Nuclei Templates v10.3.5 - Release Notes

New Templates Added: 57 | CVEs Added: 33

🔥 Release Highlights 🔥

• [CVE-2025-55182] React Server Components - Remote Code Execution [critical] 🔥 (vKEV)
• [CVE-2024-6220] WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload (@hnd3884) [critical] 🔥 (vKEV)
• [CVE-2023-37999] HT Mega <= 2.2.0 - Missing Auth to Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-30869] Easy Digital Downloads - Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-3277] MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-2734] MStore API <= 3.9.1 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2022-34487] ShortCode Addons - Unauthenticated Options Update (@Sourabh-Sahu) [critical] 🔥 (vKEV)
• [CVE-2022-33198] WordPress Accordions - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2021-36888] WordPress Image Hover Ultimate - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2021-4073] RegistrationMagic <= 5.0.1.7 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2019-25213] WordPress Advanced Access Manager - Path Traversal (@riteshs4hu) [critical] 🔥 (vKEV)

What's Changed

Bug Fixes

• Fixed path for CVE-2022-28666 from 2021 to 2022 directory (PR #14183)
• Fixed path for CVE-2021-4449 (PR #14182)
• Fixed path for CVE-2024-47308 (PR #14180)
• Corrected file naming for CVE-2021-35211 (PR #14162)
• Updated CVE-2024-9161 template (PR #14159)
• Updated CSP script-src wildcard template (PR #14117)

False Negatives

• Fixed false negative in CVE-2022-31181 by adding product to wishlist functionality (Issue #13938, PR #14112)
• Corrected username and password in CVE-2022-0206 to reduce false negatives (PR #14148)
• Corrected username and password in CVE-2015-4063 to reduce false negatives (PR #14133)

False Positives

• Removed mailgun-takeover template due to false positive detections (Issue #13900, PR #14113)
• Fixed false positive in wp-functions-php-disclosure.yaml (PR #14124)
• Prevented false positive matches in CVE-2024-55591 (PR #14106)
• Reduced false positives in CVE-2021-45467 (PR #14086)

Enhancements

• Enhanced CVE-2025-55182 template with updated authors and details (PR #14235)
• Updated POC for CVE-2025-55182 (PR #14229)
• Added new templates, fixed false positives, and enhanced existing templates (PR #14081)

Templates Added

• [CVE-2025-55182] React Server Components - Remote Code Execution (@dhiyaneshdk, @princechaddha, @assetnote, @lachlan2k, @maple3142, @Iamnooob) [critical] 🔥 (vKEV)
• [CVE-2025-51586] PrestaShop - Information Disclosure (@mastercho) [medium] 🔥
• [CVE-2025-47445] WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download (@hnd3884) [high] 🔥 (vKEV)
• [CVE-2025-11307] WP Google Maps < 9.0.48 - Cross-Site Scripting (@0x_Akoko) [high] 🔥
• [CVE-2025-10211] ChanCMS <= 3.3.0 - Server-Side Request Forgery (@Yu_Bao) [medium]
• [CVE-2025-10210] ChanCMS <= 3.3.0 - SQL Injection (@Yu_Bao) [medium]
• [CVE-2025-5301] ONLYOFFICE Docs (DocumentServer) - Reflected Cross-Site Scripting (@theamanrawat) [medium]
• [CVE-2024-47308] Templately <= 3.1.2 - Broken Access Control (@popcorn94) [medium] 🔥 (vKEV)
• [CVE-2024-9161] Rank Math SEO < 1.0.229 - Unauthenticated User and Term Metadata Insert/Update/Deletion (@Kazgangap) [medium] 🔥 (vKEV)
• [CVE-2024-6555] WP Popups - Information Disclosure (@theamanrawat) [medium]
• [CVE-2024-6220] WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload (@hnd3884) [critical] 🔥 (vKEV)
• [CVE-2023-41954] ProfilePress <= 4.13.1 — Unauthenticated Privilege Escalation (@daffainfo) [high] 🔥 (vKEV)
• [CVE-2023-40211] Post Grid <= 2.2.50 - Information Exposure via REST API (@daffainfo) [high]
• [CVE-2023-38875] PHP Login System 2.0.1 - Cross-Site Scripting (@0x_Akoko) [medium]
• [CVE-2023-37999] HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-30869] Easy Digital Downloads - Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-5815] News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Local File Inclusion (@daffainfo) [high]
• [CVE-2023-3277] MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-2734] MStore API <= 3.9.1 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2022-34487] ShortCode Addons - Unauthenticated Options Update (@Sourabh-Sahu) [critical] 🔥 (vKEV)
• [CVE-2022-33198] WordPress Accordions - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2022-31101] Prestashop Blockwishlist 2.1.0 SQL Injection (@mastercho) [high] 🔥
• [CVE-2022-28666] Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update (@Sourabh-Sahu) [medium]
• [CVE-2022-0879] Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting (@0x_Akoko) [medium]
• [CVE-2021-36888] WordPress Image Hover Ultimate - Unauthenticated Settings Update (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2021-23394] elFinder < 2.1.58 - Remote Code Execution (@0xanis) [high]
• [CVE-2021-4073] RegistrationMagic <= 5.0.1.7 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2020-11732] Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion (@Sourabh-Sahu) [high]
• [CVE-2019-25213] WordPress Advanced Access Manager - Path Traversal (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2019-17671] WordPress <= 5.2.4 - Unauthenticated View Private/Draft Posts (@0x_Akoko) [medium]
• [CVE-2019-14950] WP Live Chat Support <= 8.0.27 — Stored Cross-Site Scripting (@daffainfo) [medium]
• [CVE-2019-10647] ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE) (@Sourabh-Sahu) [critical]
• [CVE-2018-17082] Apache2 - Transfer-Encoding Chunked XSS (@dhiyaneshdk) [medium]
• [google-storage-csp-bypass] Content-Security-Policy Bypass - Google Storage (@0x_Akoko) [medium]
• [spf-limit-lookup] SPF record DNS lookup limit (@theamanrawat) [info]
• [redis-commander-default-login] Redis Commander - Default Login (@dhiyaneshdk) [high]
• [ship-manager-dnv] Ship Manager DNV - Panel (@rxerium) [info]
• [apache-hive-config] Apache Hive Configuration - Exposure (@icarot) [medium]
• [codeclimate-config-exposure] CodeClimate Configuration File - Exposure (@0x_Akoko) [info]
• [deprecated-feature-policy] Deprecated Feature-Policy Header - Detection (@ritikchaddha) [info]
• [expect-ct-misconfigured] Expect-CT Header - Misconfigured (@theamanrawat) [info]
• [jenkins-users-exposure] Jenkins Users - Exposure (@theamanrawat) [info]
• [kafka-api-cluster] Kafka Operation API - Cluster (@dhiyaneshdk) [high]
• [unauth-munin] Munin Monitoring Dashboard - Exposure (@0x_Akoko) [medium]
• [weak-csp-detect] Weak Content Security Policy - Detect (@pussycat0x) [low]
• [apache-hive-detect] Apache Hive - Detect (@icarot) [info]
• [apache-httpd-eol] Apache HTTP Server End-of-Life - Detect (@Shivam Kamboj) [info]
• [laravel-eol] Laravel End-of-Life Detection (@Shivam Kamboj) [info]
• [nginx-eol] Nginx End-of-Life - Detect (@Shivam Kamboj) [info]
• [php-eol] PHP End-of-Life - Detect (@Shivam Kamboj) [info]
• [sharepoint-lists-api-disclosure] Microsoft SharePoint - List API Disclosure (@theamanrawat) [low]
• [wp-bbpress-fpd] WordPress bbPress Plugin - Full Path Disclosure (@0x_Akoko) [info]
• [wp-fastest-cache-fpd] WordPress WP Fastest Cache Plugin - Full Path Disclosure (@0x_Akoko) [info]
• [wp-mailchimp-for-wp-fpd] WordPress Mailchimp for WordPress Plugin - Full Path Disclosure (@0x_Akoko) [info]
• [wp-twentyfifteen-fpd] WordPress Twenty Fifteen Theme - Full Path Disclosure (@0x_Akoko) [info]
• [dameng-detect] Dameng Database - Detect (@pussycat0x) [info]
• [vnc-workflow] VNC Security Checks (@pussycat0x) [unknown]

