github projectdiscovery/nuclei-templates v10.4.4
Nuclei Templates v10.4.4 - Release Notes

New Templates Added: 179 | CVEs Added: 43 | First-time contributions: 20

🔥 Release Highlights 🔥

What's Changed

Bug Fixes

  • Corrected the classification.cve-id mismatch in the CVE-2024-38856 template, which was pointing to CVE-2024-32113 (PR #16277).
  • Fixed a YAML parsing failure in gradio-image-ssrf caused by an unclosed string literal in DSL matchers, after the stricter govaluate fork surfaced it (PRs #16171, #16210, #16243).
  • Added the missing cve-id classification to CVE-2023-2745 (PR #16152).
  • Added the missing words key in CVE-2023-46347, which previously caused a YAML syntax error and prevented execution (PR #16097).
  • Resolved a duplicate template id conflict for fortisandbox-panel by renaming the Fortinet-scoped template (PR #16070) and removed the leftover duplicate plus stray contrastapi recon templates as release-prep cleanup (PR #16118).
  • Renamed the malware template id from ransomware_windows_hydracrypt for consistency (PR #16114).
  • Renamed the eol-magento template id to magento-eol to follow naming conventions (PR #16154).
  • Relocated opendcim-detect.yaml out of the non-existent http/detect folder (PR #16266).
  • Removed unused extractors from CVE-2025-13418 (PR #16204).

False Negatives

  • CVE-2023-2745: removed an unnecessary authentication requirement so the template fires against unauthenticated targets (Issue #16133, PR #16139).
  • CVE-2021-40438: added support for custom Interactsh server hostnames so detection no longer requires the oast* naming convention (Issue #12074, PR #16052).

False Positives

  • CVE-2026-3844 (Issue #16124, PR #16161).
  • CVE-2025-22457 (Issue #15955, PR #16162).
  • http-missing-security-headers: dropped the clear-site-data matcher on the base URL (Issue #12008, PR #16050) and unanchored the Content-Type regexes so matches are position-independent (PR #16125).
  • workspace-one-uem panel: removed a matcher that misfired on paths placed inside content="" attributes (PR #16117).

Enhancements

  • Enhanced CVE-2026-33017 by removing the redundant build_public_tmp exploit request that relied on a null flow UUID (Issue #16134, PR #16149).
  • Converted legacy http/vulnerabilities templates to CVE templates as part of the broader cleanup tracked in Issue #15275: sar2html RCE → CVE-2025-34030 (PR #16144), Cloudlog SQLi → CVE-2024-48259 (PR #16146), beward-ipcamera-disclosure → CVE-2019-25246 (PR #16248), bems-api-lfi → CVE-2021-4463 (PR #16249), ozeki-10-sms-gateway → CVE-2023-7327 (PR #16250), and watchguard credentials disclosure → CVE-2020-10532 (PR #16251).
  • Normalized classification.cwe-id metadata across HTTP exposure and misconfiguration templates (PR #16062).
  • Updated CVE-2022-0218 metadata to remove inaccurate stored-XSS framing and reflect the broken access control nature of the check (PR #16203).
  • Updated CVE-2025-62168 template (PR #16242).
  • Added the passive tag to CVE-2026-38361 (PR #16202).
  • Added redirect options to nginx-eol.yaml (PR #16199).
  • Expanded the MSSQL default-login wordlist (PR #16198).
  • Added a success-message confirmation for FTP anonymous login (PR #16197).
  • Switched the polycom-hdx-web-exposure matcher from contains_all to contains_any for broader coverage (PR #16196).
  • Added a 403 status matcher to trace-axd-detect.yaml (PR #16140).
  • Migrated the Nuclei GitHub Action workflow to native Node.js (PR #16113).

