github projectdiscovery/nuclei-templates v10.4.0
Nuclei Templates v10.4.0 – Release Notes

New Templates Added: 94 | CVEs Added: 47 | First-time contributions: 12

What's Changed

Bug Fixes

False Negatives

  • Fixed exposed-svn.yaml failing to detect valid SVN repositories despite receiving 200 OK responses (Issue #15060)

Enhancements

  • Enriched classification metadata (CVE IDs, CVSS scores, CPEs, NVD references) across multiple templates (PRs #15578, #15589, #15369, #15370, #15371)
  • Updated ClawdBot Gateway exposure template with improved detection logic (PR #15548)
  • Renamed Forcepoint Login panel template to follow naming conventions (PR #15582)

Templates Added

  • [CVE-2026-27971] Qwik - Unauthenticated RCE via server$ Deserialization (@omarkurt) [critical] 🔥
  • [CVE-2026-27944] Nginx UI < 2.3.3 - Information Disclosure (@omarkurt) [critical] 🔥
  • [CVE-2026-27645] Changedetection.io RSS Single Watch - Cross-Site Scripting (@0x_Akoko) [medium]
  • [CVE-2026-25512] Group-Office < 26.0.5 - Remote Code Execution (@omarkurt) [critical]
  • [CVE-2026-23829] Mailpit < 1.28.2 - SMTP CRLF Injection (@omarkurt) [medium]
  • [CVE-2026-2413] Ally – Web Accessibility & Usability <= 4.0.3 - SQL Injection (@Shivam Kamboj) [high]
  • [CVE-2026-1603] Ivanti Endpoint Manager - Authentication Bypass (@dhiyaneshdk, @watchtowrlabs) [high] (KEV) (vKEV) 🔥
  • [CVE-2026-1492] WordPress User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation (@omarkurt) [critical] (vKEV) 🔥
  • [CVE-2026-1357] WPvivid Backup & Migration <= 0.9.123 - Arbitrary File Upload (@omarkurt) [critical] (vKEV) 🔥
  • [CVE-2026-0829] Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending (@0x_Akoko) [high]
  • [CVE-2026-0770] Langflow < 1.3.0 - Remote Code Execution via validate_code() exec() (@affix) [critical] (vKEV) 🔥
  • [CVE-2025-71243] SPIP Saisies - Remote Code Execution (@omarkurt) [critical] 🔥
  • [CVE-2025-69971] FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass (@trader642) [critical]
  • [CVE-2025-64328] FreePBX >= 17.0.2.36 && < 17.0.3 - Authenticated Command Injection (@_th3y) [critical] (KEV) (vKEV) 🔥
  • [CVE-2025-62780] ChangeDetection.io <= v0.50.33 - Stored XSS via Watch API (@0x_Akoko) [medium]
  • [CVE-2025-62613] VDO.Ninja - DOM-Based Cross-Site Scripting (@0x_Akoko) [medium]
  • [CVE-2025-54726] WordPress JS Archive List <= 6.1.5 - SQL Injection (@Shivam Kamboj) [high]
  • [CVE-2025-48281] MyStyle Custom Product Designer <= 3.21.1 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2025-40554] SolarWinds Web Help Desk - Authentication Bypass (@Bushi-gg) [critical] 🔥
  • [CVE-2025-40552] SolarWinds Web Help Desk - Authentication Bypass (@watchtowr, @dhiyaneshdk) [critical] 🔥
  • [CVE-2025-40536] SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass (@inokii) [high] (KEV) (vKEV) 🔥
  • [CVE-2025-32355] Rocket TRUfusion Enterprise - Server Side Request Forgery (@princechaddha, @rcesecurity, @dhiyaneshdk) [high]
  • [CVE-2025-27506] NocoDB < 0.258.0 - Reflected XSS in Password Reset (@0x_Akoko) [medium]
  • [CVE-2025-22785] Course Booking System <= 6.0.6 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2024-43965] SendGrid for WordPress <= 1.4 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2024-37261] WP-Lister Lite for Amazon <= 2.6.16 - Cross-Site Scripting (@Kazgangap) [medium] (vKEV) 🔥
  • [CVE-2024-30502] WP Travel Engine <= 5.7.9 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2024-30498] CRM Perks Forms <= 1.1.4 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2024-30464] WPZOOM Social Icons Widget <= 4.2.15 - Missing Authorization (@pussycat0x) [medium]
  • [CVE-2024-12025] WordPress Collapsing Categories <= 3.0.8 - SQL Injection (@Shivam Kamboj) [high]
  • [CVE-2024-9765] EKC Tournament Manager WordPress plugin - Path Traversal (@Sourabh-Sahu) [medium]
  • [CVE-2024-9643] Four-Faith F3x36 - Authentication Bypass (@trader642) [critical] (vKEV) 🔥
  • [CVE-2024-8625] WordPress TS Poll < 2.4.0 - SQL Injection (@riteshs4hu) [high]
  • [CVE-2023-50839] JS Help Desk <= 2.8.1 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2023-40600] EWWW Image Optimizer <= 7.2.0 - Unauthenticated Information Disclosure (@Shivam Kamboj) [medium]