New Contributors

• @murataslan1 made their first contribution in #14113

Full Changelog: v10.3.4...v10.3.5

Nuclei Templates v10.3.4 - Release Notes

New Templates Added: 68 | CVEs Added: 27 | First-time contributions: 11 | Bounties rewarded: 3

🔥 Release Highlights 🔥

• [CVE-2025-64764] Astro - Reflected XSS via server islands feature (@dhiyaneshdk, @zhero___) [high] 🔥
• [CVE-2025-61757] Oracle Identity Manager WebService - Auth Bypass (@ritikchaddha) [critical] 🔥 (vKEV)
• [CVE-2025-58360] GeoServer - XML External Entity Injection (@lbb, @xbow, @darses) [high] 🔥
• [CVE-2025-49706] Microsoft SharePoint Server - Auth Bypass (@daffainfo) [medium] 🔥 (vKEV)
• [CVE-2025-27915] Zimbra - XSS (@Snbig, @EhsanCreator, @eliotworkspac-max) [medium] 🔥 (vKEV)
• [CVE-2025-11833] Post SMTP <= 3.6.0 - Email Log Disclosure (@Kazgangap) [critical] 🔥 (vKEV)
• [CVE-2022-29081] Zoho ManageEngine - Access Control Bypass (@0xanis) [critical] 🔥 (vKEV)
• [CVE-2021-34427] Eclipse BIRT Viewer - Remote Code Execution (@us3r777, @synacktiv) [critical] 🔥
• [CVE-2021-4462] Employee Records System 1.0 - Unauth File Upload RCE (@JosephTTD) [critical] 🔥 (vKEV)
• [CVE-2021-4449] ZoomSounds Plugin - Unauth Arbitrary File Upload (@0xnemian) [critical] 🔥 (vKEV)
• [CVE-2017-5983] JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - RCE (XXE) (@us3r777, @synacktiv) [critical] 🔥

What's Changed

💰 Bounties Rewarded 💰

• CVE-2021-4462 - Employee Records System - Unrestricted File Upload 💰 (Issue #14040).
• CVE-2022-29081 - Zoho ManageEngine - Access Control Bypass 💰 (Issue #13982).
• CVE-2021-4449 - ZoomSounds WordPress - Unrestricted File Upload 💰 (Issue #13886).

Bug Fixes

• Fix CVE-2024-23897 (PR #13608).

False Negatives

• FIX [FALSE-NEGATIVE] error-logs template fails to detect exposed log files without Content-Type header (PR #14025).
• chore: remove redundant condition in CVE-2024-9047.yaml (PR #13496).
• [FALSE-NEGATIVE] error-logs template fails to detect exposed log files without Content-Type header (Issue #13519).

False Positives

• Fix FP wp-twenty-theme-fpd.yaml (PR #14048).
• Fix FP CVE-2020-26948.yaml (PR #13978).

Enhancements

• Update CVE-2025-58360 (PR #14088).
• Update unavailable documentation URLs (PR #14075).
• Refactor the "JITSI" template. (PR #14054).
• feat: Update Next.js detection (PR #14033).
• Update CVE-2025-20362 (PR #14016).
• Enhance Next.js/Vite public env exposure config (PR #14013).
• Improve CVE-2020-14179 detection with customfield identifier (PR #14007).
• Updated CVE-2017-9841 with new eval-stdin.php paths (PR #13991).
• chore: update CVE-2021-39226 (PR #13918).

