github projectdiscovery/nuclei-templates v10.4.2
Nuclei Templates v10.4.2 – Release Notes

New Templates Added: 121 | CVEs Added: 61 | First-time contributions: 15

What's Changed

Bug Fixes

False Negatives

  • Fixed false negatives in CVE-2024-8529 (LearnPress SQLi): body matchers were unreliable for blind SQLi responses and a randstr bypass was added to defeat DB query cache (Issue #15768, PR #15844).

False Positives

  • Reduced extremely high false positives in credentials-disclosure template caused by over-permissive [\w-]+ value regex with no minimum length enforcement, flagging short UI strings like "ClientSecret":"Client" as credential leaks (Issue #15563, PR #15845).
  • Reduced false positives in the Apache ActiveMQ Artemis Console Default Login template; tightened the matcher to require a valid JSON login response containing the expected artemis username (Issue #15762, PR #15861).
  • Resolved false positives in molgenis-default-login template triggered by JSESSIONID cookies on custom 404 pages (Issue #12603).
  • Removed false positive subdomain takeover detection templates for Netlify, Shopify, Azure Azurewebsites, Cloudapp, and Trafficmanager - these services are no longer vulnerable due to enforced TXT verification, deprecation, or claimed namespace blocking (PR #15724).
  • Fixed false positive webpack-config detection triggered by SPA catch-all routing (PR #15869).
  • Improved CVE-2022-3254 matchers to reduce false positives on HTML error responses (PR #15840).
  • Fixed false positives in CVE-2024-52762 (PR #15833).
  • Fixed false positives in CVE-2025-49113 (PR #15777).

Enhancements

  • Refactored matchers in CVE-2024-42009 for improved detection accuracy (PR #15835).
  • Added and normalized CWE metadata across HTTP templates (PR #15804).
  • Added additional EOL version entries to end-of-life detection templates (PR #15891).
  • Updated CVE-2025-30208 detection coverage (PR #15784).

