github projectdiscovery/nuclei-templates v10.3.9
Nuclei Templates v10.3.9 – Release Notes


New Templates Added: 182 | CVEs Added: 116 | First-time contributions: 7

🔥 Release Highlights 🔥

What's Changed

Bug Fixes

False Negatives

  • Fixed false negative in CVE-2025-24963 on Linux targets (Ubuntu/Debian) due to strict /etc/passwd matching (PR #15301, Issue #15205)

False Positives

  • Reduced false positives in wp-wps-hide-login-log template that triggered on non-WordPress SPA sites (PR #15096, Issue #15089)
  • Fixed false positives in CVE-2021-35042 matcher — status_code == 500 alone was triggering on generic 500 pages (PR #15250)
  • Made matchers for weak-csp-detect more granular to avoid duplicate matching results (PR #15123)
  • Improved weak CSP detection logic, fixed matcher conditions and corrected regex typo (PR #15014)

Enhancements

  • Enhanced Cisco UCM username enumeration template to extract usernames, emails, and phone numbers, and added 3 new Cisco UCM templates (PR #15049)
  • Refactored Open WebUI template to make detection more generic (PR #15251)
  • Rewrote templates from RAW HTTP to normal HTTP for clustering support, saving ~150 requests per scan (PR #14743)
  • Added additional path to Tomcat detection for malformed URL error page disclosure (PR #15056)
  • Added various DNS templates — DMARC, SPF, DKIM, etc. (PR #14784)
  • Added ACME Challenge Detect template (PR #15058)