Templates Added

• [CVE-2025-64764] Astro - Reflected XSS via server islands feature (@dhiyaneshdk, @zhero___) [high] 🔥
• [CVE-2025-64525] Astro - Broken Access Control (@zhero___, @dhiyaneshdk) [medium] 🔥
• [CVE-2025-61757] Oracle Identity Manager REST WebServices - Authentication Bypass (@ritikchaddha) [critical] 🔥 (vKEV)
• [CVE-2025-58360] GeoServer - XML External Entity Injection (@lbb, @xbow, @darses) [high] 🔥
• [CVE-2025-55523] Agent-Zero 0.8.0 - 0.9.4 - Arbitrary File Download (@0x_Akoko) [high]
• [CVE-2025-49706] Microsoft SharePoint Server - Authentication Bypass (@daffainfo) [medium] 🔥 (vKEV)
• [CVE-2025-27915] Zimbra - Cross-Site Scripting via ICS Files (@Snbig, @EhsanCreator, @eliotworkspac-max) [medium] 🔥 (vKEV)
• [CVE-2025-13315] Twonky Server 8.5.2 on Linux and Windows - Log File Exposure (@pussycat0x) [critical]
• [CVE-2025-12055] MPDV Mikrolab GmbH HYDRA X, MIP 2 & FEDRA 2 - Path Traversal (@theamanrawat) [high]
• [CVE-2025-11833] Post SMTP <= 3.6.0 - Email Log Disclosure (@Kazgangap) [critical] 🔥 (vKEV)
• [CVE-2025-11700] N-central - XML External Entities Injection (@dhiyaneshdk, @horizon3ai) [high]
• [CVE-2025-10204] AC Smart II - Authentication Bypass (@theeldruin) [high]
• [CVE-2025-9316] N-central - Authentication Bypass (@dhiyaneshdk, @horizon3ai) [medium]
• [CVE-2025-7901] yangzongzhuan RuoYi - DOM Based XSS (@nikhil Patidar) [medium]
• [CVE-2024-53995] SickChill - Open Redirect (@omarkurt) [low]
• [CVE-2024-20404] Cisco Finesse - Server-Side Request Forgery (SSRF) (@0x_Akoko) [medium] 🔥
• [CVE-2022-29081] Zoho ManageEngine - Access Control Bypass (@0xanis) [critical] 🔥 (vKEV)
• [CVE-2021-34427] Eclipse BIRT Viewer - Remote Code Execution (@us3r777, @synacktiv) [critical] 🔥
• [CVE-2021-4462] Employee Records System 1.0 - Unauthenticated File Upload RCE (@JosephTTD) [critical] 🔥 (vKEV)
• [CVE-2021-4449] ZoomSounds Plugin - Unauthenticated Arbitrary File Upload (@0xnemian) [critical] 🔥 (vKEV)
• [CVE-2019-19825] TOTOLINK/Realtek Routers - CAPTCHA Bypass (@ritikchaddha) [critical]
• [CVE-2019-19823] TOTOLINK/Realtek Routers - Information Disclosure (@ritikchaddha) [high]
• [CVE-2019-19822] TOTOLINK/Realtek Routers - Information Disclosure (@ritikchaddha) [high]
• [CVE-2018-13317] TOTOLINK A3002RU 1.0.8 - Information Disclosure (@ritikchaddha) [medium]
• [CVE-2017-17092] WordPress < 4.9.1 - Authenticated JavaScript File Upload (@0x_Akoko) [medium]
• [CVE-2017-14725] WordPress < 4.8.2 - Authenticated Open Redirect (@0x_Akoko) [medium]
• [CVE-2017-5983] JIRA Workflow Designer Plugin in Atlassian JIRA Server > 6.3.0 - Remote Code Execution (XXE) (@us3r777, @synacktiv) [critical] 🔥
• [jquery-cdn-csp-bypass] Content-Security-Policy Bypass - jQuery CDN (@0x_Akoko) [medium]
• [shai-hulud-supply-chain] Shai Hulud 2.0 - Supply Chain Malware Detection (@princechaddha, @wiz-research) [critical]
• [traggo-default-login] Traggo - Default Login (@0x_Akoko) [high]
• [vtigercrm-default-login] Vtiger CRM - Default Login (@icarot) [high]
• [cluster-trino-panel] Cluster Overview Trino - Panel (@dhiyaneshdk) [info]
• [vtigercrm-exposed-directory] Vtiger CRM - Exposed Directory (@icarot) [low]
• [crypto-address-detect] Exposed Cryptocurrency Wallet Address (@rxerium) [info]
• [aem-anonymous-write] Adobe Experience Manager (AEM) - Anonymous JCR Node Creation (@dhiyaneshdk, @0ang3el) [high]
• [blackbox-exporter-exposure] Blackbox Exporter - Exposure (@dhiyaneshdk) [high]
• [cluster-trino-admin-login] Cluster Overview Trino - Admin Login (@dhiyaneshdk) [high]
• [csp-script-src-wildcard] Content-Security-Policy "script-src" Wildcard Detected (@prithiv) [medium]
• [memtracker-exposure] MemTracker - Exposure (@dhiyaneshdk) [high]
• [sharepoint-files-disclosure] Microsoft SharePoint Files Disclosure (@pussycat0x) [info]
• [sharepoint-layouts-disclosure] Microsoft SharePoint - Layouts Disclosure (@dhiyaneshdk) [low]
• [sharepoint-masterpage-disclosure] Microsoft SharePoint - Master Page Disclosure (@dhiyaneshdk) [low]
• [sharepoint-site-metadata-disclosure] Microsoft SharePoint - Site Metadata Disclosure (@0x_Akoko) [low]
• [sharepoint-sitepages-disclosure] Microsoft SharePoint - Site Pages Disclosure (@pussycat0x) [low]
• [nginx-status-403-bypass] Nginx Status Page - 403 Bypass (@pussycat0x) [low]
• [postgresql-cluster-config] PostgreSQL Cluster - Configuration (@dhiyaneshdk) [high]
• [postrest-api-exposure] PostgREST API Server - Exposure (@dhiyaneshdk) [high]
• [unauth-akhq-dashboard] AKHQ Dashboard - Unauthenticated Access (@dhiyaneshdk) [high]
• [unauth-hawkeye-dashboard] Unauth Hawkeye Dashboard - Detect (@dhiyaneshdk) [high]
• [unauth-kafka-config-editor] Kafka Config Editor - Unauthenticated Access (@dhiyaneshdk) [high]
• [unauth-phoenix-dashboard] Unauth Phoenix Dashboard - Detect (@dhiyaneshdk) [high]
• [unauth-qdrantui] Qdrant UI - Unauthenticated Access (@dhiyaneshdk) [high]
• [unauth-supervisor-dashboard] Unauth Supervisor Dashboard - Detect (@dhiyaneshdk) [high]
• [agent-zero-detect] Agent-Zero Application - Detect (@0x_Akoko) [info]
• [cisco-finesse-detect] Cisco Finesse - Detect (@0x_Akoko) [info]
• [flower-detect] Flower - Detect (@righettod) [info]
• [sharepoint-web-services-discovery] Microsoft SharePoint - Web Services Discovery (@0x_Akoko) [info]
• [nostromo-detect] Nostromo Web Server (@Shivam Kamboj) [info]
• [odoo-detection] Odoo - Detect (@keyboard-slayer) [info]
• [traggo-server-detect] Traggo Time Tracking Server - Detect (@0x_Akoko) [info]
• [vtigercrm-detect] Vtiger CRM - Detect (@icarot) [info]
• [winstone-detect] Winstone Servlet Engine (@Shivam Kamboj) [info]
• [wp-security-hidden-login-exposure] WordPress All-in-One Security <=4.4.1 - Hidden Login Page Exposure (@theamanrawat) [medium]
• [wp-twenty-theme-fpd] WordPress Twenty Seventeen - Full Path Disclosure (@dhiyaneshdk) [low]
• [wp-twentysixteen-fpd] WordPress Twenty Sixteen - Full Path Disclosure (@theamanrawat) [low]
• [wp-twentytwenty-fpd] WordPress Twenty Twenty Theme - Full Path Disclosure (@0x_Akoko) [info]
• [functions-php-disclosure] functions.php Full Path Disclosure (@pussycat0x) [low]
• [yonyou-u9-patchfile-upload] Yonyou U9 PatchFile.asmx - Unauthenticated Arbitrary File Upload (@Co5mos, @projectdiscoveryai) [critical]

