github projectdiscovery/nuclei-templates v10.4.6
Nuclei Templates v10.4.6 - Release Notes

4 hours ago

New Templates Added: 74 | CVEs Added: 23 | First-time contributions: 6

๐Ÿ”ฅ Release Highlights ๐Ÿ”ฅ

What's Changed

Bug Fixes

  • Fixed invalid matcher type in CVE-2025-29635 (PR #16506).
  • Corrected incorrect delay seconds in the time-based SQL injection check (PR #16469).
  • Fixed typo in tags from 'okiko' to 'okiok' (PR #16425).
  • Corrected severity and description in concrete5-installer.yaml (PR #16523).
  • Updated GitHub Pages takeover detection templates to reflect the new GitHub policy (Issue #10514).
  • Fixed checksum generation ordering so it runs after template signing completes (PR #16450).
  • Removed duplicate and obsolete templates: Tomcat exposed-panels duplicates (PR #16530), mikrotik-routeros-old.yaml (PR #16527), and 3dprint-arbitrary-file-upload.yaml (PR #16426).
  • Corrected template names and file paths across a set of templates โ€” nuuo-network-login (PR #16547), fuji-xerox-internet-service (PR #16546), trino-unauth-cluster (PR #16560), echo-detect (PR #16559), XOOPS installer (PR #16531), osticket-installer (PR #16529), zoneminder-system-log (PR #16498), unauth-opcache-control-panel (PR #16424), fortiadc-panel (PR #16525), Checkmarx panel (PR #16519), Cisco TelePresence MCU / ServiceGrid / ACE 4710 panels (PRs #16522, #16521, #16520), Avaya Aura System Manager and Communication Manager panels (PRs #16518, #16517), joomla-com-fabrik-lfi (PR #16549), CVE-2016-9299 (PR #16548), and CVE-2025-47188 (PR #16433).

False Negatives

  • Fixed regex in CVE-2026-1731 that failed on targets returning company instead of default_company (PR #16545, Issue #16544).
  • Extended the Spring Boot heap dump template to cover additional BBO endpoints, catching instances previously missed (PR #16503, Issue #11653).
  • Added more selectors to dkim-record-detect.yaml to reduce missed records (PR #16535).
  • Added additional Keycloak admin panel paths (PR #16495, Issue #16376).
  • Added another Spring Boot Actuator HTTP path (PR #16571).

False Positives

  • Reduced false positives and improved accuracy in the following templates:
  • CVE-2024-37881 โ€” excluded multiple WordPress endpoints and generic redirects (PRs #16494, #16504, Issue #16423)
  • CVE-2024-34351 โ€” corrected wrong detection (PR #16500, Issue #11641)
  • Time-based SQL injection detection (PR #16510)
  • Casbin MCP Gateway default login (PR #16477)
  • dns/caa โ€” now matches only the ANSWER section (PR #16453)
  • apache-mod-negotiation-listing.yaml - incorrect severity (Issue #16540)
  • CVE-2019-5544 (Issue #16484)

Enhancements

  • Improved Inertia.js detection with proximity-bound matchers and additional adapters (PR #16435).
  • Refactored the SMB shares enumeration script (PR #16507).
  • Updated MinIO default login configuration (PR #16541).
  • Updated details, tags, and descriptions in MyBB installer (PR #16528), DzzOffice installer panel (PR #16524), and CVE-2010-4282 remediation (PR #16427).
  • Added reference links for CVE-2026-28496 (PR #16514) and CVE-2026-50751 (PR #16550).
  • Bumped actions/checkout from 4 to 7 (PR #16444).