Templates Added

  • [CVE-2026-47668] DbGate - Remote Code Execution via Anonymous JWT (@benharvey-sage) [critical] 🔥
  • [CVE-2026-46725] TYPO3 ceselector Extension - Insecure Deserialization (@dhiyaneshdk) [critical] 🔥
  • [CVE-2026-46670] YesWiki < 4.6.4 - Unauthenticated SQL Injection (@0x_Akoko) [critical]
  • [CVE-2026-46372] SillyTavern - Server-Side Request Forgery (@theamanrawat) [high]
  • [CVE-2026-44578] Next.js WebSocket Upgrade Handler - SSRF (@hacktron, @dhiyaneshdk) [high] 🔥
  • [CVE-2026-42569] phpVMS < 7.0.6 - Legacy Importer Authorization Bypass (@0x_Akoko) [critical]
  • [CVE-2026-42281] MagicMirror <= 2.35.0 - Server-Side Request Forgery (@aleff-github) [critical]
  • [CVE-2026-40878] Mailcow < 2026-03b - Href Link Injection (@ritikchaddha) [low] 🔥
  • [CVE-2026-39352] Frappe Framework < 16.15.0 - Arbitrary File Read via render_include Path Traversal (@dhiyaneshdk) [medium]
  • [CVE-2026-38361] dash-uploader 0.1.0 - 0.7.0a2 - Denial-of-Service via flowTotalChunks (@a1ohadance) [high]
  • [CVE-2026-38360] dash-uploader 0.1.0 - 0.7.0a2 - Unauthenticated Arbitrary File Write via Path Traversal (@a1ohadance) [critical]
  • [CVE-2026-34847] Hoppscotch <= 2026.2.1 - Open Redirect (@ritikchaddha) [medium]
  • [CVE-2026-34486] Apache Tomcat Tribes EncryptInterceptor Bypass - Remote Code Execution (@dhiyaneshdk) [critical] 🔥
  • [CVE-2026-33534] EspoCRM <= 9.3.3 - Server-Side Request Forgery (@EntroVyx) [medium]
  • [CVE-2026-33453] Apache Camel camel-coap - Remote Code Execution (@dhiyaneshdk) [critical] 🔥
  • [CVE-2026-32230] Uptime-Kuma < v1.23.0 - Improper Access Control (@ritikchaddha) [medium]
  • [CVE-2026-26341] Tattile Camera < 1.181.5 - Default Login (@0x_Akoko) [high]
  • [CVE-2026-25545] Astro SSR - Server-Side Request Forgery (@ritikchaddha) [high] 🔥
  • [CVE-2026-20182] Cisco Catalyst SD-WAN Controller - vHub Authentication Bypass (@sfewer-r7, @Crypto-Cat, @pussycat0x, @dhiyaneshdk) [critical] 🔥 (kev) (vKEV)
  • [CVE-2026-9082] Drupal Core - Anonymous SQL Injection via PostgreSQL Entity Query (@slcyber, @dhiyaneshdk) [critical] 🔥 (kev) (vKEV)
  • [CVE-2026-8679] WordPress AudioIgniter <= 2.0.2 - Unauthenticated IDOR (@0x_Akoko) [high]
  • [CVE-2026-8181] WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass (@0x_Akoko) [critical] 🔥 (kev) (vKEV)
  • [CVE-2026-6433] FlipperCode Custom CSS, JS & PHP <= 2.0.7 - Remote Code Execution (@theamanrawat) [critical]
  • [CVE-2026-5718] Drag and Drop Multiple File Upload - CF7 <= 1.3.9.6 - Remote Code Execution (@zer0p0int) [critical] 🔥 (kev) (vKEV)
  • [CVE-2026-4810] Google ADK-Python - Unauthenticated Builder Endpoint (@dwisiswant0) [critical] 🔥
  • [CVE-2026-0740] Ninja Forms File Uploads <= 3.3.26 - Arbitrary File Upload (@whattheslime) [critical] 🔥 (kev) (vKEV)
  • [CVE-2026-0545] MLflow Job API - Authentication Bypass (@dhiyaneshdk) [critical] 🔥
  • [CVE-2025-62168] Squid Proxy - HTTP Authentication Credentials Disclosure (@xtr0nix) [critical] 🔥
  • [CVE-2025-48157] WordPress Formality Plugin <= 1.5.9 - Local File Inclusion (@pussycat0x) [critical]