New Contributors

• @keyboard-slayer made their first contribution in #13958
• @eduquintanilha made their first contribution in #13920
• @0xanis made their first contribution in #13983
• @0xnemian made their first contribution in #13930
• @OrSmolnik made their first contribution in #14007
• @nikhilpatidar01 made their first contribution in #14015
• @brendan-rsoc made their first contribution in #14016
• @S9n3x made their first contribution in #13496
• @Snbig made their first contribution in #13581
• @JosephTTD made their first contribution in #14042
• @L-TEL...

Nuclei Templates v10.3.2 - Release Notes

New Templates Added: 129 | CVEs Added: 56 | First-time contributions: 9 | Bounties rewarded: 7

🔥 Release Highlights 🔥

• [CVE-2025-64446] FortiWeb - Authentication Bypass (@dhiyaneshdk, @watchtowr, @rapid7, @defusedcyber) [critical] (vKEV) 🔥
• [CVE-2025-64095] DNN - Unrestricted Arbitrary File Upload (@dhiyaneshdk, @pussycat0x) [critical] 🔥
• [CVE-2025-61884] Oracle E-Business Suite - SSRF (@Kazgangap) [high] (vKEV) 🔥
• [CVE-2025-59287] Windows Server Update Service - Insecure Deserialization (@pussycat0x, @princechaddha) [critical] (vKEV) 🔥
• [CVE-2025-58443] FOGProject <= 1.5.10.1673 - Authentication Bypass (@oleveloper) [critical] 🔥
• [CVE-2025-55190] ArgoCD Project API Token Repository Credentials Exposure (@nukunga[seunghyeonJeon]) [critical] 🔥
• [CVE-2025-54253] Adobe Experience Manager - Deserialization (@ritikchaddha, @dhiyaneshdk, @s4e-io) [critical] (vKEV) 🔥
• [CVE-2025-54236] Adobe Commerce - Authentication Bypass (@dhiyaneshdk, @slcyber, @johnk3r) [critical] (vKEV) 🔥
• [CVE-2025-52665] UniFi Access - Broken Access Control (@theamanrawat, @dhiyaneshdk) [critical] 🔥
• [CVE-2025-41243] Spring Cloud Gateway Server Webflux - Broken Access Control (@Redmomn) [critical] 🔥
• [CVE-2025-12101] Citrix NetScaler ADC & Gateway - Reflected XSS / Open Redirect (@dhiyaneshdk, @watchtowr) [medium] 🔥
• [CVE-2025-11749] WordPress AI Engine Plugin - Token Exposure (@4m3rr0r) [critical] 🔥
• [CVE-2025-8943] Flowise < 3.0.1 - Remote Command Execution (@zezezez) [critical] 🔥
• [CVE-2025-1550] Keras Model.load_model - Arbitrary Code Execution (@nukunga[seunghyeonJeon]) [critical] 🔥
• [CVE-2025-1302] JSONPath Plus < 10.3.0 - RCE (@Jaenact) [critical] 🔥
• [CVE-2024-53900] Mongoose < 8.8.3 - RCE (@h4mg) [critical] 🔥
• [CVE-2024-47575] FortiManager Unauth RCE (@0x_Akoko, @pussycat0x, @watchtowr) [critical] (vKEV) 🔥
• [CVE-2024-27443] Zimbra Collaboration - XSS (XSS) (@rxerium) [medium] (vKEV) 🔥
• [CVE-2024-23108] Fortinet FortiSIEM - OS Command Injection (@0x_Akoko) [critical] (vKEV) 🔥
• [CVE-2023-34048] VMware vCenter Server - Out-of-Bounds Write (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2023-2437] UserPro <= 5.1.1 - Authentication Bypass (@intelligent-ears) [critical] (vKEV) 🔥
• [CVE-2021-45467] Control Web Panel (CWP) - File Inclusion (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2020-14644] Oracle WebLogic Server - RCE (Insecure Deserialization) (@hnd3884) [critical] (vKEV) 🔥

What's Changed

💰 Bounties Rewarded 💰

• CVE-2024-0799 - Arcserve Unified Data Protection - Authentication Bypass (Issue #13804, PR #13844)
• CVE-2024-0801 - Arcserve Unified Data Protection - Denial of Service (Issue #13829, PR #13845)
• CVE-2025-1023 - ChurchCRM - SQL Injection (Issue #13792, PR #13800)
• CVE-2025-6403 - School Fees Payment System - SQL Injection (Issue #13785, PR #13786)
• CVE-2025-51482 - Letta 0.7.12 - Remote Code Execution (Issue #13745, PR #13750)
• CVE-2021-4374 - WordPress Automatic Plugin - Broken Access Control (Issue #13872, PR #13850)
• CVE-2020-14644 - Oracle WebLogic Server (Issue #12428, PR #13846)

Bug Fixes

• Corrected CVE-2025-64446 vulnerability details (PR #13947, PR #13932)
• Updated CVE-2025-12101 with open redirect information (PR #13928)
• Updated CVE-2021-39226 template (PR #13918)
• Fixed external service interaction template (PR #13818, Issue #13765)
• Corrected file path for CVE-2024-28623 (PR #13810)
• Improved open-redirect-generic template accuracy (PR #13787)
• Fixed command execution in CVE-2020-2883 template (PR #13780)
• Enhanced CVE-2021-41467 with new matchers (PR #13776)
• Corrected file naming for CVE-2016-8735 (PR #13773, Issue #13770)
• Fixed payload typo in CVE-2023-38192 (PR #13760)
• Corrected domain variable name in CVE-2025-59287 (PR #13759, PR #13756)
• Updated PHP Backup template (PR #13753)
• Fixed file naming for CVE-2022-26143 (PR #13749, Issue #13748)
• Corrected CVSS score and severity mismatch in CVE-2024-30569 (Issue #13714)

False Negatives

• Improved detection in CVE-2020-35338 template (Issue #13676)
• Enhanced default-asp-net-page template to detect modern ASP.NET welcome pages (Issue #13543)