Templates Added

  • [CVE-2026-59801] 9Router - Unauth LLM Provider API Exposure (@0x_Akoko) [critical]
  • [CVE-2026-56782] Gorse < 0.5.10 - Unauth Database Dump (@0x_Akoko) [critical]
  • [CVE-2026-52815] Gogs < 0.14.3 - Unauth Organization Teams Disclosure (@0x_Akoko) [low] ๐Ÿ”ฅ
  • [CVE-2026-52774] YesWiki Bazar Widget - Reflected XSS via 'id' Parameter (@0x_Akoko) [medium]
  • [CVE-2026-50229] Apache Tomcat - Cross-Site Scripting (@yshahinzadeh, @AmirMSafari) [medium] ๐Ÿ”ฅ
  • [CVE-2026-48611] phpBB < 3.3.17 - Auth Bypass (@aikido, @dhiyaneshdk) [critical] ๐Ÿ”ฅ
  • [CVE-2026-48313] ColdFusion - Path Traversal (@watchtowr, @dhiyaneshdk) [high] ๐Ÿ”ฅ
  • [CVE-2026-48282] Adobe ColdFusion - RDS Arbitrary File Write (@watchtowr, @dhiyaneshdk) [critical] (kev) (vKEV) ๐Ÿ”ฅ
  • [CVE-2026-46339] 9Router <= 0.4.36 - Unauth RCE (@0x_Akoko) [critical]
  • [CVE-2026-44381] MISP < 2.5.37 - SQL Injection (@malcha) [medium] ๐Ÿ”ฅ
  • [CVE-2026-34413] Xerte Online Toolkits <= 3.15 - Remote Code Execution (@Aryu-RU) [critical]
  • [CVE-2026-30958] OneUptime < 10.0.21 - Path Traversal (@ashvinctrl, @iconnnjka) [high]
  • [CVE-2026-28496] FOSSBilling - Server-Side Template Injection (@dhiyaneshdk) [critical] (vKEV) ๐Ÿ”ฅ
  • [CVE-2026-24207] NVIDIA Triton Inference Server <= 26.02 - Auth Bypass (@VixianSchool) [critical] ๐Ÿ”ฅ
  • [CVE-2026-22778] vLLM 0.8.3 - 0.14.0 - Information Disclosure (@kenlacroix) [critical] ๐Ÿ”ฅ
  • [CVE-2026-13731] WPBot <= 8.4.9 - Cross-Site Scripting (@0x_Akoko) [high] (vKEV) ๐Ÿ”ฅ
  • [CVE-2026-10823] YMC Filter WordPress - Unauth Post Disclosure (@Hardik-369) [high]
  • [CVE-2026-8386] WP Go Maps < 10.0.10 - Unauth Marker Information Disclosure (@0x_Akoko) [medium] ๐Ÿ”ฅ
  • [CVE-2026-8383] LearnPress < 4.3.7 - Information Disclosure (@0x_Akoko) [medium] ๐Ÿ”ฅ
  • [CVE-2026-8037] Progress ADC LoadMaster - Command Injection (@watchtowr, @dhiyaneshdk) [critical] (vKEV) ๐Ÿ”ฅ
  • [CVE-2026-3326] XStore Theme < 9.7.3 - SQL Injection (@VixianSchool) [high] ๐Ÿ”ฅ
  • [CVE-2026-1890] LeadConnector < 3.0.22 - Unauth Arbitrary Data Write (@0x_Akoko) [medium] (vKEV) ๐Ÿ”ฅ
  • [CVE-2025-29635] D-Link DIR-823X set_prohibiting - Command Injection (@pussycat0x) [high] (kev) (vKEV) ๐Ÿ”ฅ
  • [dns-internal-ip-disclosure] Public DNS Resolving to Private IP Addresses (@infosec-asish, @DevamShah) [info]
  • [dahua-icc-default-login] Dahua ICC Default Login (@dhiyaneshdk) [high]
  • [array-networks-ssl-vpn-panel] Array Networks SSL VPN - Login Panel (@rxerium) [info]
  • [aruba-via-vpn-panel] Aruba VIA VPN - Login Panel (@rxerium) [info]
  • [cradlepoint-gateway-panel] CradlePoint Gateway - Login Panel (@rxerium) [info]
  • [ctrlpanel-panel] CtrlPanel Login Panel - Detect (@theamanrawat) [info]
  • [cyberoam-firewall-panel] Cyberoam Firewall - Login Panel (@rxerium) [info]
  • [ddwrt-panel] DD-WRT - Router Panel (@rxerium) [info]
  • [ecessa-panel] Ecessa WANworX - Login Panel (@rxerium) [info]
  • [elfiq-panel] Elfiq Link Balancer - Login Panel (@rxerium) [info]
  • [endian-firewall-panel] Endian Firewall - Login Panel (@rxerium) [info]
  • [featherpanel-panel] FeatherPanel Panel - Detect (@Th3l0newolf) [info]
  • [firemon-asset-manager-panel] FireMon Asset Manager - Login Panel (@rxerium) [info]
  • [fortinet-fortianalyzer-panel] Fortinet FortiAnalyzer - Login Panel (@rxerium) [info]