  • [CVE-2025-47577] TI WooCommerce Wishlist <= 2.9.2 - Arbitrary File Upload (@CEHCVKR) [high]
  • [CVE-2025-34030] sar2html <=3.2.2 Plot Parameter - Remote Code Execution (@gy741, @TATANKA97) [critical] 🔥 (kev) (vKEV)
  • [CVE-2025-32966] DataEase 2.10.4-2.10.7 - Remote Code Execution (@ChrisJr404) [critical]
  • [CVE-2025-32778] Web-Check < 2.0.1 Screenshot API - OS Command Injection (@gugacyber) [critical] 🔥 (kev) (vKEV)
  • [CVE-2025-14726] WordPress Widgets for Social Photo Feed <= 1.8 - Information Disclosure (@0x_Akoko) [medium]
  • [CVE-2025-12841] WordPress Bookit < 2.5.1 - Unauthenticated Stripe Settings Update (@0x_Akoko) [high]
  • [CVE-2024-48259] Cloudlog - SQL Injection (@s4e-io) [high]
  • [CVE-2024-36420] Flowise 1.4.3 - Arbitrary File Read (@fineman999) [high] 🔥
  • [CVE-2024-32114] Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control (@ChrisJr404) [high] 🔥 (kev) (vKEV)
  • [CVE-2024-10763] WordPress Campress Theme <= 1.35 - Unauthenticated Local File Inclusion (@pussycat0x) [critical]
  • [CVE-2024-9362] Polyaxon - Unauthenticated Directory Traversal (@Yunseo) [high]
  • [CVE-2024-4322] LoLLMS WebUI < 9.8 - Path Traversal (@MJ-bin) [high]
  • [CVE-2021-24916] WordPress Qubely < 1.8.6 - Unauthenticated Email Sending (@roberto) [high]
  • [CVE-2019-25246] BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure (@geeknik, @liangtovi-debug) [high]
  • [weak-service-binary-permissions] Weak Service Binary Permissions (@domwhewell-sage) [high]
  • [android-request-install-packages-permission] Android Dangerous Permission - REQUEST_INSTALL_PACKAGES (@Th3l0newolf) [medium]
  • [frappe-default-login] Frappe Framework - Default Login Credentials (@dhiyaneshdk) [high]
  • [grandstream-grp-default-login] Grandstream GRP - Default Login (@dhiyaneshdk) [high]
  • [ibm-mfp-default-login] IBM MobileFirst Foundation - Default Credentials (@Vishal Vishwakarma) [critical]
  • [infinispan-default-login] Infinispan - Default Admin Login (@DhiyanesDk) [high]
  • [aapanel-linux-panel] aaPanel Linux Panel - Detect (@Th3l0newolf) [info]
  • [airbyte-panel] Airbyte Panel - Detect (@ChrisJr404) [info]
  • [andover-continuum-panel] Andover Continuum BMS - Login Panel (@rxerium) [info]
  • [argilla-panel] Argilla Panel - Detect (@rxerium) [info]
  • [arize-phoenix-panel] Arize Phoenix - Detect (@rxerium) [info]
  • [aveva-edge-panel] AVEVA Edge SCADA - Login Panel (@rxerium) [info]
  • [aveva-intouch-access-anywhere-panel] AVEVA InTouch Access Anywhere - Panel (@rxerium) [info]
  • [beckhoff-twincat-hmi-panel] Beckhoff TwinCAT HMI Server - Login Panel (@rxerium) [info]
  • [big-agi-panel] big-AGI Panel - Detect (@rxerium) [info]
  • [blinko-login-panel] Blinko - Login Panel Detection (@0x_Akoko) [info]
  • [botpress-panel] Botpress Admin Panel - Detect (@rxerium) [info]
  • [chainlit-panel] Chainlit Panel - Detect (@rxerium) [info]
  • [chatbot-ui-panel] Chatbot UI Panel - Detect (@rxerium) [info]
  • [clearscada-panel] Schneider Electric ClearSCADA - Panel (@rxerium) [info]
