New Templates Added: 74 | CVEs Added: 23 | First-time contributions: 6
๐ฅ Release Highlights ๐ฅ
- [CVE-2026-52815] Gogs < 0.14.3 - Unauth Organization Teams Disclosure (@0x_Akoko) [low] ๐ฅ
- [CVE-2026-50229] Apache Tomcat - Cross-Site Scripting (@yshahinzadeh, @AmirMSafari) [medium] ๐ฅ
- [CVE-2026-48611] phpBB < 3.3.17 - Auth Bypass (@aikido, @dhiyaneshdk) [critical] ๐ฅ
- [CVE-2026-48313] ColdFusion - Path Traversal (@watchtowr, @dhiyaneshdk) [high] ๐ฅ
- [CVE-2026-48282] Adobe ColdFusion - RDS Arbitrary File Write (@watchtowr, @dhiyaneshdk) [critical] (kev) (vKEV) ๐ฅ
- [CVE-2026-44381] MISP < 2.5.37 - SQL Injection (@malcha) [medium] ๐ฅ
- [CVE-2026-28496] FOSSBilling - Server-Side Template Injection (@dhiyaneshdk) [critical] (vKEV) ๐ฅ
- [CVE-2026-24207] NVIDIA Triton Inference Server <= 26.02 - Auth Bypass (@VixianSchool) [critical] ๐ฅ
- [CVE-2026-22778] vLLM 0.8.3 - 0.14.0 - Information Disclosure (@kenlacroix) [critical] ๐ฅ
- [CVE-2026-13731] WPBot <= 8.4.9 - Cross-Site Scripting (@0x_Akoko) [high] (vKEV) ๐ฅ
- [CVE-2026-8386] WP Go Maps < 10.0.10 - Unauth Marker Information Disclosure (@0x_Akoko) [medium] ๐ฅ
- [CVE-2026-8383] LearnPress < 4.3.7 - Information Disclosure (@0x_Akoko) [medium] ๐ฅ
- [CVE-2026-8037] Progress ADC LoadMaster - Command Injection (@watchtowr, @dhiyaneshdk) [critical] (vKEV) ๐ฅ
- [CVE-2026-3326] XStore Theme < 9.7.3 - SQL Injection (@VixianSchool) [high] ๐ฅ
- [CVE-2026-1890] LeadConnector < 3.0.22 - Unauth Arbitrary Data Write (@0x_Akoko) [medium] (vKEV) ๐ฅ
- [CVE-2025-29635] D-Link DIR-823X set_prohibiting - Command Injection (@pussycat0x) [high] (kev) (vKEV) ๐ฅ
What's Changed
Bug Fixes
- Fixed invalid matcher type in CVE-2025-29635 (PR #16506).
- Corrected incorrect delay seconds in the time-based SQL injection check (PR #16469).
- Fixed typo in tags from 'okiko' to 'okiok' (PR #16425).
- Corrected severity and description in concrete5-installer.yaml (PR #16523).
- Updated GitHub Pages takeover detection templates to reflect the new GitHub policy (Issue #10514).
- Fixed checksum generation ordering so it runs after template signing completes (PR #16450).
- Removed duplicate and obsolete templates: Tomcat exposed-panels duplicates (PR #16530), mikrotik-routeros-old.yaml (PR #16527), and 3dprint-arbitrary-file-upload.yaml (PR #16426).
- Corrected template names and file paths across a set of templates โ nuuo-network-login (PR #16547), fuji-xerox-internet-service (PR #16546), trino-unauth-cluster (PR #16560), echo-detect (PR #16559), XOOPS installer (PR #16531), osticket-installer (PR #16529), zoneminder-system-log (PR #16498), unauth-opcache-control-panel (PR #16424), fortiadc-panel (PR #16525), Checkmarx panel (PR #16519), Cisco TelePresence MCU / ServiceGrid / ACE 4710 panels (PRs #16522, #16521, #16520), Avaya Aura System Manager and Communication Manager panels (PRs #16518, #16517), joomla-com-fabrik-lfi (PR #16549), CVE-2016-9299 (PR #16548), and CVE-2025-47188 (PR #16433).
False Negatives
- Fixed regex in CVE-2026-1731 that failed on targets returning company instead of default_company (PR #16545, Issue #16544).
- Extended the Spring Boot heap dump template to cover additional BBO endpoints, catching instances previously missed (PR #16503, Issue #11653).
- Added more selectors to dkim-record-detect.yaml to reduce missed records (PR #16535).
- Added additional Keycloak admin panel paths (PR #16495, Issue #16376).
- Added another Spring Boot Actuator HTTP path (PR #16571).
False Positives
- Reduced false positives and improved accuracy in the following templates:
- CVE-2024-37881 โ excluded multiple WordPress endpoints and generic redirects (PRs #16494, #16504, Issue #16423)
- CVE-2024-34351 โ corrected wrong detection (PR #16500, Issue #11641)
- Time-based SQL injection detection (PR #16510)
- Casbin MCP Gateway default login (PR #16477)
- dns/caa โ now matches only the ANSWER section (PR #16453)
- apache-mod-negotiation-listing.yaml - incorrect severity (Issue #16540)
- CVE-2019-5544 (Issue #16484)
Enhancements
- Improved Inertia.js detection with proximity-bound matchers and additional adapters (PR #16435).