Templates Added

  • [CVE-2026-25892] Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent DoS (@dhiyaneshdk) [high] 🔥
  • [CVE-2026-24128] XWiki Platform Distribution Flavor Main - Cross-Site Scripting (@ritikchaddha) [medium]
  • [CVE-2026-23744] MCPJam Inspector - Remote Code Execution (@louay-075) [critical] 🔥
  • [CVE-2026-22812] OpenCode < 1.0.216 - Unauthenticated Remote Code Execution (@princechaddha) [high] 🔥
  • [CVE-2026-21891] ZimaOS - Authentication Bypass (@dhiyaneshdk) [critical] 🔥
  • [CVE-2026-21877] n8n >= 0.123.0 and < 1.121.3 - Remote Code Execution (@s4e-io) [critical] 🔥
  • [CVE-2026-1731] BeyondTrust Remote Support - Unauthenticated WebSocket RCE (@attackerkb, @hacktron, @pdteam) [critical] (KEV) 🔥
  • [CVE-2026-1207] Django RasterField - SQL Injection (@omarkurt) [high] 🔥
  • [CVE-2026-0594] WordPress List Site Contributors < 1.1.8 - Reflected XSS (@m4sh_wacker) [medium]
  • [CVE-2025-68509] User Submitted Posts <= 20251121 - Unauthenticated Open Redirect (@Shivam Kamboj) [medium]
  • [CVE-2025-66744] Yonyou YonBIP - Path Traversal (@dhiyaneshdk) [high]
  • [CVE-2025-54068] Laravel Livewire v3 - Remote Command Execution (@flame-11) [critical] 🔥
  • [CVE-2025-40551] SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE (@Horizon3.ai) [critical] (KEV) 🔥
  • [CVE-2025-32257] 1 Click WordPress Migration <= 2.2 - Unauthenticated Information Disclosure (@pussycat0x) [medium]
  • [CVE-2025-28242] DAEnetIP4 METO v1.25 - Session Hijacking (@0x_Akoko) [high]
  • [CVE-2025-24786] WhoDB < 0.45.0 - Path Traversal (@basicbeny) [high]
  • [CVE-2025-24582] 12 Step Meeting List < 3.16.6 - Unauthenticated Sensitive Information Exposure (@pussycat0x) [medium]
  • [CVE-2025-22214] Landray EIS - SQL Injection (@ark) [critical]
  • [CVE-2025-15503] Sangfor OSM - Arbitrary File Upload (@ark) [critical]
  • [CVE-2025-14528] D-Link DIR-803 - Authentication Bypass (@dhiyaneshdk) [high] 🔥
  • [CVE-2025-14155] Premium Addons for Elementor - Unauthenticated Information Disclosure (@dhiyaneshdk) [medium]
  • [CVE-2025-13956] LearnPress < 4.3.2 - Broken Access Control (@pussycat0x) [medium]
  • [CVE-2025-13138] WP Directory Kit <= 1.4.3 - Unauthenticated SQL Injection (@Shivam Kamboj) [high]
  • [CVE-2025-11368] LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure (@pussycat0x) [medium]
  • [CVE-2025-10353] Melis Technology Melis Platform - Unrestricted File Upload & Remote Code Execution (@ohmygod20260203) [critical]
  • [CVE-2025-10090] Jinher OA - SQL Injection (@dhiyaneshdk) [high]
  • [CVE-2025-8266] ChanCMS <= 3.1 - Remote Code Execution (@ark) [critical]
  • [CVE-2025-4652] Broadstreet WordPress plugin - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2025-4078] Wangshen SecGate 3600 - Path Traversal (@ark) [medium]
  • [CVE-2025-2611] ICTBroadcast - Command Injection (@Chocapikk) [critical] (vKEV) 🔥
  • [CVE-2025-1338] NUUO Camera <=20250203 - OS Command Injection (@ark) [critical]
  • [CVE-2025-1303] Plugin Oficial – Getnet para WooCommerce <= 1.8.0 - Cross-Site Scripting (@Shivam Kamboj) [medium]
  • [CVE-2025-1232] Site Reviews < 7.2.5 - Unauthenticated Stored XSS (@0x_Akoko) [high]
  • [CVE-2024-43283] Contest Gallery - Broken Access Control (@popcorn94) [medium]
  • [CVE-2024-37259] WP Extended < 3.0.0 - Stored Cross-Site Scripting (@0xanis) [medium]
  • [CVE-2024-32128] WordPress Realtyna Organic IDX Plugin <= 4.14.4 - Unauthenticated SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2024-30490] ProfileGrid <= 5.7.8 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2024-14015] Studiocart <= 2.9.0 - Cross-Site Scripting (@Shivam Kamboj) [medium]
  • [CVE-2024-13727] MemberSpace WordPress - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13634] Post Sync Plugin <= 1.1 - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13630] NewsTicker <= 1.0 - Reflected Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13628] WP Pricing Table - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-13627] OWL Carousel Slider - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13625] Tube Video Ads Lite - Reflected XSS (@Sourabh-Sahu) [high]
  • [CVE-2024-13619] LifterLMS < 8.0.1 - Cross-Site Scripting (@Shivam Kamboj) [medium]
