 2.4.6 - Unauthenticated Shortcode Execution (@theamanrawat) [medium]
[CVE-2024-56159] Astro - Information Disclosure (@theamanrawat) [medium]
[CVE-2024-29137] WordPress Tourfic Plugin <= 2.11.7 - Cross-Site Scripting (@Shivam Kamboj) [high] 🔥
[CVE-2024-23055] Plone Docker - Host Header Injection (@theamanrawat) [medium]
[CVE-2023-52163] Digiever DS-2105 Pro - Command Injection (@rajesh-social-tech) [high] (kev) 🔥
[CVE-2023-33960] OpenProject < 12.5.4 - Project Identifiers Exposure (@0x_Akoko) [medium]
[CVE-2022-41697] Ghost CMS - User Enumeration (@ritikchaddha) [medium] 🔥
[CVE-2022-4223] pgAdmin < 6.17 - Unauthenticated Remote Code Execution (@0x_Akoko) [critical] 🔥
[CVE-2022-0188] CMP WordPress < 4.0.19 - Broken Access Control (@pussycat0x) [medium]
[CVE-2021-37598] WP Cerber < 8.9.3 - Broken Access Control (@theamanrawat) [medium]
[CVE-2021-22881] Ruby on Rails - Open Redirect via Host Header Injection (@theamanrawat) [medium] 🔥
[CVE-2021-21246] OneDev < 4.0.3 - User Access Token Leak (@dhiyaneshdk) [high]
[CVE-2020-26935] phpMyAdmin < 5.0.3 - SQL Injection (@0x_Akoko) [critical] 🔥
[CVE-2020-19363] Vtiger CRM v7.2.0 - Directory Listing (@0x_Akoko) [medium] 🔥
[CVE-2020-16248] Prometheus Blackbox Exporter - Server-Side Request Forgery (SSRF) (@dhiyaneshdk) [medium] 🔥
[CVE-2020-15081] PrestaShop < 1.7.6.6 - Information Exposure via Upload Directory (@0x_Akoko) [low] 🔥
[CVE-2020-9314] Oracle iPlanet Web Server 7.0.x - Image Injection (@dhiyaneshdk) [medium]
[CVE-2020-9039] Couchbase Server - Broken Access Control (@pussycat0x) [critical] 🔥
[CVE-2020-5722] Grandstream UCM6200 - SQL Injection (@theamanrawat) [critical] (kev) 🔥
[CVE-2019-14206] Nevma Adaptive Images - Arbitrary File Deletion (@riteshs4hu) [high]
[CVE-2019-12935] Shopware < 5.5.8 - Cross-Site Scripting (@pussycat0x) [high] 🔥
[CVE-2018-7765] Schneider Electric U.motion Builder - SQL Injection (@daffainfo) [high]
[clawdbot-gw-exposure] Clawdbot Gateway - Detect (@rxerium) [info]
[pendo-api-key-exposure] Pendo API Key Exposure (@0x_Akoko) [medium]
[jhipster-default-login] JHipster Platform - Default Login (@ritikchaddha) [high]
[openlitespeed-default-login] OpenLiteSpeed WebAdmin - Default Login (@0x_Akoko) [high]
[cgit-detect] cgit Web Interface - Detection (@ritikchaddha) [info]
[cheatsh-detect] cheat.sh Instance - Detection (@ritikchaddha) [info]
[cisco-webex-meetings-panel] Cisco Webex Meetings - Panel (@Eyonn) [info]
[dagster-webserver-ui-exposure] Dagster - Webserver UI Exposure (@0x_Akoko) [medium]
[orbeon-forms-exposure] Orbeon Forms Exposure (@ritikchaddha) [info]
[polycom-hdx-web-exposure] Polycom HDX - Web Interface Exposure (@0x_Akoko) [low]
[sanity-studio-panel] Sanity Studio Panel - Detect (@Shivam Kamboj) [info]
[theia-ide-panel] Eclipse Theia IDE Panel - Detect (@0x_Akoko) [info]
[xymon-exposure] Xymon - Exposure (@theamanrawat) [low]
[freshrss-api] FreshRSS Google Reader API Exposure (@dhiyaneshdk) [low]
[frigate-api-exposure] Frigate NVR - API Exposure (@0x_Akoko) [medium]
[batflat-sqlite-exposure] Batflat SQLite Database - Exposure (@dhiyaneshdk) [high]
[azure-functions-hostjson-exposure] Azure Functions host.json Configuration Exposure (@pussycat0x) [medium]
[jakefile-disclosure] Jakefile Build Configuration - Disclosure (@0x_Akoko) [info]
[netlify-headers-config-exposure] Netlify Headers Configuration - Exporsure (@theamanrawat) [low]
[ovhcloud-backup-config] OVHcloud Backup Configuration - Exposure (@pussycat0x) [high]
[php-prober-exposure] PHP Prober - Exposure (@ritikchaddha) [medium]
[selenium-grid-exposure] Selenium Grid Exposure (@0x_Akoko) [high]
[symfony-lock-exposure] Symfony Lock File - Exposure (@ritikchaddha) [low]
[wordpress-wp-env-exposure] WordPress Configuration wp-env - Exposure (@0x_Akoko) [low]
[zipkin-config-exposure] Zipkin Configuration - Exposure (@theamanrawat) [low]
[aspnet-launchsettings-exposure] ASP.NET Launch Settings - Exposure (@theamanrawat) [medium]
