github projectdiscovery/nuclei-templates v10.4.3
Nuclei Templates v10.4.3 - Release Notes


New Templates Added: 105 | CVEs Added: 62 | First-time contributions: 12

🔥 Release Highlights 🔥

What's Changed

Bug Fixes

  • CI: migrated nuclei GitHub action to native Node.js runtime (PR #16061, PR #16049).
  • Removed duplicate template for BeyondTrust (PR #16024).
  • Removed duplicate matcher line in roundcube-log-disclosure.yaml (PR #16042).
  • Corrected invalid cve-id classification field values across templates (PR #16023).
  • Fixed invalid CPE format strings across templates (PR #15991, PR #15828).
  • Fixed tag formatting in CVE-2024-57727, CVE-2023-38875, CVE-2023-24322 (PR #15989, PR #15897, PR #15899).
  • Corrected YAML formatting in Retool postMessage XSS template (PR #15952).
  • Fixed file path for CVE-2026-2262 (PR #15998).
  • Renamed joomla-htaccess.yaml → joomla-htaccess-file.yaml for clarity (PR #15987).
  • Moved contrastapi-domain-recon.yaml to the correct directory (PR #16025).
  • Renamed and updated superset-default-login.yaml (PR #15822).
  • Release preparation for Nuclei Templates v10.4.2 (PR #15920).

False Negatives

  • Fixed a false negative in tomcat-default-login: the credential payloads are now ordered so that Tomcat's LockOutRealm does not lock the target account before the correct pair is tried (PR #16053, Issue #15382).
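The LockOutRealm concern above, as an added example that is not part of the release and not the template's own payload list: Tomcat's org.apache.catalina.realm.LockOutRealm (documented defaults failureCount=5, lockOutTime=300 seconds) counts failed logins per username, and once the count is reached it rejects even the correct password for the lock-out period; the counter is cleared by a successful login or after a full lock-out has elapsed, not by merely pausing between wrong guesses. A default-login check therefore has to try the most likely pairs first and must not spend more than failureCount-1 wrong guesses on one username, or it locks the very account it is trying to confirm and reports a miss. The candidate list, the budgeted scheduler and the small lock-out model below are all constructed here for illustration (my Python, not Tomcat code); the model ignores elapsed time, which is the conservative assumption for a scan that finishes inside lockOutTime.

```python
from collections import defaultdict

# Documented defaults of Tomcat's org.apache.catalina.realm.LockOutRealm.
FAILURE_COUNT = 5    # wrong logins before the username is locked
LOCK_OUT_TIME = 300  # seconds the lock lasts; the right password fails too

# Constructed sample guesses in priority order (most common defaults first).
# This is an illustration, not the template's payload list.
CANDIDATES = [
    ("tomcat", "tomcat"), ("admin", "admin"), ("tomcat", "s3cret"),
    ("admin", "tomcat"), ("tomcat", "admin"), ("manager", "manager"),
    ("tomcat", "password"), ("tomcat", "changeme"), ("tomcat", "tomcat123"),
    ("admin", "password"), ("role1", "tomcat"),
]


def schedule(candidates, failure_count=FAILURE_COUNT):
    """Keep the priority order, drop duplicate pairs, and give each username at
    most failure_count-1 guesses. Surplus pairs are returned separately so the
    caller can decide whether a deliberate lockout plus a LOCK_OUT_TIME wait is
    worth it; for a scanner it usually is not."""
    budget = failure_count - 1
    used = defaultdict(int)
    seen = set()
    ordered, skipped = [], []
    for pair in candidates:
        if pair in seen:
            continue          # a repeated guess burns budget and cannot succeed
        seen.add(pair)
        user = pair[0]
        if used[user] < budget:
            used[user] += 1
            ordered.append(pair)
        else:
            skipped.append(pair)
    return ordered, skipped


class LockOutModel:
    """Offline stand-in for LockOutRealm's counting, constructed for this check
    (not Tomcat code): failures accumulate per username, the failure that
    reaches failure_count locks the user, a locked user fails even with the
    right password, and a success clears the counter. Elapsed time is ignored,
    the conservative view for a scan that finishes within LOCK_OUT_TIME."""

    def __init__(self, valid, failure_count=FAILURE_COUNT):
        self.valid = dict(valid)          # username -> real password
        self.failure_count = failure_count
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user, password):
        if self.failures[user] >= self.failure_count:
            self.locked.add(user)         # still locked: correct or not, rejected
            return False
        if self.valid.get(user) == password:
            self.failures.pop(user, None)
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.failure_count:
            self.locked.add(user)
        return False


def run_naive(candidates, valid, failure_count=FAILURE_COUNT):
    """Try every pair in order with no per-user budget: the fifth wrong guess
    for a user locks it, and a correct pair later in the list is rejected."""
    realm = LockOutModel(valid, failure_count)
    hits = [pair for pair in candidates if realm.login(*pair)]
    return hits, sorted(realm.locked)


def run_budgeted(candidates, valid, failure_count=FAILURE_COUNT):
    """Same guesses through schedule(): no username can reach the lock, so a
    miss means 'not among the first failure_count-1 guesses', never a locked
    account left behind on the target."""
    realm = LockOutModel(valid, failure_count)
    ordered, _ = schedule(candidates, failure_count)
    hits = [pair for pair in ordered if realm.login(*pair)]
    return hits, sorted(realm.locked)


if __name__ == "__main__":
    secret = {"tomcat": "tomcat123"}   # constructed target credentials
    print("naive   :", run_naive(CANDIDATES, secret))      # ([], ['tomcat'])
    print("budgeted:", run_budgeted(CANDIDATES, secret))   # ([], [])
    print("skipped :", schedule(CANDIDATES)[1])
```

The naive run shows the failure mode the fix addresses: the correct pair is the sixth guess for `tomcat`, so the fifth wrong one locks the account and the real password is then rejected, which looks like "no default credentials" to the scanner and leaves an operator locked out. The budgeted run cannot trigger the lock; what it gives up is the guesses past the budget, which is why the order of the list matters.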

False Positives

  • Reduced false positives and improved accuracy in the following templates:
    • ingress-nginx-valid-admission.yaml — added a 200-status guard so verbose debug pages from PHP frameworks no longer match (PR #16046, Issue #14248).
    • CVE-2024-2473 — verify that the hidden login URL is actually disclosed, avoiding a FP on WPS Hide Login (PR #15985, Issue #15871).
    • CVE-2019-5544 — fixed a FP triggered when port 427 is closed (PR #15979, Issue #15098).
    • CVE-2023-45648 — bounded the Tomcat version regex (PR #15459, Issue #15566).
    • ldap-anonymous-login-detect.yaml — honor the Port parameter instead of forcing 389 (PR #15430, Issue #14736).
    • sentry-panel — added a title check to prevent a FP (PR #15984).
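The version-bounding point in the CVE-2023-45648 item above, as an added example that is not part of the release and not the template's own matcher: a banner pattern such as `Apache Tomcat/9\.0\.\d+` has no upper bound, so it flags every 9.0.x build, patched ones included. The bounded form below parses the full version out of the banner and compares it numerically against the first fixed release of each affected branch, with milestone builds (`11.0.0-M11`) ordered before the GA build of the same number. The fixed-version table is taken from the Apache Tomcat security pages for this CVE (8.5.94, 9.0.81, 10.1.14, 11.0.0-M12) and should be re-checked against the advisory before reuse; the banner strings are constructed samples and the code is my own Python, not the project's.

```python
import re

# First fixed release on each affected branch for CVE-2023-45648, per the
# Apache Tomcat security pages; re-verify against the advisory before reuse.
FIXED_IN = {
    (8, 5): "8.5.94",
    (9, 0): "9.0.81",
    (10, 1): "10.1.14",
    (11, 0): "11.0.0-M12",
}

# The kind of unbounded pattern that produces the false positive: it accepts
# any patch level on the affected branches, patched builds included.
LOOSE_RE = re.compile(r"Apache Tomcat/(?:8\.5|9\.0|10\.1|11\.0)\.\d+")

# Bounded approach: capture the full version and compare it numerically.
BANNER_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?\b")

GA = 10**6  # milestone slot for a GA build: newer than any -Mn of that number


def parse_version(text):
    """Return (major, minor, patch, milestone) for the first Tomcat banner in
    text, or None if there is none. "11.0.0-M11" -> (11, 0, 0, 11) and
    "11.0.0" -> (11, 0, 0, GA), so milestones sort before the GA release."""
    m = BANNER_RE.search(text)
    if m is None:
        return None
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else GA)


def loose_match(text):
    """What the unbounded regex reports: True for any 8.5/9.0/10.1/11.0 build."""
    return LOOSE_RE.search(text) is not None


def is_vulnerable(text):
    """Bounded check: the branch must have a known fix and the banner version
    must be strictly older than it. Unknown branches (7.x, 12.x, ...) never
    match, because the table makes no claim about them."""
    version = parse_version(text)
    if version is None:
        return False
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return False
    return version < parse_version("Apache Tomcat/" + fixed)


if __name__ == "__main__":
    # Constructed sample banners, one patched and one unpatched per branch.
    samples = [
        "<h3>Apache Tomcat/9.0.80</h3>", "<h3>Apache Tomcat/9.0.85</h3>",
        "Apache Tomcat/8.5.93", "Apache Tomcat/8.5.94",
        "Apache Tomcat/10.1.13", "Apache Tomcat/10.1.14",
        "Apache Tomcat/11.0.0-M11", "Apache Tomcat/11.0.0-M12",
        "Apache Tomcat/7.0.109",
    ]
    for banner in samples:
        print(f"{banner:32} loose={loose_match(banner)!s:5} "
              f"bounded={is_vulnerable(banner)}")
```

The loose and bounded checks disagree exactly on the patched builds, which is the false-positive class the release item describes; the bounded check also stays silent on branches the table does not cover instead of guessing.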

Enhancements

  • Added Microsoft domain to mx-service-detector (PR #16030).
  • Added registrar extractors to rdap-whois template (PR #15908).
  • Added references to CVE-2020-15718 (PR #16058).
  • Updated mitel-version-detect.yaml (PR #15839).
  • Linked CVE-2021-31589 to existing beyond-trust-xss.yaml (Issue #15273).

Templates Added

  • [CVE-2026-42167] ProFTPD mod_sql - Preauth User Backdoor (@pussycat0x) [high] 🔥
  • [CVE-2026-42031] CKAN DataStore SQL Search - SQL Injection (@theamanrawat) [high]
  • [CVE-2026-41940] cPanel & WHM - Auth Bypass via Session-File CRLF Injection (@watchtowr, @hadrian.io, @dhiyaneshdk) [critical] (kev) (vKEV) 🔥
  • [CVE-2026-41641] NocoBase - SQL Injection (@theamanrawat) [high]
  • [CVE-2026-41640] NocoBase - SQL Injection (@theamanrawat) [high]
  • [CVE-2026-41179] RClone RC - Command Injection (@theamanrawat) [critical] 🔥
  • [CVE-2026-41176] Rclone RC - Broken Access Control (@theamanrawat) [critical] 🔥
  • [CVE-2026-40887] Vendure Core - SQL Injection (@theamanrawat) [critical]
  • [CVE-2026-40466] Apache ActiveMQ - RCE via HTTP Discovery Transport Bypass (@dhiyaneshdk) [high] 🔥
  • [CVE-2026-40308] My Calendar WordPress Plugin - Information Disclosure (@theamanrawat) [high]
  • [CVE-2026-40242] Arcane <= 1.17.2 - Server-Side Request Forgery (@0x_Akoko) [high]
  • [CVE-2026-40105] XWiki - Cross-Site Scripting (@ritikchaddha) [medium] 🔥
  • [CVE-2026-39808] Fortinet FortiSandbox - Command Injection (@dhiyaneshdk) [critical] 🔥
  • [CVE-2026-39363] Vite Dev Server - Arbitrary File Read (@theamanrawat) [high] 🔥
  • [CVE-2026-39339] ChurchCRM - API Authentication Bypass via URL Injection (@AkhilShekhar) [critical]
  • [CVE-2026-35029] LiteLLM - Arbitrary File Read (@theamanrawat) [high] 🔥
  • [CVE-2026-33626] LMDeploy - Server-Side Request Forgery (@theamanrawat) [high] (kev) (vKEV) 🔥
  • [CVE-2026-33439] OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization (@dhiyaneshdk) [critical] 🔥
  • [CVE-2026-33057] Mesop AI Sandbox <= 1.2.2 - Remote Code Execution (@sammiee5311, @liyander) [critical]
  • [CVE-2026-33032] Nginx UI - Broken Access Control (@dhiyaneshdk) [critical] (kev) (vKEV) 🔥
  • [CVE-2026-33017] Langflow < 1.9.0 - Remote Code Execution (@himind) [critical] (kev) (vKEV) 🔥
  • [CVE-2026-28409] WeGIA <= 3.6.4 - Remote Code Execution (@0x_Akoko) [critical]
  • [CVE-2026-27176] MajorDoMo - Cross-Site Scripting (@dhiyaneshdk) [medium]
  • [CVE-2026-27174] MajorDoMo - Unauthenticated RCE (@0x_Akoko) [critical] (kev) (vKEV) 🔥
  • [CVE-2026-24423] SmarterMail - Remote Code Execution (@jyoti369) [critical] (kev) (vKEV) 🔥
  • [CVE-2026-23486] Blinko <= 1.8.3 - User Information Leak (@0x_Akoko) [low]
  • [CVE-2026-23483] Blinko <= 1.8.3 - Path Traversal via /plugins (@tx1ee) [medium]
  • [CVE-2026-23482] Blinko < 1.8.4 - Path Traversal (@tx1ee) [high]
  • [CVE-2026-21484] AnythingLLM - Username Enumeration via Password Recovery (@dhiyaneshdk) [medium] 🔥
  • [CVE-2026-4631] Cockpit Web Console < 360 - Remote Code Execution (@dhiyaneshdk) [critical] 🔥
  • [CVE-2026-3844] Breeze <= 2.4.4 - Arbitrary File Upload (@theamanrawat, @ritikchaddha) [critical] (kev) (vKEV) 🔥
  • [CVE-2026-2262] Easy Appointments <= 3.12.21 - Information Disclosure (@0x_Akoko) [high]
  • [CVE-2026-1368] Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation (@0x_Akoko) [high]
  • [CVE-2026-1314] WordPress 3D FlipBook <= 1.16.17 - Information Disclosure (@theamanrawat) [medium]
  • [CVE-2026-0560] LolLMS < 2.2.0 - Server-Side Request Forgery (@ritikchaddha) [high]
  • [CVE-2025-69411] ionCube Tester Plus <= 1.3 - Local File Inclusion (@pussycat0x) [high]
  • [CVE-2025-62039] AI ChatBot with ChatGPT by AYS <= 2.6.6 - Unauthenticated API Key Exposure (@pussycat0x) [high]
  • [CVE-2025-59582] Ajax Load More < 7.6.1 - Unauthenticated Sensitive Information Exposure (@pussycat0x) [medium]
  • [CVE-2025-59342] esm.sh <= v136 - Arbitrary File Write via Path Traversal (@0x_Akoko) [medium]
  • [CVE-2025-59341] esm.sh <= v136 - Local File Inclusion (@0x_Akoko) [high]
  • [CVE-2025-59136] WordPress Gerencianet Oficial <= 3.1.3 - Unauthenticated Order Status Disclosure (@pussycat0x) [medium]
  • [CVE-2025-58226] WordPress 3D FlipBook Plugin <= 1.16.17 - Sensitive Information Exposure (@pussycat0x) [medium]
  • [CVE-2025-49002] DataEase - Remote Code Execution (@weqi) [high]
  • [CVE-2025-41242] Spring Framework - Path Traversal (@dhiyaneshdk) [medium] 🔥
  • [CVE-2025-32395] Vite - Path Traversal (@ChrisJr404) [medium] 🔥
  • [CVE-2025-23211] Tandoor Recipes < 1.5.24 - Jinja2 SSTI RCE (@sammiee5311) [critical]
  • [CVE-2025-13801] Yoco Payments <= 3.8.8 - Path Traversal (@0x_Akoko) [high]
  • [CVE-2025-13390] WP Directory Kit <= 1.4.4 - Authentication Bypass (@maxthepm) [critical] (kev) (vKEV) 🔥
  • [CVE-2025-11693] Export WP Page to Static HTML <= 4.3.4 - Cookie Exposure (@0x_Akoko) [critical]
  • [CVE-2025-10897] WooCommerce Designer Pro <= 1.9.28 - Arbitrary File Read (@0x_Akoko) [high]
  • [CVE-2025-10162] WordPress OrderConvo < 14 - Path Traversal (@0x_Akoko) [high]
  • [CVE-2025-9209] RestroPress 3.0.0-3.2.1 - Authentication Bypass (@0x_Akoko) [critical]
  • [CVE-2025-4524] WordPress Madara Theme < 2.2.2.1 - Local File Inclusion (@0x_Akoko) [high]
  • [CVE-2025-1361] IP2Location Country Blocker < 2.38.9 - Unauthenticated Information Disclosure (@pussycat0x) [high]
  • [CVE-2024-38773] FormLift for Infusionsoft Web Forms <= 7.5.17 - SQL Injection (@Shivam Kamboj) [critical]
  • [CVE-2024-32825] Simply Static - Information Disclosure (@pussycat0x) [medium]
  • [CVE-2024-26291] Avid NEXIS Agent - Arbitrary File Read (@dhiyaneshdk) [high]
  • [CVE-2023-49438] Python Flask-Security-Too <=5.3.2 - Open Redirect (@ritikchaddha) [medium] 🔥
  • [CVE-2021-45328] Gitea < 1.4.3 - Open Redirect (@ritikchaddha) [medium] 🔥
  • [CVE-2021-26947] Odoo <= 15.0 - Cross-Site Scripting (@ritikchaddha) [medium] 🔥
  • [CVE-2021-3152] Home Assistant HACS - Local File Inclusion (@dhiyaneshdk) [high] 🔥
  • [CVE-2017-6478] MaNGOSWebV4 < 4.0.8 - Cross-Site Scripting (@0xr2r) [medium]
  • [default-admin-account-enabled] Default Administrator Account Enabled (@boonchuan) [medium]
  • [office-macros-not-restricted] Microsoft Office Macros Not Restricted (@boonchuan) [high]
  • [windows-auto-update-disabled] Windows Automatic Updates Disabled (@boonchuan) [high]
  • [apache-casbin-mcp-gateway-default-login] Apache Casbin MCP Gateway - Default Login (@icarot) [high]
  • [avaya-phone-default-login] Avaya Phone Web Interface - Default Login (@tpierru) [high]
  • [claris-filemaker-panel] Claris FileMaker Server Admin Console - Detect (@s4e-io) [info]
  • [device42-panel] Device42 Panel - Detect (@righettod) [info]
  • [fortisandbox-panel] Fortinet FortiSandbox Panel - Detect (@umut ÖZEN) [info]
  • [fortisandbox-panel] FortiSandbox Panel - Detect (@rxerium) [info]
  • [mealie-panel] Mealie Panel - Detect (@ChrisJr404) [info]
  • [openbao-webui-detect] OpenBao Web UI Panel - Detect (@ritikchaddha) [info]
  • [outline-panel] Outline Panel - Detect (@ChrisJr404) [info]
  • [paperless-ngx-panel] Paperless-ngx Panel - Detect (@ChrisJr404) [info]
  • [supabase-studio-panel] Supabase Studio Panel - Detect (@ChrisJr404) [info]
  • [typesense-search-server] Typesense Search Server - Detect (@ChrisJr404) [info]
  • [chroma-api-exposure] ChromaDB - Unauthenticated API Exposure (@pussycat0x) [medium]
  • [weglot-api-key-exposure] Weglot API Key - Exposed (@0x_Akoko) [medium]
  • [prisma-schema-exposure] Exposed Prisma Database Schema - Exposure (@umut ÖZEN) [medium]
  • [contrastapi-domain-recon] ContrastAPI Domain Reconnaissance (@UPinar) [info]
  • [contrastapi-ip-recon] ContrastAPI IP Reconnaissance (@UPinar) [info]
  • [apache-skywalking-dashboard] Apache SkyWalking - Dashboard (@icarot) [high]
  • [chainlit-unauth-access] Chainlit - Unauthenticated Access (@pussycat0x) [low]
  • [chatwoot-installer] Chatwoot - Installation (@0x_Akoko) [high]
  • [chromadb-installer] ChromaDB Installer - Detected (@pussycat0x) [info]
  • [filestash-installer] Filestash - Installer Exposure (@dhiyaneshdk) [high]
  • [krayin-installer] Krayin CMS - Installer (@theamanrawat) [high]
  • [supabase-studio-exposure] Supabase Studio - Exposure (@theamanrawat) [high]
  • [download-monitor-unauth-log-export] Download Monitor < 1.9.7 - Unauthenticated Download Log Export (@0x_Akoko) [high]
  • [apache-casbin-mcp-gateway-detect] Apache Casbin MCP Gateway - Detection (@icarot) [info]
  • [browserless-swagger-detect] Browserless API Swagger - Detect (@theamanrawat) [info]
  • [inertiajs-detect] Inertia.js - Detect (@antonkulyk) [info]
  • [nginx-opencloudos-test-page] Nginx Test Page for OpenCloudOS (@pussycat0x) [info]
  • [vendure-detect] Vendure - Detect (@theamanrawat) [info]
  • [gitea-open-redirect-bypass] Gitea < 1.21.0 - Open Redirect (@ritikchaddha) [medium]
  • [odoo-login-redirect] Reflected Odoo - Open Redirect (@dhiyaneshdk) [low]
  • [retool-postmessage-xss] Retool Self-Hosted - postMessage XSS via Custom Component Collections (@dhiyaneshdk) [high]
  • [rabbitmq-amqp-default-login] RabbitMQ AMQP - Default Login (@dhiyaneshdk) [high]
  • [perforce-info-disclosure] Perforce Server - Information Disclosure (@morgan Robertson) [medium]
  • [perforce-user-enumeration] Perforce Server - User Enumeration (@morgan Robertson) [medium]
  • [perforce-passwordless-users] Perforce Server - Passwordless User Accounts (@morgan Robertson) [critical]
  • [perforce-remote-depot-unauth] Perforce Server - Unauthenticated Remote Depot Access (@morgan Robertson) [high]
  • [mdns-ptzoptics-detect] PTZOptics Device via mDNS - Detect (@rxerium) [info]
  • [perforce-detection] Perforce Server - Detection (@morgan Robertson) [info]

New Contributors

Full Changelog: v10.4.2...v10.4.3