False Positives

• CVE-2020-26948 (PR #13978)
• CVE-2025-5777 / CitrixBleed 2 (PR #13905, PR #13815, Issue #13197)
• CVE-2000-0760 Snoop.jsp endpoint detection (PR #13830, Issue #13522)
• CVE-2023-37582 (PR #13823)
• config-json.yaml exposure detection (PR #13774, Issue #13763)
• External Service Interaction (Issue #13765)
• api-dbt token spray (Issue #11289)
• CVE-2017-3132 (Issue #10975)
• OSINT user enumeration templates (Issue #10158, PR #13742)

Enhancements

• Enhanced eclipse-birt-panel template detection (PR #13955)
• Added missing service tags to improve categorization (PR #13926)
• Fixed tag typos across multiple templates (PR #13925)
• Resolved duplicate template ID issue in gradio-lfi (PR #13922, Issue #13917)
• Enriched GITBLIT template detection (PR #13898)
• Improved IIS Shortname detection capabilities (PR #13885, Issue #4911)
• Enhanced CVE-2025-61884 and CVE-2025-61882 templates (PR #13822, Issue #13813)
• Converted non-CVE templates to proper CVE template format (PR #13797, Issue #13779)
• Enhanced AEM querybuilder bypass detection (PR #13746)
• Added HTTP/2 protocol support improvements (Issue #13709)

Templates Added

• [CVE-2025-64446] FortiWeb - Authentication Bypass (@dhiyaneshdk, @watchtowr, @rapid7, @defusedcyber) [critical] (vKEV) 🔥
• [CVE-2025-64095] DNN - Unrestricted Arbitrary File Upload (@dhiyaneshdk, @pussycat0x) [critical] 🔥
• [CVE-2025-61884] Oracle E-Business Suite - SSRF (@Kazgangap) [high] (vKEV) 🔥
• [CVE-2025-59287] Windows Server Update Service - Insecure Deserialization (@pussycat0x, @princechaddha) [critical] (vKEV) 🔥
• [CVE-2025-58443] FOGProject <= 1.5.10.1673 - Authentication Bypass (@oleveloper) [critical] 🔥
• [CVE-2025-55190] ArgoCD Project API Token Repository Credentials Exposure (@nukunga[seunghyeonJeon]) [critical] 🔥
• [CVE-2025-54253] Adobe Experience Manager - Deserialization (@ritikchaddha, @dhiyaneshdk, @s4e-io) [critical] (vKEV) 🔥
• [CVE-2025-54236] Adobe Commerce - Authentication Bypass (@dhiyaneshdk, @slcyber, @johnk3r) [critical] (vKEV) 🔥
• [CVE-2025-52665] UniFi Access - Broken Access Control (@theamanrawat, @dhiyaneshdk) [critical] 🔥
• [CVE-2025-52472] XWiki - HQL Injection (@ritikchaddha) [high]
• [CVE-2025-51991] XWiki <= 17.3.0 - Server-Side Template Injection (SSTI) (@0x_Akoko) [critical]
• [CVE-2025-51990] XWiki – Stored XSS (XSS) (@0x_Akoko) [medium]
• [CVE-2025-51482] Letta Letta 0.7.12 - RCE (@RaghavArora14) [high]
• [CVE-2025-44137] MapTiler Tileserver-php v2.0 - Unauth File Read (@0x_Akoko) [high]
• [CVE-2025-44136] MapTiler Tileserver-php v2.0 - Unauth XSS (@0x_Akoko) [medium]
• [CVE-2025-41243] Spring Cloud Gateway Server Webflux - Broken Access Control (@Redmomn) [critical] 🔥
• [CVE-2025-32429] XWiki Platform - SQL Injection (@ritikchaddha) [critical]
• [CVE-2025-31486] Vite server.fs.deny Bypass - Local File Inclusion (@wn147) [medium]
• [CVE-2025-24354] Imgproxy < 3.27.2 - SSRF (SSRF) (@oksuzkayra) [medium]
• [CVE-2025-12480] Triofox - Improper Access Control (@johnk3r, @GTi) [critical]
• [CVE-2025-12101] Citrix NetScaler ADC & Gateway - Reflected XSS / Open Redirect (@dhiyaneshdk, @watchtowr) [medium] 🔥
• [CVE-2025-11749] WordPress AI Engine Plugin - Token Exposure (@4m3rr0r) [critical] 🔥
• [CVE-2025-9985] Featured Image from URL (FIFU) <= 5.2.7 - Unauth Information Exposure via Log File (@zer0p0int) [medium]
• [CVE-2025-8943] Flowise < 3.0.1 - Remote Command Execution (@zezezez) [critical] 🔥
• [CVE-2025-6403] Code-Projects School Fees Payment System 1.0 - SQL Injection (@hnd3884) [critical]
• [CVE-2025-6174] WordPress Qwizcards < 3.95 - XSS (Reflected) (@0x_Akoko) [medium]
• [CVE-2025-5605] WSO2 Management Console - Authentication Bypass (@dhiyaneshdk) [medium]
• [CVE-2025-4302] Stop User Enumeration WordPress plugin - Authentication Bypass (@Kazgangap) [medium]
• [CVE-2025-1550] Keras Model.load_model - Arbitrary Code Execution (@nukunga[seunghyeonJeon]) [critical] 🔥
• [CVE-2025-1302] JSONPath Plus < 10.3.0 - RCE (@Jaenact) [critical] 🔥
• [CVE-2025-1023] ChurchCRM - SQL Injection (@Kazgangap) [critical]
• [CVE-2024-53900] Mongoose < 8.8.3 - RCE (@h4mg) [critical] 🔥
• [CVE-2024-50857] GestioIP - Reflected XSS (@gaurang) [medium]
• [CVE-2024-47575] FortiManager Unauth RCE (@0x_Akoko, @pussycat0x, @watchtowr) [critical] (vKEV) 🔥
• [CVE-2024-37656] GnuBoard5 5.5.16 - Open Redirect (@0x_Akoko) [medium]
• [CVE-2024-28623] RiteCMS 3.0.0 - XSS (@0x_Akoko) [medium]
• [CVE-2024-27443] Zimbra Collaboration - XSS (XSS) (@rxerium) [medium] (vKEV) 🔥
• [CVE-2024-23108] Fortinet FortiSIEM - OS Command Injection (@0x_Akoko) [critical] (vKEV) 🔥
• [CVE-2024-11238] Landray EKP - Path Traversal (@theamanrawat) [medium]
• [CVE-2024-10146] Simple File List < 6.1.13 - Reflected XSS (@0x_AKoko) [medium]
• [CVE-2024-8852] All-in-One WP Migration < 7.87 - Unauth Information Disclosure (@flx) [medium]
• [CVE-2024-6690] WP Content Copy Protection & No Right Click - Open Redirect (@0x_Akoko) [medium]
• [CVE-2024-4180] The Events Calendar < 6.4.0.1 - XSS (@0x_Akoko) [medium]
• [CVE-2024-0801] Arcserve Unified Data Protection - Unauth DoS in ASNative.dll (@daffainfo) [high]
• [CVE-2024-0799] Arcserve Unified Data Protection - Authentication Bypass (@daffainfo) [critical]
• [CVE-2023-39121] Emlog 2.1.9 - SQL Injection (@wjch611) [high]
• [CVE-2023-34048] VMware vCenter Server - Out-of-Bounds Write (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2023-2437] UserPro <= 5.1.1 - Authentication Bypass (@intelligent-ears) [critical] (vKEV) 🔥
• [CVE-2022-26143] Mitel MiCollab - Information Disclosure & Denial of Service (@theamanrawat) [critical]
• [CVE-2021-45467] Control Web Panel (CWP) - File Inclusion (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2021-41419] QVIS NVR/DVR - RCE (@me91...