[aws-buildspec-exposure] AWS CodeBuild Build Spec - Exposure (@theamanrawat) [low]
[dot-credentials-exposure] Dot Credentials - Exposure (@theamanrawat) [high]
[gcloudignore-file-exposure] Google Cloud Ignore File Exposure (@dhiyaneshdk) [low]
[gitpod-dockerfile-exposure] Gitpod Dockerfile - Exposure (@theamanrawat) [info]
[joe-deadjoe-file-exposure] Joe Editor DEADJOE File - Exposure (@0x_Akoko) [low]
[pear-registry-exposed] PEAR Registry Files Exposed (@pussycat0x) [low]
[postgres-history-exposure] PostgreSQL History - Exposure (@theamanrawat, @0x_Akoko) [low]
[redmine-issues-exposure] Redmine Issues - Exposure (@theamanrawat) [medium]
[rubygems-credentials-exposure] Ruby Gem::ConfigFile Credential - Exposure (@theamanrawat) [high]
[sqlite-history-exposure] SQLite History - Exposure (@theamanrawat) [medium]
[testignore-disclosure] Testignore - File Disclosure (@0x_Akoko) [info]
[vscode-mcp-json] Visual Studio Code MCP Configuration ("mcp.json") Exposure (@dhiyaneshdk) [low]
[vscode-settings] Visual Studio Code Settings - Credential Exposure (@dhiyaneshdk) [low]
[cacti-log-exposure] Cacti Log - Exposure (@theamanrawat) [medium]
[magento-debug-log-exposure] Magento Debug Log - Exposure (@0x_Akoko) [medium]
[opencart-error-log] OpenCart Error Log Disclosure (@dhiyaneshdk) [medium]
[servicestack-requestlogs] ServiceStack Request Logs - Unauthenticated Access (@dhiyaneshdk) [high]
[wp-wpstatistics-log] WordPress Plugin WP Statistics Error Log Disclosure (@dhiyaneshdk) [medium]
[zen-cart-log-exposure] Zen Cart Log File Exposure (@0x_Akoko) [medium]
[azure-instrumentation-key-exposure] Azure Instrumentation Key - Exposure (@pussycat0x) [medium]
[firebase-fcm-server-key-disclosure] Firebase Cloud Messaging - Server Key Disclosure (@0x_Akoko) [medium]
[adminbro-dashboard-exposure] AdminBro Dashboard - Unauthenticated Access (@0x_Akoko) [high]
[administrate-dashboard] Administrate Dashboard Exposure (@dhiyaneshdk) [high]
[coldfusion-cfide-dir-listing] Adobe ColdFusion CFIDE - Directory Listing (@0x_Akoko) [medium]
[alibaba-bucket-listing] Alibaba Cloud OSS Bucket - Public Listing Enabled (@0x_Akoko) [unknown]
[apache-spark-env] Apache Spark Environment - Exposure (@0x_Akoko) [medium]
[cacti-fpd] Cacti - Full Path Disclosure (@theamanrawat) [low]
[cakephp-debugkit-exposure] CakePHP - Debug Kit Toolbar Exposure (@0x_Akoko) [medium]
[chroma-db-unauth] Chroma DB - Information Disclosure (@Shay Ben Tikva) [high]
[flask-debug-toolbar] Flask Debug Toolbar - Exposure (@0x_Akoko) [medium]
[drupal-source-code-disclosure] Drupal - Source Code Disclosure (@pussycat0x) [medium]
[envoy-metadata-disclosure] Envoy Proxy - Metadata Disclosure (@theamanrawat) [info]
[exist-db-dashboard-access] eXist-DB Dashboard Access (@ritikchaddha) [high]
[ezservermonitor-exposure] eZ Server Monitor - Exposure (@pussycat0x) [low]
[fastly-backend-info-disclosure] Fastly Backend Server Information Disclosure (@0x_Akoko) [low]
[fastly-debug-headers] Fastly CDN Debug Headers Exposure (@pussycat0x) [info]
[fortra-filecatalyst-anonymous-access] Fortra FileCatalyst - Anonymous Access (@ritikchaddha) [low]
[gerrit-account-enum] Gerrit Code Review - Account Enumeration (@dhiyaneshdk) [medium]
[gitea-public-repo-exposure] Gitea Public Repository - Exposure (@theamanrawat) [low]
[google-calendar-exposure] Google Calendar - Exposure (@dhiyaneshdk) [low]
[homebridge-unfinished-install] Homebridge - Unfinished Installation (@theamanrawat) [high]
[ibm-cloud-bucket-exposure] IBM Cloud Object Storage - Bucket Exposure (@0x_Akoko) [unknown]
[info-cgi-env-leak] info.cgi Environment Variable - Disclosure (@pussycat0x) [medium]
[beszel-unfinished-installation] Beszel Unfinished Installation (@0x_Akoko) [high]
[fork-installer] Fork CMS - Installer (@dhiyaneshdk) [critical]
[itflow-unfinished-installation] ITFlow Unfinished Installation (@0x_Akoko) [high]
[rancher-incomplete-setup] Rancher - Incomplete Setup Exposure (@0x_Akoko) [low]
[intermapper-exposure] InterMapper - Exposure (@pussycat0x) [high]