  • [codesys-webvisu-panel] CODESYS WebVisu - Panel (@rxerium) [info]
  • [cogent-datahub-panel] Cogent DataHub (OPC DataHub) - Panel (@rxerium) [info]
  • [cognita-panel] Cognita Panel - Detect (@rxerium) [info]
  • [copa-data-zenon-panel] Copa-Data zenon - Login Panel (@rxerium) [info]
  • [couchbase-server-console] Couchbase Server Console - Detect (@Th3l0newolf) [info]
  • [deep-sea-electronics-dse855-detect] Deep Sea Electronics DSE 855 Generator Controller - Detect (@rxerium) [info]
  • [digi-router-panel] Digi International Router - Login Panel (@rxerium) [info]
  • [echelon-ilon-smartserver-panel] Echelon i.LON SmartServer - Login Panel (@rxerium) [info]
  • [emoncms-panel] OpenEnergyMonitor emonCMS - Login Panel (@rxerium) [info]
  • [espocrm-detect] EspoCRM - Detect (@theamanrawat) [info]
  • [evidently-ai-panel] Evidently AI Panel - Detect (@rxerium) [info]
  • [facefusion-panel] FaceFusion Panel - Detect (@rxerium) [info]
  • [fastgpt-panel] FastGPT Panel - Detect (@rxerium) [info]
  • [fastmile-5g-gateway-panel] FastMile 5G Gateway Panel - Detect (@Th3l0newolf) [info]
  • [fronius-datalogger-web-panel] Fronius Datalogger Web - Login Panel (@rxerium) [info]
  • [fronius-inverter-panel] Fronius Inverter - Login Panel (@rxerium) [info]
  • [fuxa-scada-panel] FUXA - SCADA/HMI Panel (@rxerium) [info]
  • [ge-proficy-webspace-panel] GE Proficy WebSpace - Login Panel (@rxerium) [info]
  • [growatt-shinelink-panel] Growatt Shinelink - Login Panel (@rxerium) [info]
  • [inductive-automation-ignition-panel] Inductive Automation Ignition - Gateway Panel (@rxerium) [info]
  • [janitza-gridvis-detect] Janitza GridVis Energy Management - Detect (@rxerium) [info]
  • [janitza-umg-panel] Janitza UMG Power Meter - Login Panel (@rxerium) [info]
  • [jupyterhub-panel] JupyterHub Panel - Detect (@rxerium) [info]
  • [kaco-new-energy-detect] KACO New Energy Solar Inverter - Detect (@rxerium) [info]
  • [kaeser-sigma-air-manager-panel] Kaeser Sigma Air Manager - Panel (@Th3l0newolf) [info]
  • [kubeflow-pipelines-panel] Kubeflow Pipelines Panel - Detect (@rxerium) [info]
  • [langfuse-panel] Langfuse Panel - Detect (@ChrisJr404) [info]
  • [langsmith-panel] LangSmith Panel - Detect (@rxerium) [info]
  • [laravel-login-panel] Laravel Login - Panel Detection (@projectdiscoveryai) [info]
  • [letta-panel] Letta Panel - Detect (@rxerium) [info]
  • [linkwarden-panel] Linkwarden Panel - Detect (@ChrisJr404) [info]
  • [lmstudio-panel] LM Studio Panel - Detect (@rxerium) [info]
  • [localgpt-panel] LocalGPT Panel - Detect (@rxerium) [info]
  • [mageai-panel] Mage AI Panel - Detect (@ChrisJr404) [info]
  • [marimo-panel] Marimo Panel - Detect (@rxerium) [info]
  • [metaflow-ui-panel] Metaflow UI Panel - Detect (@rxerium) [info]
  • [microsys-promotic-panel] Microsys Promotic SCADA - Login Panel (@rxerium) [info]
  • [mlflow-panel] MLflow Panel - Detect (@rxerium) [info]
  • [morningstar-prostar-mppt-detect] Morningstar ProStar MPPT Solar Charge Controller - Detect (@rxerium) [info]
  • [moxa-mxview-panel] Moxa MXview One - Network Management Panel (@rxerium) [info]