Templates Added

  • [CVE-2026-39987] Marimo <= 0.20.4 - Pre-Auth Terminal WebSocket RCE (@ritikchaddha) [critical] 🔥 (vKEV)
  • [CVE-2026-39365] Vite Dev Server - Path Traversal in Optimized Deps .map Handling (@theamanrawat) [medium] 🔥
  • [CVE-2026-39364] Vite Dev Server - Directory Traversal (@ritikchaddha) [high] 🔥
  • [CVE-2026-35616] FortiClient EMS - Authentication Bypass (@ritikchaddha) [high] 🔥 (kev) (vKEV)
  • [CVE-2026-34885] WordPress Media Library Assistant <= 3.34 - SQL Injection (@theamanrawat) [high] 🔥
  • [CVE-2026-34605] SiYuan Note - Cross-Site Scripting (@ritikchaddha) [medium]
  • [CVE-2026-34453] SiYuan <= v3.6.1 - Bookmark Data Disclosure (@0x_Akoko) [high]
  • [CVE-2026-34197] Apache ActiveMQ - Remote Code Execution (@dhiyaneshdk, @horizon3) [critical] 🔥
  • [CVE-2026-34156] NocoBase - VM Sandbox Escape to Remote Code Execution (@theamanrawat) [critical] 🔥
  • [CVE-2026-33478] AVideo <= 26.0 - WWBN AVideo - Remote Code Execution (@pussycat0x) [critical]
  • [CVE-2026-33340] LoLLMs WEBUI - Server-Side Request Forgery (@theamanrawat) [critical] 🔥
  • [CVE-2026-31809] SiYuan <= v3.5.9 - Cross Site Scripting (@0x_Akoko) [medium]
  • [CVE-2026-31807] SiYuan <= v3.5.9 - SVG Animate Element XSS (@0x_Akoko) [medium]
  • [CVE-2026-30824] Flowise - NVIDIA NIM Endpoints Missing Authentication (@dhiyaneshdk) [high] 🔥
  • [CVE-2026-29183] SiYuan Note - Cross-Site Scripting (@ritikchaddha) [medium]
  • [CVE-2026-29066] TinaCMS - Path Traversal (@theamanrawat) [medium]
  • [CVE-2026-29014] MetInfo CMS <= 8.1 - Remote Code Execution (@0x_Akoko) [critical]
  • [CVE-2026-28414] Gradio - Absolute Path Traversal (@0x_Akoko) [high] 🔥
  • [CVE-2026-28358] NocoDB - User Enumeration (@dhiyaneshdk) [medium] 🔥
  • [CVE-2026-26980] Ghost CMS Content API - SQL Injection (@domwhewell-sage) [critical] 🔥
  • [CVE-2026-25616] Blesta <= 5.13.1 - Cross-Site Scripting (@0x_Akoko) [medium]
  • [CVE-2026-21643] Fortinet FortiClientEMS 7.4.4 - SQL Injection (@ritikchaddha) [critical] 🔥 (kev) (vKEV)
  • [CVE-2026-20079] Cisco Secure Firewall Management Center - Authentication Bypass (@theamanrawat) [critical] 🔥
  • [CVE-2026-6203] User Registration & Membership WordPress plugin - Open Redirect (@theamanrawat) [medium] 🔥
  • [CVE-2026-6118] AstrBot <= 4.22.1 - Command Injection (@jyoti369) [high]
  • [CVE-2026-5615] VvvebJs <= 2.0.5 - Cross-Site Scripting (@theamanrawat) [medium]
  • [CVE-2026-4257] WordPress Contact Form by Supsystic - Server-Side Template Injection (@theamanrawat) [critical] 🔥
  • [CVE-2026-4106] HT Mega < 3.0.7 - Sensitive Information Disclosure (@efetr) [high] 🔥
  • [CVE-2026-4020] Gravity SMTP WordPress Plugin - Sensitive Information Exposure (@theamanrawat) [high] 🔥 (vKEV)
  • [CVE-2026-3584] WordPress Kali Forms <= 2.4.9 - Remote Code Execution (@pussycat0x) [critical] 🔥 (vKEV)
  • [CVE-2026-3396] WCAPF WooCommerce Ajax Product Filter - SQL Injection (@theamanrawat) [high] 🔥
  • [CVE-2026-2699] Progress ShareFile Storage Zones Controller - Authentication Bypass (@dhiyaneshdk) [critical] 🔥
  • [CVE-2026-2416] Geo Mashup <= 1.13.17 - SQL Injection (@Shivam Kamboj) [high]
  • [CVE-2025-67303] ComfyUI-Manager < 3.38 - Configuration Overwrite (@maciejklimek) [critical] 🔥
  • [CVE-2025-64500] Symfony HttpFoundation - Access Control Bypass via PATH_INFO (@dhiyaneshdk) [high] 🔥
  • [CVE-2025-59528] Flowise - Remote Code Execution (@xtr0nix) [critical] 🔥 (vKEV)
  • [CVE-2025-55150] Stirling-PDF < 1.1.0 - Server-Side Request Forgery (@weqi) [high] 🔥
  • [CVE-2025-54597] Heimdall Application Dashboard < 2.7.3 - Reflected XSS (@0x_Akoko) [medium]