[jellyfin-public-users-exposure] Jellyfin Public Users - Exposure (@theamanrawat) [medium]
[kanboard-database-exposure] Kanboard - SQLite Database Exposure (@0x_Akoko) [high]
[laravel-sessions-exposure] Laravel Sessions Folder Exposure (@dhiyaneshdk) [high]
[laravel-terminal-exposure] Laravel Terminal - Exposed (@pussycat0x) [high]
[lightstreamer-dashboard-exposure] Lightstreamer Dashboard Exposure (@dhiyaneshdk) [medium]
[sharepoint-exposed-login-endpoint] Microsoft SharePoint - Exposed Login Endpoint (@pussycat0x) [info]
[mongodb-exposure] MongoDB Exposure (@dhiyaneshdk) [info]
[mybb-full-path-disclosure] MyBB - Full Path Disclosure (@0x_Akoko) [low]
[nocodb-public-registration-enabled] NocoDB Public Registration Enabled (@pussycat0x) [medium]
[ollama-improper-authorization] Ollama - Improper Authorization (@0x_Akoko) [medium]
[opennms-dashboard-exposure] OpenNMS Dashboard - Exposure Detection (@ritikchaddha) [medium]
[perforce-repository] Perforce Repository Disclosure (@dhiyaneshdk) [low]
[remotely-registration-enabled] Remotely Registration Enabled (@ritikchaddha) [high]
[s3-username-disclosure] x-amz-meta-s3cmd-attrs Header Username Disclosure (@dhiyaneshdk) [low]
[seafile-public-registration] Seafile - Public Registration Enabled (@theamanrawat) [info]
[sendmail-forward-exposure] Sendmail .forward File - Exposure (@ritikchaddha) [low]
[springboot-x-application-context] Spring Boot X-Application-Context Header Exposure (@dhiyaneshdk) [low]
[stylelint-ignore-disclosure] Stylelint - Ignore File Disclosure (@ritikchaddha) [info]
[typo3-directory-listing] Typo3 Directory Listing (@theamanrawat) [low]
[umbraco-directory-listing] Umbraco CMS - Directory Listing Exposure (@dhiyaneshdk) [medium]
[umbraco-miniprofiler-exposure] Umbraco Mini Profiler - Exposure (@theamanrawat) [low]
[weblate-public-project-exposure] Weblate Public Project - Exposure (@ritikchaddha) [info]
[wekan-signup-page] Wekan Sign Up Page - Exposure (@dhiyaneshdk) [medium]
[wp-a3-lazy-load-top-fpd] WordPress a3 Lazy Load - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-add-search-to-menu-fpd] WordPress Ivory Search - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-advanced-iframe-fpd] WordPress Advanced iFrame - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-advanced-responsive-video-embedder-fpd] WP Advanced Responsive Video Embedder - FPD (@dhiyaneshdk) [low]
[wp-ajax-load-more-anything-fpd] WordPress Load More Anything - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-ajax-search-lite-fpd] WordPress Ajax Search Lite - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-breadcrumb-navxt-fpd] WordPress Breadcrumb NavXT - Full Path Disclosure (@theamanrawat) [low]
[wp-call-now-button-fpd] WordPress Call Now Button - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-cf7-data-source-fpd] WordPress Data Source for Contact Form 7 - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-duplicate-page-fpd] WordPress Duplicate Page - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-header-footer-elementor-fpd] WordPress Header Footer Elementor - Full Path Disclosure (@ritikchaddha) [low]
[wp-hostinger-fpd] WordPress Hostinger Tools - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-really-simple-captcha-fpd] WordPress Plugin Really Simple CAPTCHA - Full Path Disclosure (@pussycat0x) [low]
[wp-updraftplus-fpd] WordPress UpdraftPlus - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-w3-total-cache-fpd] WordPress W3 Total Cache - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-wpforms-lite-fpd] WordPress WPForms - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-wpfront-scroll-top-fpd] WordPress WPFront Scroll Top - Full Path Disclosure (@dhiyaneshdk) [low]
[wp-gravity-forms-log-disclosure] WordPress Gravity Forms - Log File Disclosure (@ritikchaddha) [low]
[1a-auto-phish] 1A Auto phishing Detection (@rxerium) [info]
[ace-hardware-phish] Ace Hardware phishing Detection (@rxerium) [info]