  • [CVE-2024-13609] WordPress 1 Click Migration Plugin < 2.3 - Information Exposure (@pussycat0x) [medium]
  • [CVE-2024-13570] WordPress Stray Random Quotes <= 1.9.9 - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13569] WordPress Front End Users - Reflected XSS (@Sourabh-Sahu) [high]
  • [CVE-2024-13543] Zarinpal Paid Download - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-13492] Guten Free Options - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13352] Legull WordPress - Cross-Site Scripting (@Sourabh-Sahu) [high]
  • [CVE-2024-13331] WP Dream Carousel < 1.0.1b - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13330] JustRows WordPress - Cross-Site Scripting (@Sourabh-Sahu) [high]
  • [CVE-2024-13328] Giga Messenger WordPress - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13327] Musicbox WordPress - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-13326] iBuildApp <= 0.2.0 - Reflected Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13325] Glossy WordPress - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-13226] A5 Custom Login Page - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-13225] ECT Home Page Products - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-13224] SlideDeck 1 Lite Content Slider - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13222] WordPress User Messages <= 1.2.4 - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-13221] Fantastic ElasticSearch Plugin <= 4.1.0 - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13220] WordPress Google Map Professional - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13219] Privacy Policy Genius - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13114] WP Projects Portfolio <= 3.0 - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13112] WP MediaTagger <= 4.1.1 - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13099] Widget4Call WordPress - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13098] WordPress Email Newsletter - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-13097] WP Finance Plugin <= 1.3.6 - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-13094] WP Triggers Lite - Cross-Site Scripting (@Sourabh-Sahu) [high]
  • [CVE-2024-13055] Dyn Business Panel Plugin <= 1.0.0 - Cross-Site Scripting (@Sourabh-Sahu) [high]
  • [CVE-2024-12878] Lazy Blocks <= 3.8.2 - Cross-Site Scripting (@Shivam Kamboj) [medium]
  • [CVE-2024-12873] Custom Field Manager WordPress - Cross-Site Scripting (@Sourabh-Sahu) [medium]
  • [CVE-2024-12749] WordPress Competition Form Plugin <= 2.0 - Cross-Site Scripting (@Sourabh-Sahu) [high]
  • [CVE-2024-12737] WP BASE Booking - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-12734] Advance Post Prefix WordPress plugin - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-12732] AffiliateImporterEb <= 1.0.6 - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-12724] WP DeskLite - Reflected XSS (@Sourabh-Sahu) [medium]
  • [CVE-2024-12638] Bulk Me Now! Plugin <= 2.0 - Cross-Site Scripting (@Sourabh-Sahu) [high]
  • [CVE-2024-12585] PropertyHive < 2.1.1 - Cross-Site Scripting (@Shivam Kamboj) [medium]
  • [CVE-2024-11868] LearnPress < 4.2.7.4 - Course Material - Information Disclosure (@pussycat0x) [medium]
  • [CVE-2024-10152] Simple Certain Time to Show Content - Cross-Site Scripting (@Sourabh-Sahu) [high]
  • [CVE-2024-8943] LatePoint <= 5.0.12 - Authentication Bypass (@daffainfo) [critical] (vKEV) 🔥
  • [CVE-2024-8911] LatePoint <= 5.0.11 - SQL Injection (@daffainfo) [critical] (vKEV) 🔥
  • [CVE-2024-6671] WhatsUp Gold GetStatisticalMonitorList SQL Injection - Authentication Bypass (@daffainfo, @jjcho) [critical] (vKEV) 🔥
  • [CVE-2024-6265] UsersWP <= 1.2.10 - Unauthenticated SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2024-6250] LOLLMS WebUI - Absolute Path Traversal (@ritikchaddha) [high] 🔥
  • [CVE-2024-5483] LearnPress < 4.2.6.8.1 - Information Disclosure (@pussycat0x) [medium]
  • [CVE-2024-5333] WordPress Events Calendar 6.8.2.1 - Information Disclosure (@dhiyaneshdk) [medium]
  • [CVE-2024-3605] WP Hotel Booking <= 2.1.0 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2024-3408] D-Tale 3.10.0 - 3.15.1 - Authentication Bypass & Remote Code Execution (@ohmygod20260203) [critical]