  • [CVE-2025-53533] Pi-hole Reflected XSS in 404-Error Page (@dhiyaneshdk) [medium] 🔥
  • [CVE-2025-50578] Heimdall - Host Header Injection & Open Redirect (@dhiyaneshdk) [medium]
  • [CVE-2025-32614] EventON Lite <= 2.4 - Authenticated Local File Inclusion (@pussycat0x) [high] 🔥
  • [CVE-2025-14340] Payara Server - Cross-Site Scripting (@0x_Akoko, @0xr2r) [high] 🔥
  • [CVE-2025-14124] Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection (@neosmith1, @0x_Akoko) [high] 🔥
  • [CVE-2025-13652] WordPress CBX Bookmark & Favorite Plugin <= 2.0.4 - SQL Injection (@neosmith1) [critical] 🔥
  • [CVE-2025-12536] SureForms <= 1.13.1 - Sensitive Information Exposure (@pussycat0x) [medium] 🔥
  • [CVE-2025-5350] WSO2 - Server Side Request Forgery (@sourabh Grover) [medium] 🔥
  • [CVE-2025-2558] WordPress The Wound Theme <= 0.0.1 - Local File Inclusion (@pussycat0x) [high]
  • [CVE-2025-2221] WordPress WPCOM Member <= 1.7.6 - SQL Injection (@neosmith1, @0x_Akoko) [high] 🔥
  • [CVE-2024-49357] ZimaOS <= v1.2.4 - Sensitive Information Disclosure (@dhiyaneshdk) [high]
  • [CVE-2024-38819] Spring Framework Path Traversal in Functional Web Frameworks (@dhiyaneshdk) [high] 🔥
  • [CVE-2024-28752] Apache CXF < 4.0.4 - Aegis DataBinding SSRF / Local File Read (@maciejklimek) [high] 🔥
  • [CVE-2024-8252] WordPress Clean Login <= 1.14.5 Authenticated (Contributor+) - Local File Inclusion (@pussycat0x) [high] 🔥
  • [CVE-2023-49293] Vite dev server - Cross-Site Scripting (@ritikchaddha) [medium] 🔥
  • [CVE-2023-40924] SolarView Compact < 6.00 - Directory Traversal (@dhiyaneshdk) [high]
  • [CVE-2023-7165] JetBackup <= 2.0.9.7 - Sensitive Information Exposure via Directory Listing (@pussycat0x) [high] 🔥
  • [CVE-2023-6825] WordPress File Manager <= 7.2.1 - Directory Traversal (@pussycat0x) [critical] 🔥
  • [CVE-2023-6750] WordPress WP Clone <= 2.4.2 - Database Backup Exposure (@pussycat0x) [critical] 🔥
  • [CVE-2023-6592] WordPress FastDup <= 2.1.9 Sensitive Information Exposure - Directory Listing (@pussycat0x) [medium] 🔥
  • [CVE-2022-41678] Apache ActiveMQ < 5.16.5/5.17.3 - Remote Code Execution (@maciejklimek) [high] 🔥
  • [CVE-2021-46371] AntD Admin - Sensitive Information Disclosure (@ritikchaddha) [high]
  • [CVE-2021-23337] Lodash Template - Server-Side Template Injection (RCE) (@dhiyaneshdk) [high] 🔥
  • [apache-sling-default-login] Apache Sling - Default Login (@icarot) [high]
  • [astrbot-default-login] AstrBot - Default Login (@theamanrawat) [high]
  • [checkmk-default-login] Checkmk - Default Login (@0xBassia) [high]
  • [freepbx-default-login] FreePBX - Default Admin Credentials (@0x_Akoko) [high]
  • [graylog-default-login] Graylog - Default Login (@0x_Akoko, @0xBassia) [high]
  • [grocy-default-login] Grocy - Default Admin Credentials (@0x_Akoko) [high]
  • [mirth-connect-default-login] Mirth Connect - Default Admin Credentials (@0x_Akoko) [high]
  • [netbox-default-login] NetBox - Default Admin Credentials (@0x_Akoko) [high]
  • [owncast-default-login] Owncast - Default Credentials (@0x_Akoko) [high]
  • [superset-default-login] Apache Superset - Default Login (@theamanrawat) [high]
  • [activepieces-panel] Activepieces Panel - Detect (@rxerium) [info]
  • [agentgpt-panel] AgentGPT Panel - Detect (@rxerium) [info]
  • [anythingllm-panel] AnythingLLM Panel - Detect (@rxerium) [info]
  • [astrbot-panel-detect] AstrBot WebUI Login Panel - Detect (@theamanrawat) [info]
  • [clearml-panel] ClearML Panel - Detect (@rxerium) [info]
  • [cvat-panel] CVAT Computer Vision Annotation Tool - Detect (@rxerium) [info]