  • [CVE-2023-32590] Subscribe to Category <= 2.7.4 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2023-7337] JS Help Desk <= 2.8.2 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2023-6030] LogDash Activity Log <= 1.1.3 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2023-5652] WP Hotel Booking <= 2.0.7 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2023-5203] WP Sessions Time Monitoring Full Automatic <= 1.0.8 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2023-3643] CAREL Boss Mini <= 1.4.0 - Local File Inclusion (@Kazgangap) [critical]
  • [CVE-2023-3452] WordPress Canto Plugin <= 3.0.4 - File Inclusion (@omarkurt) [critical] 🔥
  • [CVE-2022-44588] Cryptocurrency Widgets Pack <= 1.8.1 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2022-1453] RSVPMaker <= 9.2.5 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2022-0439] Email Subscribers & Newsletters <= 5.3.1 - Authenticated SQL Injection (@Shivam Kamboj) [high]
  • [CVE-2021-28481] Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound) (@daffainfo) [critical] (vKEV) 🔥
  • [CVE-2021-28480] Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound) (@daffainfo) [critical] 🔥
  • [apache-syncope-default-login] Apache Syncope - Default Login (@icarot) [high]
  • [circutor-default-login] Circutor Line-TCPRS1 - Default Login (@s4e-io) [high]
  • [gitness-default-login] Gitness - Default Login (@0x_Akoko) [high]
  • [carel-boss-mini-panel] CAREL Boss Mini - Login Panel Detected (@Kazgangap) [info]
  • [hpe-autopass-panel] HPE AutoPass License Server - Panel Detection (@Kylianghd) [info]
  • [recoverpoint-panel] Dell EMC RecoverPoint Panel - Detect (@rxerium) [info]
  • [ypareo-panel] YPAREO Panel - Detect (@righettod) [info]
  • [interswitch-webpay] Interswitch Webpay - Credentials Exposure (@LloydCoder) [info]
  • [paystack-secret-live] Paystack Secret/Live Key - Exposure (@LloydCoder) [info]
  • [remita-credentials] Remita Merchant ID & API Key - Exposure (@LloydCoder) [low]
  • [sportybet-api] SportyBet / BetKing Admin or API Token - Exposure (@LloydCoder) [info]
  • [wix-detect] Wix Detection (@chirag Mistry) [info]
  • [apache-syncope-detect] Apache Syncope - Detect (@icarot) [info]
  • [bentoml-detect] BentoML Prediction Service - Detection (@rxerium) [info]
  • [bigcommerce-detect] BigCommerce Detection (@chirag Mistry) [info]
  • [bitrix-detect] Bitrix Detection (@chirag Mistry) [info]
  • [blogger-detect] Blogger Detection (@chirag Mistry) [info]
  • [cloudflare-speedtest] Cloudflare Speedtest - Detect (@dhiyaneshdk) [info]
  • [comfyui-detect] ComfyUI - Detect (@rxerium) [info]
  • [concrete5-detect] Concrete5 Detection (@chirag Mistry) [info]
  • [django-detect] Django Detection (@chirag Mistry) [info]
  • [jaeger-eol] Jaeger End-of-Life - Detect (@Shivam Kamboj) [info]
  • [msexchange-eol] Microsoft Exchange Server End-of-Life - Detect (@Shivam Kamboj) [info]
  • [plesk-eol] Plesk End-of-Life - Detect (@Shivam Kamboj) [info]
  • [squid-eol] Squid End-of-Life - Detect (@Shivam Kamboj) [info]
  • [wordpress-eol] WordPress End-of-Life - Detect (@Shivam Kamboj) [info]
  • [expressionengine-detect] ExpressionEngine Detection (@chirag Mistry) [info]
  • [feast-detect] Feast Feature Store - Detect (@rxerium) [info]
  • [flask-detect] Flask Detection (@chirag Mistry) [info]
  • [mezzanine-cms-detect] Mezzanine CMS - Detect (@chirag Mistry) [info]
  • [opencart-detect] OpenCart Detection (@chirag Mistry) [info]
  • [openspeedtest-speedtest] OpenSpeedTest - Detect (@dhiyaneshdk) [info]
  • [oscommerce-detect] osCommerce Detection (@chirag Mistry) [info]
  • [pocketbase-detect] PocketBase Detection (@aykutgokbulut) [info]
  • [portkey-ai-detect] Portkey AI Detection (@rxerium) [info]
  • [prefect-detect] Prefect - Detect (@rxerium) [info]
  • [shopify-detect] Shopify Detection (@chirag Mistry) [info]
  • [silverstripe-detect] SilverStripe Detection (@chirag Mistry) [info]
  • [squarespace-detect] Squarespace Detection (@chirag Mistry) [info]
  • [weaviate-console-detect] Weaviate Console - Detect (@rxerium) [info]
  • [weebly-detect] Weebly Detection (@chirag Mistry) [info]
  • [user-registration] WordPress User Registration & Membership Plugin Detection (@omarkurt) [info]
  • [limesurvey-open-redirect] LimeSurvey - Open Redirect via editorLink (@melvin Lammerts) [medium]
  • [dagu-rce] Dagu Workflow Engine - Remote Code Execution (@omarkurt) [critical]
  • [gradio-file-redirect] Gradio - Open Redirect (@neo-ai-engineer, @dhiyaneshdk) [low]
  • [vlife-fastjson-rce] Vlife FastJSON - Remote Code Execution (@omarkurt) [critical]
  • [maverick-ssh-detect] Maverick SSH Service - Detect (@johnk3r) [info]

Full Changelog: v10.3.9...v10.4.0