  • [nmon-login-panel] nMon Panel - Detect (@Th3l0newolf) [info]
  • [openllm-panel] OpenLLM Panel - Detect (@rxerium) [info]
  • [openscada-panel] OpenSCADA - Panel (@rxerium) [info]
  • [opto22-groov-panel] Opto 22 groov - Panel (@rxerium) [info]
  • [osisoft-pi-vision-panel] OSIsoft PI Vision - Login Panel (@rxerium) [info]
  • [outback-power-detect] OutBack Power Mate3s Gateway - Detect (@rxerium) [info]
  • [perplexica-panel] Perplexica Panel - Detect (@rxerium) [info]
  • [pimcore-admin-login-panel] Pimcore Admin Login - Panel Detect (@Th3l0newolf) [info]
  • [polynote-panel] Polynote Panel - Detect (@rxerium) [info]
  • [ptc-thingworx-panel] PTC ThingWorx - Panel (@rxerium) [info]
  • [ragflow-panel] RAGFlow Panel - Detect (@rxerium) [info]
  • [raritan-pdu-panel] Raritan PDU - Login Panel (@rxerium) [info]
  • [redlion-hmi-panel] Red Lion HMI - Login Panel (@rxerium) [info]
  • [reliable-controls-panel] Reliable Controls MACH-Pro - Login Panel (@rxerium) [info]
  • [rockwell-factorytalk-viewpoint-panel] Rockwell Automation FactoryTalk ViewPoint - Panel (@rxerium) [info]
  • [scadabr-panel] ScadaBR - Login Panel (@rxerium) [info]
  • [schneider-tac-vista-panel] Schneider TAC Vista - Login Panel (@rxerium) [info]
  • [sel-rtac-panel] SEL Real-Time Automation Controller - Login Panel (@rxerium) [info]
  • [serge-panel] Serge Panel - Detect (@rxerium) [info]
  • [skyvern-panel] Skyvern Panel - Detect (@rxerium) [info]
  • [solar-log-panel] Solar-Log - Monitoring Panel (@rxerium) [info]
  • [solaredge-monitoring-panel] SolarEdge Monitoring - Login Panel (@rxerium) [info]
  • [sonar-poller-panel] Sonar Poller Login - Panel Detect (@Th3l0newolf) [info]
  • [splunk-mcp-server-ide-login] Splunk MCP Server IDE Login - Detect (@Th3l0newolf) [info]
  • [swarmui-panel] SwarmUI Panel - Detect (@rxerium) [info]
  • [taskingai-panel] TaskingAI Panel - Detect (@rxerium) [info]
  • [tensorboard-panel] TensorBoard Panel - Detect (@rxerium) [info]
  • [typebot-panel] Typebot Panel - Detect (@rxerium) [info]
  • [uisp-fiber-panel] UISP Fiber Panel - Detect (@Th3l0newolf) [info]
  • [unitronics-plc-panel] Unitronics PLC - Login Panel (@rxerium) [info]
  • [vanna-panel] Vanna AI Panel - Detect (@rxerium) [info]
  • [vllm-api-detect] vLLM OpenAI-Compatible Server - Detect (@ChrisJr404) [info]
  • [voila-panel] Voilà Panel - Detect (@rxerium) [info]
  • [vtscada-panel] VTScada - Internet Client Panel (@rxerium) [info]
  • [westermo-router-panel] Westermo Industrial Router - Login Panel (@rxerium) [info]
  • [windmill-panel] Windmill Panel - Detect (@ChrisJr404) [info]
  • [xinference-panel] Xinference Panel - Detect (@rxerium) [info]
  • [zitadel-panel] ZITADEL Panel - Detect (@ChrisJr404) [info]
  • [coveralls-configuration-file-exposure] Coveralls Configuration File Exposure (@0x_Akoko) [medium]
  • [librechat-config-exposure] librechat - Config Exposure (@icarot) [low]
  • [laravel-ignition-log-viewer] Laravel Ignition - Log Viewer Information Disclosure (@moamenbasel) [medium]