[advance-auto-phish] Advance Auto Parts phishing Detection (@rxerium) [info]
[affirm-phish] Affirm phishing Detection (@rxerium) [info]
[afterpay-phish] Afterpay phishing Detection (@rxerium) [info]
[airbnb-phish] Airbnb phishing Detection (@rxerium) [info]
[airtable-phish] Airtable phishing Detection (@rxerium) [info]
[ally-bank-phish] Ally Bank phishing Detection (@rxerium) [info]
[amc-plus-phish] AMC+ phishing Detection (@rxerium) [info]
[americanmuscle-phish] AmericanMuscle phishing Detection (@rxerium) [info]
[amplitude-phish] Amplitude phishing Detection (@rxerium) [info]
[anthropic-phish] Anthropic phishing Detection (@rxerium) [info]
[anydo-phish] Any.do phishing Detection (@rxerium) [info]
[anz-phish] ANZ phishing Detection (@rxerium) [info]
[asana-phish] Asana phishing Detection (@rxerium) [info]
[atlassian-phish] Atlassian phishing Detection (@rxerium) [info]
[audible-phish] Audible phishing Detection (@rxerium) [info]
[auth0-phish] Auth0 phishing Detection (@rxerium) [info]
[authy-phish] Authy phishing Detection (@rxerium) [info]
[autodesk-phish] Autodesk phishing Detection (@rxerium) [info]
[autozone-phish] AutoZone phishing Detection (@rxerium) [info]
[azure-phish] Microsoft Azure phishing Detection (@rxerium) [info]
[backblaze-phish] Backblaze phishing Detection (@rxerium) [info]
[bandcamp-phish] Bandcamp phishing Detection (@rxerium) [info]
[barclays-phish] Barclays phishing Detection (@rxerium) [info]
[bethesda-phish] Bethesda phishing Detection (@rxerium) [info]
[bigcommerce-phish] BigCommerce phishing Detection (@rxerium) [info]
[binance-phish] Binance phishing Detection (@rxerium) [info]
[bitbucket-phish] Bitbucket phishing Detection (@rxerium) [info]
[bitfinex-phish] Bitfinex phishing Detection (@rxerium) [info]
[bjs-phish] BJ's Wholesale Club phishing Detection (@rxerium) [info]
[blizzard-phish] Blizzard phishing Detection (@rxerium) [info]
[bmo-phish] BMO phishing Detection (@rxerium) [info]
[bnp-paribas-phish] BNP Paribas phishing Detection (@rxerium) [info]
[booking-com-phish] Booking.com phishing Detection (@rxerium) [info]
[brevo-phish] Brevo phishing Detection (@rxerium) [info]
[buymeacoffee-phish] Buy Me a Coffee phishing Detection (@rxerium) [info]
[cafepress-phish] CafePress phishing Detection (@rxerium) [info]
[calendly-phish] Calendly phishing Detection (@rxerium) [info]
[canva-phish] Canva phishing Detection (@rxerium) [info]
[capital-one-phish] Capital One phishing Detection (@rxerium) [info]
[caviar-phish] Caviar phishing Detection (@rxerium) [info]
[chatgpt-phish] ChatGPT phishing Detection (@rxerium) [info]
[chime-phish] Chime phishing Detection (@rxerium) [info]
[cibc-phish] CIBC phishing Detection (@rxerium) [info]
[citibank-phish] Citibank phishing Detection (@rxerium) [info]
[cj-pony-parts-phish] CJ Pony Parts phishing Detection (@rxerium) [info]
[clickup-phish] ClickUp phishing Detection (@rxerium) [info]
[cloudflare-phish] Cloudflare phishing Detection (@rxerium) [info]
[codesandbox-phish] CodeSandbox phishing Detection (@rxerium) [info]
[coinbase-phish] Coinbase phishing Detection (@rxerium) [info]
[comerica-phish] Comerica Bank phishing Detection (@rxerium) [info]
[commonwealth-bank-phish] Commonwealth Bank phishing Detection (@rxerium) [info]
[costco-phish] Costco phishing Detection (@rxerium) [info]
[credit-agricole-phish] Crédit Agricole phishing Detection (@rxerium) [info]
[crunchyroll-phish] Crunchyroll phishing Detection (@rxerium) [info]
[csgo-phish] CS:GO phishing Detection (@rxerium) [info]
[current-phish] Current phishing Detection (@rxerium) [info]
[customink-phish] CustomInk phishing Detection (@rxerium) [info]
[cvs-phish] CVS phishing Detection (@rxerium) [info]
[cyberghost-phish] CyberGhost phishing Detection (@rxerium) [info]
[dbs-phish] DBS Bank phishing Detection (@rxerium) [info]
[depop-phish] Depop phishing Detection (@rxerium) [info]
[deutsche-bank-phish] Deutsche Bank phishing Detection (@rxerium) [info]