  • [headscale-panel] Headscale - Login Panel (@rxerium) [info]
  • [hillstone-ssl-vpn-panel] Hillstone Networks SSL VPN - Login Panel (@rxerium) [info]
  • [jotty-page-login-panel] jottyยทpage Login - Panel Detect (@Th3l0newolf) [info]
  • [kestra-panel] Kestra Login - Panel Detect (@Th3l0newolf) [info]
  • [maxkb-panel] MaxKB Panel - Detect (@rxerium) [info]
  • [netgate-pfsenseplus-panel] Netgate pfSense Plus - Login Panel (@rxerium) [info]
  • [netsweeper-webadmin-panel] Netsweeper WebAdmin - Login Panel (@rxerium) [info]
  • [nuage-networks-vsp-panel] Nokia Nuage Networks VSP - Dashboard Panel (@rxerium) [info]
  • [ocserv-panel] OpenConnect VPN Server (ocserv) - Detect (@rxerium) [info]
  • [peplink-incontrol-panel] Peplink InControl - Login Panel (@rxerium) [info]
  • [qualys-cloud-platform-login] Qualys Cloud Platform Login Panel - Detect (@rxerium) [info]
  • [sangfor-iam-panel] Sangfor Internet Access Management - Login Panel (@rxerium) [info]
  • [sangfor-ngaf-panel] Sangfor Next-Generation Application Firewall (NGAF) - Login Panel (@rxerium) [info]
  • [silver-peak-edgeconnect-panel] Silver Peak / HPE Aruba EdgeConnect - Orchestrator Panel (@rxerium) [info]
  • [sma-opcon-panel] SMA OpCon Panel - Detect (@righettod) [info]
  • [smoothwall-firewall-panel] Smoothwall Firewall - Login Panel (@rxerium) [info]
  • [sonicwall-analytics-panel] SonicWall Analytics - Login Panel (@rxerium) [info]
  • [sophos-utm-panel] Sophos UTM User Portal - Login Panel (@rxerium) [info]
  • [stormshield-network-security-panel] Stormshield Network Security - Login Panel (@rxerium) [info]
  • [thegreenbowvpn-panel] TheGreenBow VPN - Login Panel (@rxerium) [info]
  • [trend-micro-deep-security-panel] Trend Micro Deep Security Manager - Login Panel (@rxerium) [info]
  • [ubiquiti-edgerouter-panel] Ubiquiti EdgeRouter - Login Panel (@rxerium) [info]
  • [unifi-securitygateway-panel] Ubiquiti UniFi Security Gateway - Login Panel (@rxerium) [info]
  • [wg-easy-panel] WireGuard Easy (wg-easy) - Login Panel (@rxerium) [info]
  • [zywall-usg-panel] ZyXEL ZyWALL USG - Login Panel (@rxerium) [info]
  • [openremote-detect] OpenRemote IoT Platform - Detection (@pussycat0x) [info]
  • [ctrlpanel-installer] CtrlPanel Installer Exposure (@theamanrawat) [high]
  • [marimo-unauth] motionEye Partial - Auth Bypass (@pussycat0x) [critical]
  • [seaweedfs-unauth] SeaweedFS Filer - Unauth Access (@Th3l0newolf) [high]
  • [godaddy-parked-domain] GoDaddy Parked Domain - Subdomain Takeover (@ritikchaddha) [medium]
  • [bitnami-apache-solr] Bitnami Apache Solr Stack - Detection (@Th3l0newolf) [info]
  • [google-iap-detect] Google Identity-Aware Proxy (IAP) - Detect (@davidfegyver) [info]
  • [tibco-businessworks-detect] TIBCO BusinessWorks - Detect (@righettod) [info]
  • [ecology-execforstr-rce] Weaver Ecology ExecForStr Remote Command Execution (@dhiyaneshdk) [critical]
  • [weaver-ecology9-doc-list-sqli] Weaver E-cology9 api/doc/out/more/list SQL Injection (@dhiyaneshdk) [high]
  • [weaver-getemdslist-disclosure] Weaver E-cology getEmDsList Sensitive Information Disclosure (@dhiyaneshdk) [high]
  • [open-socks-proxy] Open SOCKS4/SOCKS5 proxy (@snicket2100) [medium]

New Contributors

Full Changelog: v10.4.5...v10.4.6

Don't miss a new nuclei-templates release

NewReleases is sending notifications on new releases.