Nuclei Templates v10.3.1 - Release Notes

New Templates Added: 119 | CVEs Added: 88 | First-time contributions: 10 | Bounties rewarded: 12

🔥 Release Highlights 🔥

• [CVE-2025-49844] Redis Lua Parser < 8.2.2 - Use After Free (@pussycat0x) [critical] 🔥
• [CVE-2025-46819] Redis < 8.2.1 Lua Long-String Delimiter - Out-of-Bounds Read (@pussycat0x) [high] 🔥
• [CVE-2025-46818] Redis Lua Sandbox < 8.2.2 - Cross-User Escape (@pussycat0x) [high] 🔥
• [CVE-2025-46817] Redis < 8.2.1 lua script - Integer Overflow (@pussycat0x) [critical] 🔥
• [CVE-2025-20281] Cisco ISE - Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
• [CVE-2024-42009] Roundcube Webmail - Cross-Site Scripting (@rxerium) [critical] (vKEV) 🔥
• [CVE-2023-40044] WS_FTP Server - Insecure Deserialization (@0x_Akoko) [critical] (vKEV) 🔥
• [CVE-2023-37582] Apache RocketMQ - Remote Command Execution (@daffainfo) [critical] (vKEV) 🔥
• [CVE-2023-21839] Oracle WebLogic Server - Unauthorized Access (@daffainfo) [high] (vKEV) 🔥
• [CVE-2023-3519] Citrix NetScaler ADC and NetScaler Gateway - RCE (@pussycat0x, @ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2022-31711] VMware vRealize Log Insight < v8.10.2 - Information Disclosure (@dhiyaneshdk) [medium] 🔥
• [CVE-2022-31706] VMware vRealize Log Insight - Path Traversal (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2022-31704] VMware vRealize Log Insight - Improper Access Control to RCE (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2022-24682] Zimbra Collaboration Suite < 8.8.15 - Improper Encoding (@rxerium) [medium] 🔥
• [CVE-2022-24086] Adobe Commerce (Magento) - Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
• [CVE-2022-22956] VMware Workspace ONE Access - Authentication Bypass (@daffainfo) [critical] (vKEV) 🔥
• [CVE-2021-33766] Microsoft Exchange - Authentication Bypass (@daffainfo) [high] (vKEV) 🔥
• [CVE-2021-32478] Moodle 3.8-3.10.3 - Reflected XSS & Open Redirect (@hackergautam) [medium] 🔥
• [CVE-2021-30118] Kaseya VSA < 9.5.7 - Arbitrary File Upload to Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
• [CVE-2021-30116] Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent (@daffainfo) [critical] (vKEV) 🔥
• [CVE-2021-26072] Atlassian Confluence < 5.8.6 - Server-Side Request Forgery (@TechbrunchFR) [medium] 🔥
• [CVE-2021-24220] Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload (@pussycat0x) [critical]
• [CVE-2021-3287] Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution (@theamanrawat) [critical] (vKEV) 🔥
• [CVE-2020-3952] VMware vCenter Server LDAP Broken Access Control (@0x_Akoko) [critical] (vKEV) 🔥
• [CVE-2020-2883] Oracle WebLogic Server - Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
• [CVE-2019-16072] Enigma NMS < 65.0.0 - Authenticated OS Command Injection (@0x_Akoko) [critical]
• [CVE-2019-12989] Citrix SD-WAN and NetScaler SD-WAN - SQL Injection (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2018-18325] DotNetNuke 9.2 - 9.2.2 - Weak Encryption & Cookie Deserialization (@pdteam) [high] 🔥
• [CVE-2018-15811] DotNetNuke 9.2 - 9.2.1 - Weak Encryption & Cookie Deserialization (@pdteam) [high] 🔥
• [CVE-2018-11138] Quest KACE System Management Appliance 8.0.318 - RCE (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2017-18362] Kaseya VSA 2017 ConnectWise ManagedITSync - RCE (@pussycat0x) [critical] (vKEV) 🔥
• [CVE-2010-20103] ProFTPd-1.3.3c - Backdoor Command Execution (@pussycat0x) [critical] 🔥

What's Changed

💰 Bounties Rewarded 💰

• CVE-2025-20281 - Cisco ISE - Remote Code Execution (KEV and vKEV) (PR #13610)
• CVE-2022-22956 - VMware Workspace ONE Access - Authentication Bypass (vKEV) (PR #13597)
• CVE-2023-37582 - Apache RocketMQ NameServer - Remote Command Execution (vKEV) (PR #13580)
• CVE-2021-30118 - Kaseya VSA - Arbitrary File Upload Leading to RCE (vKEV) (PR #13560)
• CVE-2021-30116 - Kaseya VSA - Credential Disclosure (KEV and vKEV) (PR #13558)
• CVE-2023-30194 - PrestaShop posstaticfooter - SQL Injection (vKEV) (PR #13551)
• CVE-2021-33766 - Microsoft Exchange Server - Information Disclosure (KEV and vKEV) (PR #13547)
• CVE-2023-21839 - Oracle WebLogic Server - Unauthorized Access (KEV and vKEV) (PR #13546)
• CVE-2021-38154 - Canon Devices - Authentication Bypass (vKEV) (PR #13545)
• CVE-2022-31181 - PrestaShop - SQL Injection (vKEV) (PR #13544)
• CVE-2022-43939 - Hitachi Vantara Pentaho - Security Restriction Bypass (KEV and vKEV) (PR #13395)