[dhl-phish] DHL phishing Detection (@rxerium) [info]
[discover-phish] Discover phishing Detection (@rxerium) [info]
[docusign-phish] DocuSign phishing Detection (@rxerium) [info]
[doordash-phish] DoorDash phishing Detection (@rxerium) [info]
[dota2-phish] Dota 2 phishing Detection (@rxerium) [info]
[dribbble-phish] Dribbble phishing Detection (@rxerium) [info]
[ea-phish] EA phishing Detection (@rxerium) [info]
[edelbrock-phish] Edelbrock phishing Detection (@rxerium) [info]
[epic-games-phish] Epic Games phishing Detection (@rxerium) [info]
[etsy-phish] Etsy phishing Detection (@rxerium) [info]
[expedia-phish] Expedia phishing Detection (@rxerium) [info]
[expressvpn-phish] ExpressVPN phishing Detection (@rxerium) [info]
[fanatical-phish] Fanatical phishing Detection (@rxerium) [info]
[fastmail-phish] Fastmail phishing Detection (@rxerium) [info]
[fedex-phish] FedEx phishing Detection (@rxerium) [info]
[fifth-third-bank-phish] Fifth Third Bank phishing Detection (@rxerium) [info]
[footlocker-phish] Foot Locker phishing Detection (@rxerium) [info]
[fortnite-phish] Fortnite phishing Detection (@rxerium) [info]
[framer-phish] Framer phishing Detection (@rxerium) [info]
[freshworks-phish] Freshworks phishing Detection (@rxerium) [info]
[fubo-phish] FuboTV phishing Detection (@rxerium) [info]
[fullstory-phish] FullStory phishing Detection (@rxerium) [info]
[g2a-phish] G2A phishing Detection (@rxerium) [info]
[gamestop-phish] GameStop phishing Detection (@rxerium) [info]
[gcp-phish] Google Cloud Platform phishing Detection (@rxerium) [info]
[gemini-phish] Gemini phishing Detection (@rxerium) [info]
[gitlab-phish] GitLab phishing Detection (@rxerium) [info]
[gitpod-phish] Gitpod phishing Detection (@rxerium) [info]
[goat-phish] GOAT phishing Detection (@rxerium) [info]
[godaddy-phish] GoDaddy phishing Detection (@rxerium) [info]
[gog-phish] GOG phishing Detection (@rxerium) [info]
[grailed-phish] Grailed phishing Detection (@rxerium) [info]
[grammarly-phish] Grammarly phishing Detection (@rxerium) [info]
[green-man-gaming-phish] Green Man Gaming phishing Detection (@rxerium) [info]
[grubhub-phish] Grubhub phishing Detection (@rxerium) [info]
[gumroad-phish] Gumroad phishing Detection (@rxerium) [info]
[harbor-freight-phish] Harbor Freight phishing Detection (@rxerium) [info]
[hbo-max-phish] HBO Max phishing Detection (@rxerium) [info]
[heroku-phish] Heroku phishing Detection (@rxerium) [info]
[hetzner-phish] Hetzner phishing Detection (@rxerium) [info]
[holley-phish] Holley phishing Detection (@rxerium) [info]
[homeaway-phish] HomeAway phishing Detection (@rxerium) [info]
[hotels-phish] Hotels.com phishing Detection (@rxerium) [info]
[hotjar-phish] Hotjar phishing Detection (@rxerium) [info]
[hsbc-phish] HSBC phishing Detection (@rxerium) [info]
[hubspot-phish] HubSpot phishing Detection (@rxerium) [info]
[hulu-phish] Hulu phishing Detection (@rxerium) [info]
[humble-bundle-phish] Humble Bundle phishing Detection (@rxerium) [info]
[huntington-bank-phish] Huntington Bank phishing Detection (@rxerium) [info]
[icbc-phish] ICBC phishing Detection (@rxerium) [info]
[ing-phish] ING phishing Detection (@rxerium) [info]
[instacart-phish] Instacart phishing Detection (@rxerium) [info]
[intercom-phish] Intercom phishing Detection (@rxerium) [info]
[irs-phish] IRS phishing Detection (@rxerium) [info]
[itch-io-phish] itch.io phishing Detection (@rxerium) [info]
[jegs-phish] JEGS phishing Detection (@rxerium) [info]
[jetbrains-phish] JetBrains phishing Detection (@rxerium) [info]
[jitsi-phish] Jitsi phishing Detection (@rxerium) [info]
[keybank-phish] KeyBank phishing Detection (@rxerium) [info]
[kinguin-phish] Kinguin phishing Detection (@rxerium) [info]
[klarna-phish] Klarna phishing Detection (@rxerium) [info]
[ko-fi-phish] Ko-fi phishing Detection (@rxerium) [info]
[kraken-phish] Kraken phishing Detection (@rxerium) [info]
[latemodel-restoration-phish] Late Model Restoration phishing Detection (@rxerium) [info]