- Refactored the SMB shares enumeration script (PR #16507).
- Updated MinIO default login configuration (PR #16541).
- Updated details, tags, and descriptions in MyBB installer (PR #16528), DzzOffice installer panel (PR #16524), and CVE-2010-4282 remediation (PR #16427).
- Added reference links for CVE-2026-28496 (PR #16514) and CVE-2026-50751 (PR #16550).
- Bumped actions/checkout from 4 to 7 (PR #16444).
Templates Added
- [CVE-2026-59801] 9Router - Unauth LLM Provider API Exposure (@0x_Akoko) [critical]
- [CVE-2026-56782] Gorse < 0.5.10 - Unauth Database Dump (@0x_Akoko) [critical]
- [CVE-2026-52815] Gogs < 0.14.3 - Unauth Organization Teams Disclosure (@0x_Akoko) [low] ๐ฅ
- [CVE-2026-52774] YesWiki Bazar Widget - Reflected XSS via 'id' Parameter (@0x_Akoko) [medium]
- [CVE-2026-50229] Apache Tomcat - Cross-Site Scripting (@yshahinzadeh, @AmirMSafari) [medium] ๐ฅ
- [CVE-2026-48611] phpBB < 3.3.17 - Auth Bypass (@aikido, @dhiyaneshdk) [critical] ๐ฅ
- [CVE-2026-48313] ColdFusion - Path Traversal (@watchtowr, @dhiyaneshdk) [high] ๐ฅ
- [CVE-2026-48282] Adobe ColdFusion - RDS Arbitrary File Write (@watchtowr, @dhiyaneshdk) [critical] (kev) (vKEV) ๐ฅ
- [CVE-2026-46339] 9Router <= 0.4.36 - Unauth RCE (@0x_Akoko) [critical]
- [CVE-2026-44381] MISP < 2.5.37 - SQL Injection (@malcha) [medium] ๐ฅ
- [CVE-2026-34413] Xerte Online Toolkits <= 3.15 - Remote Code Execution (@Aryu-RU) [critical]
- [CVE-2026-30958] OneUptime < 10.0.21 - Path Traversal (@ashvinctrl, @iconnnjka) [high]
- [CVE-2026-28496] FOSSBilling - Server-Side Template Injection (@dhiyaneshdk) [critical] (vKEV) ๐ฅ
- [CVE-2026-24207] NVIDIA Triton Inference Server <= 26.02 - Auth Bypass (@VixianSchool) [critical] ๐ฅ
- [CVE-2026-22778] vLLM 0.8.3 - 0.14.0 - Information Disclosure (@kenlacroix) [critical] ๐ฅ
- [CVE-2026-13731] WPBot <= 8.4.9 - Cross-Site Scripting (@0x_Akoko) [high] (vKEV) ๐ฅ
- [CVE-2026-10823] YMC Filter WordPress - Unauth Post Disclosure (@Hardik-369) [high]
- [CVE-2026-8386] WP Go Maps < 10.0.10 - Unauth Marker Information Disclosure (@0x_Akoko) [medium] ๐ฅ
- [CVE-2026-8383] LearnPress < 4.3.7 - Information Disclosure (@0x_Akoko) [medium] ๐ฅ
- [CVE-2026-8037] Progress ADC LoadMaster - Command Injection (@watchtowr, @dhiyaneshdk) [critical] (vKEV) ๐ฅ
- [CVE-2026-3326] XStore Theme < 9.7.3 - SQL Injection (@VixianSchool) [high] ๐ฅ
- [CVE-2026-1890] LeadConnector < 3.0.22 - Unauth Arbitrary Data Write (@0x_Akoko) [medium] (vKEV) ๐ฅ
- [CVE-2025-29635] D-Link DIR-823X set_prohibiting - Command Injection (@pussycat0x) [high] (kev) (vKEV) ๐ฅ
- [dns-internal-ip-disclosure] Public DNS Resolving to Private IP Addresses (@infosec-asish, @DevamShah) [info]
- [dahua-icc-default-login] Dahua ICC Default Login (@dhiyaneshdk) [high]
- [array-networks-ssl-vpn-panel] Array Networks SSL VPN - Login Panel (@rxerium) [info]
- [aruba-via-vpn-panel] Aruba VIA VPN - Login Panel (@rxerium) [info]
- [cradlepoint-gateway-panel] CradlePoint Gateway - Login Panel (@rxerium) [info]
- [ctrlpanel-panel] CtrlPanel Login Panel - Detect (@theamanrawat) [info]
- [cyberoam-firewall-panel] Cyberoam Firewall - Login Panel (@rxerium) [info]
- [ddwrt-panel] DD-WRT - Router Panel (@rxerium) [info]
- [ecessa-panel] Ecessa WANworX - Login Panel (@rxerium) [info]
- [elfiq-panel] Elfiq Link Balancer - Login Panel (@rxerium) [info]
- [endian-firewall-panel] Endian Firewall - Login Panel (@rxerium) [info]
- [featherpanel-panel] FeatherPanel Panel - Detect (@Th3l0newolf) [info]
- [firemon-asset-manager-panel] FireMon Asset Manager - Login Panel (@rxerium) [info]
