projectdiscovery/nuclei-templates v10.4.1

Nuclei Templates v10.4.1 – Release Notes

on GitHub

New Templates Added: 76 | CVEs Added: 42 | First-time contributions: 10

🔥 Release Highlights 🔥

• [CVE-2026-32596] Glances - Information Disclosure (@theamanrawat) [high] 🔥
• [CVE-2026-31816] Budibase - Authentication Bypass (@theamanrawat) [critical] 🔥
• [CVE-2026-27483] MindsDB - Remote Code Execution (@thewhiteh4t) [high] 🔥
• [CVE-2026-24477] AnythingLLM - Information Disclosure (@dhiyaneshdk) [high] 🔥
• [CVE-2026-22739] Spring Cloud Config Server - Path Traversal (@0x_Akoko, @vulnh0lic) [high] 🔥
• [CVE-2026-21445] Langflow - Broken Access Control (@dhiyaneshdk) [critical] 🔥
• [CVE-2026-3055] Citrix NetScaler SAML IDP - Memory Overread (@watchtowr, @shaikhyaser, @dhiyaneshdk) [critical] (kev) (vKEV) 🔥
• [CVE-2026-1581] wpForo Forum <= 2.4.14 - SQL Injection (@Shivam Kamboj) [critical] (kev) (vKEV) 🔥
• [CVE-2025-71260] BMC FootPrints - Deserialization of Untrusted Data (RCE) (@watchtowr, @dhiyaneshdk) [critical] 🔥
• [CVE-2025-68043] LottieFiles WordPress Plugin <= 3.0.0 - Missing Authorization (@pussycat0x) [high] 🔥
• [CVE-2025-32463] Sudo - Local Privilege Escalation via chroot (@SeungAh-Hong) [critical] (kev) (vKEV) 🔥
• [CVE-2025-14437] WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File (@pussycat0x) [high] 🔥
• [CVE-2025-6984] langchain-ai langchain - XML External Entity Injection (@nukunga) [high] 🔥
• [CVE-2025-5947] Service Finder Bookings - Authentication Bypass (@sedat4ras) [critical] (kev) (vKEV) 🔥
• [CVE-2024-43144] Cost Calculator Builder <= 3.2.15 - SQL Injection (@Shivam Kamboj) [critical] 🔥
• [CVE-2023-34092] Vite Dev Server - Information Exposure (@ritikchaddha) [high] 🔥

What's Changed

Bug Fixes

• Fixed invalid hostname generation affecting template execution (PR #15641, Issue #15624).
• Fixed extractor DSL by adding a missing condition (PR #15729).
• Moved CVE-2026-23829 from http to the correct network folder (PR #15738, Issue #15633).
• Fixed reference URLs in CVE-2025-66516 (PR #15646).

False Negatives

• Improved detection in FTP Service - Credential Weakness template, reducing underreporting (PR #15726, Issue
  #15681).
• Addressed false negative in CVE-2024-3273 detection (Issue #15654).
• Addressed false negative in CVE-2021-25032 detection (Issue #13647).

False Positives

• Reduced false positives and improved accuracy in the following templates:
  • CVE-2025-71243 — excluded pages that echo back user input (PR #15665).
  • CVE-2025-66516 — tightened matcher logic (PR #15581).
  • CVE-2023-5652 (PR #15622).
  • CVE-2023-7337 (PR #15620).
  • CVE-2022-21587 — added matchers-condition: and (PR #15621).
  • CVE-2009-1872 ColdFusion fingerprint (PR #15601).
  • CVE-2002-1131 SquirrelMail fingerprint (PR #15595).
  • CVE-2021-35042 (Issue #15241).
  • flexnet-operations-panel — reduced high false positive rate (PR #15600).
  • mercurial-hgignore — added text/xml and <?xml to negative matchers (PR #15623).
  • aws-bucket-takeover — excluded S3 account regional namespace buckets (PR #15608).
  • hubspot-takeover — switched to header-based detection for NotFoundResolver (PR #15583).

Enhancements

• Enriched classification metadata and renamed CVE-2020-15718 (PR #15677).
• Updated classification metadata for CVE-2024-55550 (PR #15666).
• Updated classification metadata for CVE-2024-13726 (PR #15648).
• Updated apache-activemq-artemis-detect.yaml detection logic (PR #15717).
• Applied AI-assisted tagging improvements across multiple templates (PR #15571).