Bug Fixes

• Fixed CVE-2025-49825 version matching (PR #13701)
• Fixed typo in CVE-2021-35064.yaml (PR #13699)
• Fixed detection in CVE-2022-31711.yaml (PR #13618)
• Fixed typo in BIGipServer matcher (PR #13633)
• Fixed CVE-2022-22956.yaml (PR #13673)
• Fixed IBM Eclipse Help System false positive (PR #13589)

False Negatives

• Addressed false negative in CVE-2025-61882 template (Issue #13540)
• Addressed false negative in generic-linux-lfi.yaml (Issue #12864)
• Addressed false negative in CVE-2023-20198 Cisco IOS XE RCE (Issue #12324)

False Positives

• Reduced false positives and improved accuracy in the following templates:
  • CVE-2024-2782 (Issue #13525, PR #13668)
  • CVE-2020-11514 (Issue #13520)
  • CVE-2025-5777 - CitrixBleed 2 (Issue #13197)
  • CVE-2022-1595.yaml - Multiple false positives (Issue #12792)
  • addeventlistener-detect (Issue #11589)
  • external-service-interaction (Issue #10850)

Enhancements

• Implemented asset-discovery and vulnerability detection distinction across templates (PR #13648)
• Enhanced Hashicorp Vault detection by removing vault-unsealed-unauth and improving hashicorp-vault-detect (PR #13660)
• Enhanced XWiki RCE detection capabilities (PR #13684)
• Added new POC for yonyou-nc-arbitrary-file-read (PR #13624)
• Improved Moodle changelog file detection for newer versions (PR #13654)
• Removed cloudapp.net from takeover templates as no longer exploitable (PR #13679)
• Enhanced SNMPv3 fingerprint detection (PR #13661)

Templates Added

• [CVE-2025-61666] Traccar(Windows) 6.1- 6.8.1 - Local File Inclusion (@securitytaters) [high]
• [CVE-2025-59049] Mockoon < 9.2.0 - Path Traversal (@iamnoooob, @rootxharsh, @pdresearch) [high]
• [CVE-2025-58751] Vite Dev Server - Path Traversal (@wn147) [low]
• [CVE-2025-57808] ESPHome - Authentication Bypass (@Sean-Kim) [high]
• [CVE-2025-55748] XWiki Platform - Path Traversal (@Redmomn) [high]
• [CVE-2025-55747] XWiki Platform - Information Disclosure (@Redmomn) [high]
• [CVE-2025-53771] Microsoft SharePoint Server - AuthBypass (ToolShell) (@_l0gg, @SamIntruder, @sfewer-r7, @iamnoooob, @pdresearch) [medium] (vKEV) 🔥
• [CVE-2025-49844] Redis Lua Parser < 8.2.2 - Use After Free (@pussycat0x) [critical] 🔥
• [CVE-2025-48703] CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution (@theamanrawat) [critical] (vKEV)
• [CVE-2025-46819] Redis < 8.2.1 Lua Long-String Delimiter - Out-of-Bounds Read (@pussycat0x) [high] 🔥
• [CVE-2025-46818] Redis Lua Sandbox < 8.2.2 - Cross-User Escape (@pussycat0x) [high] 🔥
• [CVE-2025-46817] Redis < 8.2.1 lua script - Integer Overflow (@pussycat0x) [critical] 🔥
• [CVE-2025-34509] Sitecore Experience Manager (XM) and Experience Platform (XP) - Hardcoded Credentials (@daffainfo) [high]
• [CVE-2025-34038] Fanwei e-cology - SQL Injection (@ritikchaddha) [high]
• [CVE-2025-25037] Aquatronica Controller System <= 5.1.6 - Information Disclosure (@s4e-io) [high]
• [CVE-2025-25034] SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection (@Redmomn) [critical] (vKEV)
• [CVE-2025-20281] Cisco ISE - Remote Code Execution (@daffainfo) [critical] (vKEV) 🔥
• [CVE-2025-11750] Dify - User Enumeration via "Account not found" Message (@Kazgangap) [medium]
• [CVE-2025-11371] Gladinet CentreStack & TrioFox - Local File Inclusion (@Kazgangap) [medium]
• [CVE-2025-9242] WatchGuard IKEv2 Out-of-Bounds Write Vulnerability (@pussycat0x, @dhiyaneshdk, @watchtowr) [critical]
• [CVE-2025-9196] Trinity Audio <= 5.21.0 - Information Exposure (@Kazgangap) [medium]
• [CVE-2025-5701] HyperComments <= 1.2.2 - Arbitrary Options Update (@kylew1004) [critical]
• [CVE-2024-42009] Roundcube Webmail - Cross-Site Scripting (@rxerium) [critical] (vKEV) 🔥
• [CVE-2024-35286] Mitel MiCollab <= 9.8.0.33 - SQL Injection (@daffainfo) [critical]
• [CVE-2024-13979] St. Joe ERP system - SQL Injection (@dhiyaneshdk) [critical]
• [CVE-2024-10708] System Dashboard < 2.8.15 - Admin+ Path Traversal (@0x_Akoko) [medium]
• [CVE-2024-9166] TitanNit Web Control 2.01/Atemio 7600 - Remote Code Execution (@dhiyaneshdk) [critical]
• [CVE-2023-40044] WS_FTP Server - Insecure Deserialization (@0x_Akoko) [critical] (vKEV) 🔥
• [CVE-2023-37582] Apache RocketMQ - Remote Command Execution (@daffainfo) [critical] (vKEV) 🔥
• [CVE-2023-34133] SonicWall GMS and Analytics - SQL Injection (@theamanrawat) [high] (vKEV)
• [CVE-2023-30194] Prestashop posstaticfooter <= 1.0.0 - SQL Injection (@daffainfo) [critical]
• [CVE-2023-21839] Oracle WebLogic Server - Unauthorized Access (@daffainfo) [high] (vKEV) 🔥
• [CVE-2023-6655] Hongjing e-HR 2020 - SQL Injection (@pussycat0x) [high]
• [CVE-2023-3519] Citrix NetScaler ADC and NetScaler Gateway - RCE (@pussycat0x, @ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2022-48323] Sunflower Simple and Personal 1.0.1.43315 - Remote Code Execution (@daffainfo) [critical]
• [CVE-2022-43939] Hitachi Pentaho Business Analytics Server - Bypass Authorization (@daffainfo) [high]
• [CVE-2022-38812] AeroCMS 0.1.1 - SQL Injection (@shivampand3y) [medium]
• [CVE-2022-37122] Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Path Traversal (@gy741) [high]
• [CVE-2022-31711] VMware vRealize Log Insight < v8.10.2 - Information Disclosure (@dhiyaneshdk) [medium] 🔥
• [CVE-2022-31706] VMware vRealize Log Insight - Path Traversal (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2022-31704] VMware vRealize Log Insight - Improper Access Control to RCE (@ritikchaddha) [critical] (vKEV) 🔥
• [CVE-2022-31181] Presta...