  • [devtron-panel] Devtron Panel Login Panel - Detect (@johnk3r) [info]
  • [easydiffusion-panel] Easy Diffusion Panel - Detect (@rxerium) [info]
  • [flowise-panel] Flowise Panel - Detect (@rxerium) [info]
  • [h2o-wave-panel] H2O Wave ML Application Server - Detect (@rxerium) [info]
  • [koboldai-panel] KoboldAI Panel - Detect (@rxerium) [info]
  • [openclaw-control-detect] OpenClaw Control - Detect (@pbuff07) [info]
  • [openhands-panel] OpenHands Panel - Detect (@rxerium) [info]
  • [showdoc-panel] ShowDoc Panel Detection (@rxerium) [info]
  • [sillytavern-panel] SillyTavern Panel - Detect (@rxerium) [info]
  • [superagi-panel] SuperAGI Panel - Detect (@rxerium) [info]
  • [devtron-env-config-js] Devtron JavaScript Environment Configuration - Exposure (@johnk3r) [low]
  • [argo-workflows-unauth] Argo Workflows - Unauthenticated Dashboard (@0xBassia) [high]
  • [baget-exposure] BaGet - Exposure (@dhiyaneshdk) [medium]
  • [blockchain-rpc-debug-exposure] Blockchain RPC Debug Trace Methods - Exposure (@0xBassia) [medium]
  • [blockchain-rpc-txpool-exposed] Blockchain RPC - txpool_content Exposed (@0xBassia) [high]
  • [dbgate-anonymous-access] DbGate Anonymous Access - Detection (@benharvey-sage) [high]
  • [glitchtip-public-signup] Gitea Public Registration Enabled (@dhiyaneshdk) [medium]
  • [heimdall-dashboard-exposure] Heimdall Application Dashboard - Unauthenticated Access (@0x_Akoko) [medium]
  • [3cx-installer] 3CX Phone System - Installer Page Exposure (@dhiyaneshdk) [high]
  • [azuracast-installer] AzuraCast - Unfinished Installation (@dhiyaneshdk) [high]
  • [freescout-installer] FreeScout Installer Exposure (@dhiyaneshdk) [high]
  • [icinga-installer] Icinga Web 2 Installer Exposure (@pussycat0x) [high]
  • [leantime-install-page-exposed] Leantime - Unfinished Installation (@0x_Akoko) [high]
  • [modx-installer] ModX CMS - Unfinished Installation (@dhiyaneshdk) [high]
  • [revive-adserver-installer] Revive Adserver - Exposed Installer (@dhiyaneshdk) [high]
  • [node-red-unauth] Node-RED - Unauthenticated Access (@0xBassia) [high]
  • [opentext-filr-guest-access] OpenText Filr - Guest Access Enabled (@pussycat0x) [medium]
  • [photoprism-unauth-exposure] PhotoPrism - Unauthenticated Exposure (@pussycat0x) [high]
  • [piwik-unauthenticated-access] Piwik/Matomo - Unauthenticated Access (@0x_Akoko) [high]
  • [sabnzbd-unauth-access] SABnzbd - Unauthenticated Web Interface Access (@0x_Akoko) [high]
  • [weak-hsts-detect] Weak HTTP Strict-Transport-Security - Detect (@saint_orion) [info]
  • [apache-sling-detect] Apache Sling - Detect (@icarot) [info]
  • [chromadb-detect] ChromaDB Vector Database - Detect (@rxerium) [info]
  • [langflow-detect] Langflow - Detect (@rxerium) [info]
  • [llamacpp-detect] llama.cpp - Detect (@rxerium) [info]
  • [marqo-detect] Marqo Vector Search Engine - Detect (@rxerium) [info]
  • [nicegui-detect] NiceGUI Detection (@theamanrawat) [info]
  • [sdwebui-detect] Stable Diffusion WebUI - Detect (@rxerium) [info]
  • [weights-biases-detect] Weights & Biases - Detect (@rxerium) [info]
  • [xinference-detect] Xinference - Detect (@rxerium) [info]
  • [chanjet-crm-sqli] Chanjet CRM - SQL Injection (@luckying1314@139.com) [high]
  • [magento-polyshell-rce] Magento PolyShell – Unauthenticated File Upload to RCE (@slcyber, @dhiyaneshdk) [critical]
  • [marimo-proxy-abuse] Marimo > 0.9.20 - Proxy Abuse (@ritikchaddha) [medium]
  • [zqnb-educationcloud-exposure] ZhongQing Education Cloud Platform - Information Exposure (@ritikchaddha) [high]

New Contributors

Full Changelog: v10.4.1...v10.4.2