- [fortinet-fortianalyzer-panel] Fortinet FortiAnalyzer - Login Panel (@rxerium) [info]
- [headscale-panel] Headscale - Login Panel (@rxerium) [info]
- [hillstone-ssl-vpn-panel] Hillstone Networks SSL VPN - Login Panel (@rxerium) [info]
- [jotty-page-login-panel] jottyยทpage Login - Panel Detect (@Th3l0newolf) [info]
- [kestra-panel] Kestra Login - Panel Detect (@Th3l0newolf) [info]
- [maxkb-panel] MaxKB Panel - Detect (@rxerium) [info]
- [netgate-pfsenseplus-panel] Netgate pfSense Plus - Login Panel (@rxerium) [info]
- [netsweeper-webadmin-panel] Netsweeper WebAdmin - Login Panel (@rxerium) [info]
- [nuage-networks-vsp-panel] Nokia Nuage Networks VSP - Dashboard Panel (@rxerium) [info]
- [ocserv-panel] OpenConnect VPN Server (ocserv) - Detect (@rxerium) [info]
- [peplink-incontrol-panel] Peplink InControl - Login Panel (@rxerium) [info]
- [qualys-cloud-platform-login] Qualys Cloud Platform Login Panel - Detect (@rxerium) [info]
- [sangfor-iam-panel] Sangfor Internet Access Management - Login Panel (@rxerium) [info]
- [sangfor-ngaf-panel] Sangfor Next-Generation Application Firewall (NGAF) - Login Panel (@rxerium) [info]
- [silver-peak-edgeconnect-panel] Silver Peak / HPE Aruba EdgeConnect - Orchestrator Panel (@rxerium) [info]
- [sma-opcon-panel] SMA OpCon Panel - Detect (@righettod) [info]
- [smoothwall-firewall-panel] Smoothwall Firewall - Login Panel (@rxerium) [info]
- [sonicwall-analytics-panel] SonicWall Analytics - Login Panel (@rxerium) [info]
- [sophos-utm-panel] Sophos UTM User Portal - Login Panel (@rxerium) [info]
- [stormshield-network-security-panel] Stormshield Network Security - Login Panel (@rxerium) [info]
- [thegreenbowvpn-panel] TheGreenBow VPN - Login Panel (@rxerium) [info]
- [trend-micro-deep-security-panel] Trend Micro Deep Security Manager - Login Panel (@rxerium) [info]
- [ubiquiti-edgerouter-panel] Ubiquiti EdgeRouter - Login Panel (@rxerium) [info]
- [unifi-securitygateway-panel] Ubiquiti UniFi Security Gateway - Login Panel (@rxerium) [info]
- [wg-easy-panel] WireGuard Easy (wg-easy) - Login Panel (@rxerium) [info]
- [zywall-usg-panel] ZyXEL ZyWALL USG - Login Panel (@rxerium) [info]
- [openremote-detect] OpenRemote IoT Platform - Detection (@pussycat0x) [info]
- [ctrlpanel-installer] CtrlPanel Installer Exposure (@theamanrawat) [high]
- [marimo-unauth] motionEye Partial - Auth Bypass (@pussycat0x) [critical]
- [seaweedfs-unauth] SeaweedFS Filer - Unauth Access (@Th3l0newolf) [high]
- [godaddy-parked-domain] GoDaddy Parked Domain - Subdomain Takeover (@ritikchaddha) [medium]
- [bitnami-apache-solr] Bitnami Apache Solr Stack - Detection (@Th3l0newolf) [info]
- [google-iap-detect] Google Identity-Aware Proxy (IAP) - Detect (@davidfegyver) [info]
- [tibco-businessworks-detect] TIBCO BusinessWorks - Detect (@righettod) [info]
- [ecology-execforstr-rce] Weaver Ecology ExecForStr Remote Command Execution (@dhiyaneshdk) [critical]
- [weaver-ecology9-doc-list-sqli] Weaver E-cology9 api/doc/out/more/list SQL Injection (@dhiyaneshdk) [high]
- [weaver-getemdslist-disclosure] Weaver E-cology getEmDsList Sensitive Information Disclosure (@dhiyaneshdk) [high]
- [open-socks-proxy] Open SOCKS4/SOCKS5 proxy (@snicket2100) [medium]
New Contributors
- @haemuls made their first contribution in #16259
- @AliHzSec made their first contribution in #16477
- @Hardik-369 made their first contribution in #16488
- @ashvinctrl made their first contribution in #16449
- @VixianSchool made their first contribution in #16478
- @eloydegen made their first contribution in #16535
Full Changelog: v10.4.5...v10.4.6