[league-of-legends-phish] League of Legends phishing Detection (@rxerium) [info]
[line-phish] LINE phishing Detection (@rxerium) [info]
[linear-phish] Linear phishing Detection (@rxerium) [info]
[linode-phish] Linode phishing Detection (@rxerium) [info]
[lloyds-phish] Lloyds Bank phishing Detection (@rxerium) [info]
[loaded-phish] Loaded phishing Detection (@rxerium) [info]
[loom-phish] Loom phishing Detection (@rxerium) [info]
[lowes-phish] Lowe's phishing Detection (@rxerium) [info]
[lyft-phish] Lyft phishing Detection (@rxerium) [info]
[magento-phish] Magento phishing Detection (@rxerium) [info]
[mailchimp-phish] Mailchimp phishing Detection (@rxerium) [info]
[mastercard-phish] Mastercard phishing Detection (@rxerium) [info]
[mattermost-phish] Mattermost phishing Detection (@rxerium) [info]
[medium-phish] Medium phishing Detection (@rxerium) [info]
[menards-phish] Menards phishing Detection (@rxerium) [info]
[mercari-phish] Mercari phishing Detection (@rxerium) [info]
[midjourney-phish] Midjourney phishing Detection (@rxerium) [info]
[miro-phish] Miro phishing Detection (@rxerium) [info]
[mixpanel-phish] Mixpanel phishing Detection (@rxerium) [info]
[monday-phish] Monday.com phishing Detection (@rxerium) [info]
[monzo-phish] Monzo phishing Detection (@rxerium) [info]
[mpix-phish] MPIX phishing Detection (@rxerium) [info]
[mt-bank-phish] M&T Bank phishing Detection (@rxerium) [info]
[mullvad-phish] Mullvad VPN phishing Detection (@rxerium) [info]
[n26-phish] N26 phishing Detection (@rxerium) [info]
[nab-phish] NAB phishing Detection (@rxerium) [info]
[namecheap-phish] Namecheap phishing Detection (@rxerium) [info]
[napa-phish] NAPA Auto Parts phishing Detection (@rxerium) [info]
[natwest-phish] NatWest phishing Detection (@rxerium) [info]
[netlify-phish] Netlify phishing Detection (@rxerium) [info]
[newegg-phish] Newegg phishing Detection (@rxerium) [info]
[nike-phish] Nike phishing Detection (@rxerium) [info]
[nintendo-phish] Nintendo phishing Detection (@rxerium) [info]
[nordvpn-phish] NordVPN phishing Detection (@rxerium) [info]
[obsidian-phish] Obsidian phishing Detection (@rxerium) [info]
[ocbc-phish] OCBC Bank phishing Detection (@rxerium) [info]
[okta-phish] Okta phishing Detection (@rxerium) [info]
[onlyfans-phish] OnlyFans phishing Detection (@rxerium) [info]
[oracle-cloud-phish] Oracle Cloud phishing Detection (@rxerium) [info]
[oreilly-phish] O'Reilly Auto Parts phishing Detection (@rxerium) [info]
[origin-phish] Origin phishing Detection (@rxerium) [info]
[overstock-phish] Overstock phishing Detection (@rxerium) [info]
[ovh-phish] OVHcloud phishing Detection (@rxerium) [info]
[pandora-phish] Pandora phishing Detection (@rxerium) [info]
[paramount-plus-phish] Paramount+ phishing Detection (@rxerium) [info]
[partsgeek-phish] PartsGeek phishing Detection (@rxerium) [info]
[patreon-phish] Patreon phishing Detection (@rxerium) [info]
[peacock-phish] Peacock phishing Detection (@rxerium) [info]
[pepboys-phish] Pep Boys phishing Detection (@rxerium) [info]
[philo-phish] Philo phishing Detection (@rxerium) [info]
[pia-phish] Private Internet Access phishing Detection (@rxerium) [info]
[playstation-phish] PlayStation phishing Detection (@rxerium) [info]
[pnc-bank-phish] PNC Bank phishing Detection (@rxerium) [info]
[poshmark-phish] Poshmark phishing Detection (@rxerium) [info]
[postmates-phish] Postmates phishing Detection (@rxerium) [info]
[priceline-phish] Priceline phishing Detection (@rxerium) [info]
[printful-phish] Printful phishing Detection (@rxerium) [info]
[printify-phish] Printify phishing Detection (@rxerium) [info]
[protonvpn-phish] ProtonVPN phishing Detection (@rxerium) [info]
[pubg-phish] PUBG phishing Detection (@rxerium) [info]
[puma-phish] Puma phishing Detection (@rxerium) [info]
[rabobank-phish] Rabobank phishing Detection (@rxerium) [info]
[rbc-phish] RBC phishing Detection (@rxerium) [info]
[redbubble-phish] Redbubble phishing Detection (@rxerium) [info]