  • [grandstream-grp-panel] Grandstream GRP Panel - Detect (@dhiyaneshdk) [info]
  • [crypto-address-detect] Exposed Cryptocurrency Wallet Address (@rxerium) [info]
  • [gitea-userenum] Gitea - User Enumeration (@icarot) [low]
  • [hazelcast-management-exposure] Hazelcast Management Center - Configuration Exposure (@s3r4ph) [medium]
  • [uptime-kuma-installer] Uptime Kuma - Installer (@0x_Akoko) [high]
  • [kong-status-endpoint] Kong API Gateway - Internal Status Endpoint (@amjad Ali) [info]
  • [laravel-clockwork-exposure] Laravel Clockwork - Sensitive Information Exposure (@moamenbasel) [medium]
  • [laravel-debugbar-exposure] Laravel Debugbar - Sensitive Information Exposure (@moamenbasel) [medium]
  • [laravel-nova-unauth] Laravel Nova - Unauthenticated Admin Panel Access (@moamenbasel) [high]
  • [laravel-passport-keys-exposed] Laravel Passport - OAuth2 Keys Exposed (@moamenbasel) [high]
  • [laravel-pulse-unauth] Laravel Pulse - Unauthenticated Dashboard Access (@moamenbasel) [medium]
  • [laravel-sanctum-misconfig] Laravel Sanctum - Stateful Domain CSRF Misconfiguration (@moamenbasel) [medium]
  • [litellm-unauth-model-exposure] LiteLLM Proxy - Model Exposure (@DevamShah) [medium]
  • [puppetdb-dashboard-unauth] PuppetDB Dashboard - Unauthenticated Access (@dhiyaneshdk, @pussycat0x) [high]
  • [redis-exporter-metrics] Redis Exporter Metrics - Exposure (@KoungQ) [low]
  • [springboot-httpexchanges] Detects Springboot HTTP Exchanges Actuator (@parkyoungdu) [low]
  • [springboot-sbom] Spring Boot Actuator SBOM - Exposure (@KoungQ) [low]
  • [unauthenticated-opencode-web] OpenCode Web - Unauthenticated Access (@Kazgangap) [medium]
  • [bubble-detect] Bubble - Detect (@johnk3r) [info]
  • [infinispan-detect] Infinispan Console - Detection (@dhiyaneshdk) [info]
  • [ivanti-xtraction-detect] Ivanti Xtraction - Detect (@rxerium) [info]
  • [opendcim-detect] openDCIM - Detect (@rxerium) [info]
  • [sysreptor-detect] Sysreptor - Detection (@icarot) [info]
  • [divi-form-builder-detect] Divi Form Builder - Detect (@rxerium) [info]
  • [appsmith-info-disclosure] Appsmith <= v1.97 - Information Disclosure (@ritikchaddha) [medium]
  • [cpanel-mailman-xss] cPanel Mailman - Cross-Site Scripting (@yshahinzadeh, @AmirMSafari) [medium]
  • [phpjabbers-event-booking-xss] PHPJabbers Event Booking Calendar - Reflected XSS (@0x_Akoko) [medium]
  • [wp-livechat-stored-xss] WordPress LiveChat < 3.7.6 - Unauthenticated Stored XSS (@0x_Akoko) [high]
  • [ikev2-detect] IKEv2 Service - Detection (@pussycat0x) [info]
  • [ikev2-transforms-enum] IKEv2 Supported Transforms - Enumeration (@pussycat0x) [info]
  • [ikev2-vid-version] IKEv2 Deep Vendor ID Version - Detection (@pussycat0x) [info]
  • [daytime-detect] Daytime Service - Detect (@pussycat0x) [info]
  • [mssql-browser-detect] MS-SQL Browser Service - Detect (@pussycat0x) [info]
  • [netbios-udp-detect] NetBIOS Name Service (NBTStat) - Detect (@pussycat0x) [info]
  • [rpc-udp-detect] RPC Portmapper (UDP) - Detect (@pussycat0x) [info]

New Contributors

Full Changelog: v10.4.3...v10.4.4