Templates Added

• [CVE-2026-33868] Mastodon - Open Redirect (@theamanrawat) [medium] 🔥
• [CVE-2026-32596] Glances - Information Disclosure (@theamanrawat) [high] 🔥
• [CVE-2026-32583] Webnus Inc. Modern Events Calendar - Broken Access Control (@theamanrawat) [medium] 🔥
• [CVE-2026-31816] Budibase - Authentication Bypass (@theamanrawat) [critical] 🔥
• [CVE-2026-30928] Glances - Information Disclosure (@theamanrawat) [high] 🔥
• [CVE-2026-28288] Dify User Enumeration via Observable Response Discrepancy (@dhiyaneshdk) [medium] 🔥
• [CVE-2026-27483] MindsDB - Remote Code Execution (@thewhiteh4t) [high] 🔥
• [CVE-2026-24477] AnythingLLM - Information Disclosure (@dhiyaneshdk) [high] 🔥
• [CVE-2026-22739] Spring Cloud Config Server - Path Traversal (@0x_Akoko, @vulnh0lic) [high] 🔥
• [CVE-2026-21445] Langflow - Broken Access Control (@dhiyaneshdk) [critical] 🔥
• [CVE-2026-3055] Citrix NetScaler SAML IDP - Memory Overread (@watchtowr, @shaikhyaser, @dhiyaneshdk) [critical] (kev) (vKEV) 🔥
• [CVE-2026-2025] Mail Mint < 1.19.5 - Unauthenticated Email Disclosure (@0x_Akoko) [high]
• [CVE-2026-1581] wpForo Forum <= 2.4.14 - SQL Injection (@Shivam Kamboj) [critical] (kev) (vKEV) 🔥
• [CVE-2026-1557] WP Responsive Images <= 1.0 - Arbitrary File Read (@Shivam Kamboj) [high]
• [CVE-2026-1405] WordPress Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload (@pussycat0x) [critical]
• [CVE-2026-1306] WordPress midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload (@pussycat0x) [critical]
• [CVE-2026-1296] Frontend Post Submission Manager Lite <= 1.2.7 - Open Redirect (@Shivam Kamboj) [medium]
• [CVE-2026-1277] URL Shortify <= 1.12.1 - Open Redirect (@Shivam Kamboj) [medium]
• [CVE-2026-0926] Prodigy Commerce <= 3.3.0 - Local File Inclusion (@Shivam Kamboj) [critical]
• [CVE-2025-71260] BMC FootPrints - Deserialization of Untrusted Data (RCE) (@watchtowr, @dhiyaneshdk) [critical] 🔥
• [CVE-2025-71259] BMC FootPrints 'feedUrl' - Server-Side Request Forgery (@watchtowr, @dhiyaneshdk) [high] 🔥
• [CVE-2025-71258] BMC FootPrints 'searchWeb' - Server-Side Request Forgery (@watchtowr, @dhiyaneshdk) [high] 🔥
• [CVE-2025-71257] BMC FootPrints - Authentication Bypass (@watchtowr, @dhiyaneshdk) [medium] 🔥
• [CVE-2025-68602] Accept Donations with PayPal <= 1.5.2 - Open Redirect (@Shivam Kamboj) [medium]
• [CVE-2025-68043] LottieFiles WordPress Plugin <= 3.0.0 - Missing Authorization (@pussycat0x) [high] 🔥
• [CVE-2025-62512] Piwigo - User Enumeration via Password Reset (@dhiyaneshdk) [medium] 🔥
• [CVE-2025-62126] WordPress Varnish/Nginx Proxy Caching <= 1.8.3 - Information Exposure (@pussycat0x) [medium]
• [CVE-2025-59716] ownCloud Guests - User Enumeration (@dhiyaneshdk) [medium] 🔥
• [CVE-2025-58044] JumpServer - Open Redirect via Referer Header (@dhiyaneshdk) [medium] 🔥
• [CVE-2025-54793] Astro SSR - Open Redirect (@dhiyaneshdk) [medium] 🔥
• [CVE-2025-46565] Vite Dev Server - Information Exposure (@ritikchaddha) [medium] 🔥
• [CVE-2025-32463] Sudo - Local Privilege Escalation via chroot (@SeungAh-Hong) [critical] (kev) (vKEV) 🔥
• [CVE-2025-14437] WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File (@pussycat0x) [high] 🔥
• [CVE-2025-13920] WP Directory Kit < 1.5.0 - Unauthenticated Email Exposure (@0x_Akoko) [medium]
• [CVE-2025-6984] langchain-ai langchain - XML External Entity Injection (@nukunga) [high] 🔥
• [CVE-2025-5947] Service Finder Bookings - Authentication Bypass (@sedat4ras) [critical] (kev) (vKEV) 🔥
• [CVE-2025-4576] Liferay Portal & DXP - Cross-Site Scripting (@xtr0nix) [medium] 🔥
• [CVE-2024-57241] DedeCMS - Open Redirect via download.php (@0x_Akoko) [medium]
• [CVE-2024-43144] Cost Calculator Builder <= 3.2.15 - SQL Injection (@Shivam Kamboj) [critical] 🔥