[regions-bank-phish] Regions Bank phishing Detection (@rxerium) [info]
[revolut-phish] Revolut phishing Detection (@rxerium) [info]
[ring-phish] Ring phishing Detection (@rxerium) [info]
[riot-games-phish] Riot Games phishing Detection (@rxerium) [info]
[rite-aid-phish] Rite Aid phishing Detection (@rxerium) [info]
[roam-research-phish] Roam Research phishing Detection (@rxerium) [info]
[robinhood-phish] Robinhood phishing Detection (@rxerium) [info]
[rockauto-phish] RockAuto phishing Detection (@rxerium) [info]
[rocketchat-phish] Rocket.Chat phishing Detection (@rxerium) [info]
[rockstar-phish] Rockstar Games phishing Detection (@rxerium) [info]
[rockstar-social-club-phish] Rockstar Social Club phishing Detection (@rxerium) [info]
[roku-phish] Roku phishing Detection (@rxerium) [info]
[salesforce-phish] Salesforce phishing Detection (@rxerium) [info]
[sams-club-phish] Sam's Club phishing Detection (@rxerium) [info]
[santander-phish] Santander Bank phishing Detection (@rxerium) [info]
[scaleway-phish] Scaleway phishing Detection (@rxerium) [info]
[scotiabank-phish] Scotiabank phishing Detection (@rxerium) [info]
[scribd-phish] Scribd phishing Detection (@rxerium) [info]
[seamless-phish] Seamless phishing Detection (@rxerium) [info]
[segment-phish] Segment phishing Detection (@rxerium) [info]
[shein-phish] Shein phishing Detection (@rxerium) [info]
[shopify-phish] Shopify phishing Detection (@rxerium) [info]
[shutterfly-phish] Shutterfly phishing Detection (@rxerium) [info]
[sketch-phish] Sketch phishing Detection (@rxerium) [info]
[sling-phish] Sling TV phishing Detection (@rxerium) [info]
[snapchat-phish] Snapchat phishing Detection (@rxerium) [info]
[snapfish-phish] Snapfish phishing Detection (@rxerium) [info]
[societe-generale-phish] Société Générale phishing Detection (@rxerium) [info]
[society6-phish] Society6 phishing Detection (@rxerium) [info]
[sofi-phish] SoFi phishing Detection (@rxerium) [info]
[soundcloud-phish] SoundCloud phishing Detection (@rxerium) [info]
[spreadshirt-phish] Spreadshirt phishing Detection (@rxerium) [info]
[square-phish] Square phishing Detection (@rxerium) [info]
[squarespace-phish] Squarespace phishing Detection (@rxerium) [info]
[standard-chartered-phish] Standard Chartered phishing Detection (@rxerium) [info]
[starz-phish] Starz phishing Detection (@rxerium) [info]
[stockx-phish] StockX phishing Detection (@rxerium) [info]
[stripe-phish] Stripe phishing Detection (@rxerium) [info]
[substack-phish] Substack phishing Detection (@rxerium) [info]
[sumitomo-mitsui-phish] Sumitomo Mitsui Bank phishing Detection (@rxerium) [info]
[summit-racing-phish] Summit Racing phishing Detection (@rxerium) [info]
[suntrust-phish] SunTrust phishing Detection (@rxerium) [info]
[surfshark-phish] Surfshark phishing Detection (@rxerium) [info]
[td-bank-phish] TD Bank phishing Detection (@rxerium) [info]
[teepublic-phish] TeePublic phishing Detection (@rxerium) [info]
[teespring-phish] Teespring phishing Detection (@rxerium) [info]
[threadless-phish] Threadless phishing Detection (@rxerium) [info]
[tidal-phish] Tidal phishing Detection (@rxerium) [info]
[todoist-phish] Todoist phishing Detection (@rxerium) [info]
[tractor-supply-phish] Tractor Supply phishing Detection (@rxerium) [info]
[trello-phish] Trello phishing Detection (@rxerium) [info]
[tripadvisor-phish] TripAdvisor phishing Detection (@rxerium) [info]
[truist-phish] truist phishing Detection (@rxerium) [info]
[tutanota-phish] Tutanota phishing Detection (@rxerium) [info]
[twilio-phish] Twilio phishing Detection (@rxerium) [info]
[twitter-phish] Twitter/X phishing Detection (@rxerium) [info]
[typeform-phish] Typeform phishing Detection (@rxerium) [info]
[ubs-phish] UBS phishing Detection (@rxerium) [info]
[under-armour-phish] Under Armour phishing Detection (@rxerium) [info]
[unicredit-phish] UniCredit phishing Detection (@rxerium) [info]
[uob-phish] UOB phishing Detection (@rxerium) [info]
[uplay-phish] Uplay phishing Detection (@rxerium) [info]