  • [CVE-2024-3231] Popup4Phone <= 1.3.2 - Unauthenticated Stored Cross-Site Scripting (@Shivam Kamboj) [medium]
  • [CVE-2024-1751] Tutor LMS <= 2.1.10 - SQL Injection (@Shivam Kamboj) [high]
  • [CVE-2024-0705] Stripe Payment Plugin for WooCommerce <= 3.7.9 - Unauthenticated SQL Injection (@Shivam Kamboj) [critical] 🔥
  • [CVE-2023-45648] Apache Tomcat - HTTP Request Smuggling (@0x_Akoko) [medium]
  • [CVE-2023-44982] WordPress Perfect Images (WP Retina 2x) < 6.4.6 - Sensitive Information Exposure (@pussycat0x) [medium]
  • [CVE-2023-35708] MOVEit Transfer - SQL Injection (@daffainfo, @jjcho) [critical] (vKEV) 🔥
  • [CVE-2023-28787] Quiz and Survey Master <= 8.1.4 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2023-24000] WordPress GamiPress <= 2.5.7 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2023-6970] WP Recipe Maker <= 9.1.0 - Reflected XSS via Referer Header (@Shivam Kamboj) [medium]
  • [CVE-2023-5204] WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2023-3197] WordPress MStore API <= 4.0.1 - Unauthenticated SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2022-45836] WordPress Download Manager <= 3.2.59 - Reflected XSS (@Shivam Kamboj) [high]
  • [CVE-2022-31678] VMware Cloud Foundation NSX-V - XML External Entity (XXE) (@daffainfo) [critical] (vKEV) 🔥
  • [CVE-2022-29495] WordPress Popup Builder <= 4.1.11 - Cross-Site Request Forgery (@Shivam Kamboj) [medium]
  • [CVE-2022-28987] Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration (@ritikchaddha) [medium]
  • [CVE-2022-3254] AWP Classifieds <= 4.2.1 - Unauthenticated SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2022-3236] Sophos Firewall <= 19.0 MR1 - Remote Code Execution (@daffainfo) [critical] (KEV) 🔥
  • [CVE-2021-41097] Aurelia-Path < 1.1.7 - Prototype Pollution (@0x_Akoko) [high]
  • [CVE-2021-24786] Download Monitor < 4.4.5 - SQL Injection (@mrharsh) [high]
  • [CVE-2021-24139] 10Web Photo Gallery < 1.5.55 - SQL Injection (@riteshs4hu) [critical]
  • [CVE-2021-22017] vCenter Server - Improper Access Control (@daffainfo) [medium] (KEV) 🔥
  • [CVE-2020-37123] Pinger 1.0 - Remote Code Execution (@bswearingen) [critical]
  • [CVE-2019-13608] Citrix StoreFront Server - XML External Entity (@daffainfo) [high] (KEV) 🔥
  • [CVE-2018-16363] WordPress File Manager < 3.0 - Cross-Site Scripting (@Shivam Kamboj) [medium]
  • [CVE-2017-9841] PHPUnit - Remote Code Execution (@Random_Robbie, @pikpikcu) [critical] (KEV) 🔥
  • [k8s-clusterrole-nodes-proxy-rce] ClusterRoles with Risky nodes/proxy GET Permission (@princechaddha) [high]
  • [aaaa-fingerprint] AAAA Record - IPv6 Detection (@rxerium) [info]
  • [acme-challenge-detect] ACME DNS Challenge - Detect (@rxerium) [info]
  • [srv-service-detect] SRV Record Service - Detect (@rxerium) [info]
  • [tlsa-record-detect] TLSA Record - DANE Detection (@rxerium) [info]
  • [wildcard-dns-detect] Wildcard DNS Configuration - Detection (@rxerium) [info]
  • [gude-default-login] GUDE - Default Login (@Bretss) [high]
  • [rustdesk-webclient-default-login] RustDesk Web Client - Default Login (@0x_Akoko) [high]
  • [checkmate-panel] Checkmate Login Panel - Detect (@theamanrawat) [info]
  • [cisco-ucm-selfcare-portal] Cisco Unified Communications Self-Service User Portal - Detection (@morgan Robertson) [info]
  • [cloudflare-access-panel] Cloudflare Access - Login Panel Detection (@rxerium) [info]
  • [dokploy-panel] Dokploy Login Panel - Detect (@theamanrawat) [info]
  • [flexnet-operations-panel] FlexNet Operations Panel - Detect (@righettod) [info]
  • [headlamp-panel] Headlamp Kubernetes UI Panel - Detect (@shamo0) [medium]
  • [rails-admin-dashboard-exposure] RailsAdmin Dashboard Exposure (@0x_Akoko) [high]
  • [resa-vista-panel] RESA Vista Panel - Detect (@righettod) [info]
  • [sap-management-console-panel] SAP Management Console - Panel (@lrvt, @l4rm4nd) [info]
  • [smartermail-panel] SmarterMail Login Panel - Detect (@rxerium) [info]
  • [freshrss-fever-api] FreshRSS Fever API - Exposure (@ritikchaddha) [low]
  • [sweetrice-backup-disclosure] SweetRice CMS 1.5.1 - Backup Disclosure (@mananispiwpiw) [medium]