• [CVE-2023-34092] Vite Dev Server - Information Exposure (@ritikchaddha) [high] 🔥
• [CVE-2022-1692] CP Image Store with Slideshow <= 1.0.67 - SQL Injection (@Shivam Kamboj) [critical]
• [CVE-2020-15718] RosarioSIS 6.7.2 - Cross-Site Scripting (@0xr2r, @jarvis-survives) [medium]
• [unquoted-service-paths] Unquoted Service Paths (@domwhewell-sage) [high]
• [alfresco-default-login] Alfresco - Default Admin Credentials (@0x_Akoko) [high]
• [apache-polaris-default-login] Apache Polaris - Default Login (@icarot) [high]
• [brickcom-camera-default-login] Brickcom Camera - Default Login (@0x_Akoko) [high]
• [casdoor-default-login] Casdoor - Default Admin Credentials (@0x_Akoko) [high]
• [doccano-default-login] Doccano - Default Login (@0x_Akoko) [high]
• [harbor-default-login] Harbor Registry - Default Admin Credentials (@0x_Akoko) [high]
• [homebridge-default-login] Homebridge - Default Admin Credentials (@0x_Akoko) [high]
• [ilias-default-login] ILIAS LMS - Default Admin Credentials (@0x_Akoko) [high]
• [limesurvey-default-login] LimeSurvey - Default Admin Credentials (@0x_Akoko) [high]
• [ntopng-default-login] ntopng - Default Login (@0x_Akoko) [high]
• [openproject-default-login] OpenProject - Default Admin Credentials (@0x_Akoko) [high]
• [pfsense-default-login] pfSense - Default Admin Credentials (@0x_Akoko) [high]
• [redmine-default-login] Redmine - Default Admin Credentials (@0x_Akoko) [high]
• [xerox-default-login] Xerox Fuji/VersaLink - Default Login (@dhiyaneshdk) [high]
• [arcane-login-panel] Arcane Login Panel - Detect (@Kazgangap) [info]
• [budibase-login-detect] Budibase Login Panel - Detect (@theamanrawat) [info]
• [odoo-website-info-exposure] Odoo Website - Information Disclosure (@aushack) [info]
• [xerox-panel] Xerox Fuji/VersaLink Login - Panel (@dhiyaneshdk) [info]
• [apache-polaris-metrics-exposure] Apache Polaris - Information Disclosure (@icarot) [medium]
• [remote-spark-gateway-config] Remote Spark Gateway Configuration/Credentials - Exposure (@domwhewell-sage) [medium]
• [google-gemini-key-exposure] Google Gemini API Key - Exposure (@mestizo) [high]
• [brickcom-camera-unauth-snapshot] Brickcom Camera - Unauthenticated Snapshot Access (@0xr2r) [high]
• [graphiql-exposure] GraphiQL - Exposure (@vincent Olagbemide) [low]
• [ghost-cms-installer] Ghost CMS Installation Setup - Exposure (@0x_Akoko) [high]
• [mistserver-installer] MistServer Installation Wizard - Exposure (@dhiyaneshdk) [high]
• [synology-dsm-system-info] Synology DSM System Info - Detect (@dhiyaneshdk) [info]
• [confluence-eol] Atlassian Confluence End-of-Life - Detect (@Shivam Kamboj) [info]
• [forgejo-eol] Forgejo End-of-Life - Detect (@Shivam Kamboj) [info]
• [leantime-detect] Leantime - Detect (@icarot) [info]
• [litellm-swagger-detect] LiteLLM API - Swagger UI Detection (@rxerium) [info]
• [rustfs-detect] Rustfs - Detect (@icarot) [info]
• [wyse-devicegroup-register] Dell Wyse Management Suite - Unauthenticated Device Registration (@dhiyaneshdk) [high]
• [sanhuismg-radius-rce] Synway SMG Gateway 9-2radius.php - Remote Command Execution (@chenkh) [critical]

New Contributors

• @thewhiteh4t made their first contribution in #15568
• @vincentayorinde made their first contribution in #15615
• @J-Run made their first contribution in #15600
• @jarvis-survives made their first contribution in #15309
• @venjaku made their first contribution in #15608
• @SrFlipFlop made their first contribution in #15583
• @mestizo made their first contribution in #15652
• @xtronix2000 made their first contribution in #15706
• @whatyourname12345 made their first contribution in #15661
• @sedat4ras made their first contribution in #15656

Full Changelog: v10.4.0...v10.4.1