[us-bank-phish] US Bank phishing Detection (@rxerium) [info]
[usps-phish] USPS phishing Detection (@rxerium) [info]
[valorant-phish] VALORANT phishing Detection (@rxerium) [info]
[varo-phish] Varo phishing Detection (@rxerium) [info]
[venmo-phish] Venmo phishing Detection (@rxerium) [info]
[vercel-phish] Vercel phishing Detection (@rxerium) [info]
[viber-phish] Viber phishing Detection (@rxerium) [info]
[visa-phish] Visa phishing Detection (@rxerium) [info]
[vistaprint-phish] Vistaprint phishing Detection (@rxerium) [info]
[vrbo-phish] VRBO phishing Detection (@rxerium) [info]
[vudu-phish] Vudu phishing Detection (@rxerium) [info]
[walgreens-phish] Walgreens phishing Detection (@rxerium) [info]
[wasabi-phish] Wasabi phishing Detection (@rxerium) [info]
[wayfair-phish] Wayfair phishing Detection (@rxerium) [info]
[webex-phish] Webex phishing Detection (@rxerium) [info]
[webflow-phish] Webflow phishing Detection (@rxerium) [info]
[wechat-phish] WeChat phishing Detection (@rxerium) [info]
[wells-fargo-phish] Wells Fargo phishing Detection (@rxerium) [info]
[westpac-phish] Westpac phishing Detection (@rxerium) [info]
[whereby-phish] Whereby phishing Detection (@rxerium) [info]
[wise-phish] Wise phishing Detection (@rxerium) [info]
[wish-phish] Wish phishing Detection (@rxerium) [info]
[wix-phish] Wix phishing Detection (@rxerium) [info]
[xbox-phish] Xbox phishing Detection (@rxerium) [info]
[youtube-music-phish] YouTube Music phishing Detection (@rxerium) [info]
[zapier-phish] Zapier phishing Detection (@rxerium) [info]
[zazzle-phish] Zazzle phishing Detection (@rxerium) [info]
[zelle-phish] Zelle phishing Detection (@rxerium) [info]
[zoho-phish] Zoho phishing Detection (@rxerium) [info]
[bulma-detect] Bulma CSS Framework - Detect (@Shivam Kamboj) [info]
[firstpromoter-detect] FirstPromoter - Detect (@Shivam Kamboj) [info]
[fullstory-rum-detect] FullStory RUM - Detect (@Shivam Kamboj) [info]
[hotjar-rum-detect] Hotjar RUM - Detect (@Shivam Kamboj) [info]
[logrocket-rum-detect] LogRocket RUM - Detect (@Shivam Kamboj) [info]
[matomo-rum-detect] Matomo (Piwik) RUM - Tech Detect (@Shivam Kamboj) [info]
[openreplay-rum-detect] OpenReplay RUM - Tech Detect (@Shivam Kamboj) [info]
[payloadcms-detect] PayloadCMS - Detect (@Shivam Kamboj) [info]
[raygun-rum-detect] Raygun RUM - Detect (@Shivam Kamboj) [info]
[sailsjs-detect] Sails.js Framework - Detect (@Shivam Kamboj) [info]
[vaadin-detect] Vaadin Framework - Detect (@Shivam Kamboj) [info]
[ektron-blog-xmlrpc-xxe] Ektron CMS Blogs xmlrpc.aspx - XML External Entity Injection (@pussycat0x) [high]
[theia-lfi-to-rce] Eclipse Theia IDE - LFI to RCE (@0x_Akoko) [critical]
[tinytiny-rss-redirect] TinyTiny RSS Open Redirect (@dhiyaneshdk) [low]
[wp-easy-wp-smtp-log-exposure] WordPress Easy WP SMTP - Log Exposure (@0x_Akoko) [medium]

New Contributors

@MahmoudGmy made their first contribution in #14622
@mananispiwpiw made their first contribution in #14556
@MuhammadWaseem29 made their first contribution in #14810
@garciaizcoa made their first contribution in #14785
@rajesh-social-tech made their first contribution in #14649
@shino made their first contribution in #14838
@SadDrummer made their first contribution in #14890
@Ezzer17 made their first contribution in #14900
@686f6c61 made their first contribution in #14925
@alicemara made their first contribution in #14977
@MathematicianGoat made their first contribution in #14951
@Winz18 made their first contribution in #14825
@Kylianghd made their first contribution in #15013

Full Changelog: v10.3.7...v10.3.8

projectdiscovery/nuclei-templates v10.3.8 Nuclei Templates v10.3.8 – Release Notes on GitHub

New Templates Added: 457 | CVEs Added: 43 | First-time contributions: 13

🔥 Release Highlights 🔥

What's Changed

Templates Added

New Contributors

projectdiscovery/nuclei-templates v10.3.8
Nuclei Templates v10.3.8 – Release Notes

on GitHub

New Templates Added: `457` | CVEs Added: `43` | First-time contributions: `13`