  • [cpanel-backup-exclude-exposure] cPanel Backup Exclusion Configuration - Exposure (@0x_Akoko) [info]
  • [dockerrun-aws-json-exposure] AWS Elastic Beanstalk Dockerrun.aws.json - Exposure (@0x_Akoko) [medium]
  • [exposed-filezilla-config] Exposed FileZilla Configuration File - Exposure (@pussycat0x) [medium]
  • [hp-laserjet-config] HP LaserJet Configuration Exposure (@dhiyaneshdk) [medium]
  • [openvpn-as-config-exposure] OpenVPN Access Server - Configuration Exposure (@0x_Akoko) [high]
  • [llms-file-enum] llms.txt - Enumeration (@ritikchaddha) [info]
  • [wp-links-opml] WordPress wp-links-opml.php - Version Disclosure (@princechaddha) [info]
  • [craftcms-log-disclosure] Craft CMS - Log File Disclosure (@pussycat0x) [medium]
  • [cacti-guest-access-enabled] Cacti - Guest User Access Enabled (@dhiyaneshdk) [medium]
  • [craftcms-debug-exposure] CraftCMS Debug Methods Exposed (@0x_Akoko) [medium]
  • [craftcms-install-exposure] Craft CMS Installation Wizard Exposure (@0x_Akoko) [high]
  • [sap-abapreadsyslog-disclosure] SAPControl ABAPReadSyslog - Disclosure (@lrvt, @l4rm4nd) [medium]
  • [sap-getenvironment-disclosure] SAPControl GetEnvironment - Disclosure (@lrvt, @l4rm4nd) [medium]
  • [sap-getinstanceproperties-disclosure] SAPControl Webmethods - Disclosure (@lrvt, @l4rm4nd) [medium]
  • [sap-getversion-info] SAPControl GetVersionInfo - Detect (@lrvt, @l4rm4nd) [info]
  • [sap-listconfigfiles-disclosure] SAPControl ListConfigFiles - Disclosure (@lrvt, @l4rm4nd) [medium]
  • [sap-listlogfiles-disclosure] SAPControl ListLogFiles - Disclosure (@lrvt, @l4rm4nd) [medium]
  • [sap-osexecute-rce] SAPControl OSExecute - Remote Code Execution (RCE) (@lrvt, @l4rm4nd) [critical]
  • [sap-readconfig-disclosure] SAPControl Read DEFAULT.PFL - Disclosure (@lrvt, @l4rm4nd) [medium]
  • [sap-readlogfile-disclosure] SAPControl ReadDeveloperTrace Log - Disclosure (@lrvt, @l4rm4nd) [medium]
  • [wordpress-events-manager-fpd] WordPress Events Manager - Full Path Disclosure (@dhiyaneshdk) [low]
  • [wordpress-joinchat-fpd] WordPress Joinchat - Full Path Disclosure (@dhiyaneshdk) [low]
  • [wordpress-rocket-lazy-load-fpd] WordPress LazyLoad Plugin - Full Path Disclosure (@dhiyaneshdk) [low]
  • [wordpress-simple-social-icons-fpd] WordPress Simple Social Icons - Full Path Disclosure (@dhiyaneshdk) [low]
  • [wp-h5vp-fpd] WordPress H5VP Plugin - Full Path Disclosure (@theamanrawat) [low]
  • [a-blog-cms-detect] a-blog cms - Detect (@Shivam Kamboj) [info]
  • [apache-tika-detect] Apache Tika - Detection (@icarot) [info]
  • [apostrophecms-detect] ApostropheCMS - Detect (@Shivam Kamboj) [info]
  • [appdynamics-rum-detect] AppDynamics (Cisco) RUM - Detect (@Shivam Kamboj) [info]
  • [cisco-ucm-detect] Cisco Unified Communications Manager - Detect (@morgan Robertson) [info]
  • [cmsimple-detect] CMSimple - Detect (@Shivam Kamboj) [info]
  • [datadog-rum-detect] Datadog Browser RUM - Detect (@Shivam Kamboj) [info]
  • [dynatrace-rum-detect] Dynatrace RUM - Tech Detect (@Shivam Kamboj) [info]
  • [launchdarkly-detect] LaunchDarkly - Detect (@Shivam Kamboj) [info]
  • [livewire-detect] Laravel Livewire - Detect (@Shivam Kamboj) [info]
  • [materialize-css-detect] Materialize CSS - Detect (@Shivam Kamboj) [info]
  • [meteor-detect] Meteor.js Framework - Detect (@Shivam Kamboj) [info]
  • [mixpanel-detect] Mixpanel Analytics - Detect (@Shivam Kamboj) [info]
  • [posthog-rum-detect] PostHog Browser RUM - Detect (@Shivam Kamboj) [info]
  • [sap-message-server-console] SAP Message Server Console - Exposure (@lrvt, @l4rm4nd) [info]
  • [sap-message-server-detect] SAP Message Server HTTP - Detect (@lrvt, @l4rm4nd) [info]
  • [semantic-ui-detect] Semantic UI Framework - Detect (@Shivam Kamboj) [info]
  • [zurb-foundation-detect] ZURB Foundation Framework - Detect (@Shivam Kamboj) [info]
  • [cisco-ucm-cluster-enum] Cisco Unified Communications Manager - Cluster Enumeration (@morgan Robertson) [low]
  • [confluence-xslt-macro-ssrf] Atlassian Confluence XSLT Macro - Server-Side Request Forgery (@ritikchaddha) [high]
  • [wpml-multilingual-cms-xss] WordPress WPML Multilingual CMS < 4.6.1 - Cross-Site Scripting (@ritikchaddha) [high]

New Contributors

Full Changelog: v10.3.8...v10.3.9