Nuclei Templates v10.3.0 - Release Notes

New Templates Added: 124 | CVEs Added: 90 | First-time contributions: 6

🔥 Release Highlights 🔥

• [CVE-2025-61882] Oracle E-Business Suite 12.2.3–12.2.14 – RCE (@dhiyaneshdk, @watchtowr) [critical] 🔥 (KEV) (vKEV)
• [CVE-2025-54251] Adobe Experience Manager ≤ 6.5.23.0 - XML Injection (@dhiyaneshdk, @assetnote) [medium] 🔥
• [CVE-2025-54249] Adobe Experience Manager ≤ 6.5.23.0 – SSRF (@dhiyaneshdk, @assetnote) [medium] 🔥
• [CVE-2025-49825] Teleport - Auth Bypass (@pdteam) [critical] 🔥
• [CVE-2025-36604] Dell UnityVSA < 5.5 - Remote Command Injection (@dhiyaneshdk, @watchtowr) [critical] 🔥
• [CVE-2025-20362] Cisco Secure Firewall ASA & FTD - Auth Bypass (@dhiyaneshdk, @attackerkb) [medium] 🔥 (KEV) (vKEV)
• [CVE-2025-10035] GoAnywhere - Auth Bypass (@dhiyaneshdk, @watchtowr) [critical] 🔥 (KEV) (vKEV)
• [CVE-2025-0282] Ivanti Connect Secure - Stack-based Buffer Overflow (@ritikchaddha) [critical] 🔥 (KEV) (vKEV)
• [CVE-2024-0593] WordPress Simple Job Board - Unauthorized Data Access (@zer0p0int) [medium] 🔥
• [CVE-2023-26258] Arcserve UDP <= 9.0.6034 - Auth Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-6933] Better Search Replace < 1.4.5 - PHP Object Injection (@pussycat0x) [critical] 🔥
• [CVE-2023-5559] 10Web Booster < 2.24.18 - Unauth Arbitrary Option Deletion (@daffainfo) [critical] 🔥
• [CVE-2023-4666] Form-Maker < 1.15.20 - Unauth Arbitrary File Upload (@pussycat0x) [critical] 🔥
• [CVE-2022-41352] Zimbra Collaboration - Unrestricted File Upload (@rxerium) [critical] 🔥 (KEV) (vKEV)
• [CVE-2022-38627] Nortek Linear eMerge E3-Series - SQL Injection (@daffainfo, @omarhashem666) [critical] 🔥 (vKEV)
• [CVE-2022-3590] WordPress <= 6.2 - Server Side Request Forgery (@riteshs4hu) [medium] 🔥 (vKEV)
• [CVE-2022-3481] NotificationX Dropshipping < 4.4 - SQL Injection (@ritikchaddha) [critical] 🔥 (vKEV)
• [CVE-2022-3477] WordPress tagDiv Composer < 3.5 - Auth Bypass (@melmathari) [critical] 🔥 (vKEV)
• [CVE-2021-42359] WP DSGVO Tools (GDPR) <= 3.1.23 - Unauth Arbitrary Post Deletion (@daffainfo) [high] 🔥
• [CVE-2021-34622] WordPress ProfilePress <= 3.1.3 - Privilege Escalation (@Sourabh-Sahu) [critical] 🔥 (vKEV)
• [CVE-2021-24295] Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 - Unauth Blind SQLi (@dhiyaneshdk) [high] 🔥
• [CVE-2021-24175] The Plus Addons for Elementor Page Builder < 4.1.7 - Auth Bypass (@pussycat0x) [critical] 🔥
• [CVE-2021-20021] SonicWall Email Security <= 10.0.9.x - Unauth Admin Account Creation (@pussycat0x) [critical] 🔥 (KEV) (vKEV)
• [CVE-2021-4380] Pinterest Automatic < 4.14.4 - Unauth Arbitrary Options Update (@s4e-io) [critical] 🔥
• [CVE-2020-36731] Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauth Arbitrary Plugin Settings Update (@popcorn94) [high] 🔥
• [CVE-2020-36719] ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation (@ritikchaddha) [critical] 🔥 (vKEV)
• [CVE-2020-36705] Adning Advertising <= 1.5.5 - Arbitrary File Upload (@dhiyaneshdk) [critical] 🔥
• [CVE-2020-13640] wpDiscuz <= 5.3.5 - SQL Injection (@Sourabh-Sahu) [critical] 🔥
• [CVE-2020-9480] Apache Spark - Auth Bypass (@riteshs4hu) [critical] 🔥 (vKEV)
• [CVE-2020-8657] EyesOfNetwork - Hardcoded API Key (@daffainfo) [critical] 🔥
• [CVE-2020-8656] EyesOfNetwork - Hardcoded API Key & SQL Injection (@ritikchaddha) [critical] 🔥
• [CVE-2019-25152] Abandoned Cart Lite for WooCommerce < 5.2.0 - Cross-Site Scripting (@dhiyaneshdk) [high] 🔥
• [CVE-2019-17232] WordPress Ultimate FAQs <= 1.8.24 – Unauth Options Import and Export (@daffainfo) [high] 🔥
• [CVE-2019-11886] Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation (@daffainfo) [high] 🔥
• [CVE-2019-9621] Zimbra Collaboration Suite - SSRF (@riteshs4hu) [high] 🔥 (KEV) (vKEV)
• [CVE-2019-7276] Optergy Proton/Enterprise - Unauth RCE via Backdoor Console (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2019-6703] Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update (@dhiyaneshdk) [critical] 🔥
• [CVE-2018-1217] Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control (@daffainfo) [critical] 🔥
• [CVE-2016-10972] Newspaper Theme 6.4–6.7.1 - Privilege Escalation (@pussycat0x) [critical] 🔥

What's Changed

💰 Bounties Rewarded 💰

• CVE-2024-28000 LiteSpeed Technologies LiteSpeed Cache privilege escalation 💰 (Issue #13222)
• CVE-2024-23660 Binance Trust Wallet insecure mnemonic generation 💰 (Issue #13315)
• CVE-2022-3477 tagDiv Composer broken authentication 💰 (Issue #12752, PR #13194)
• CVE-2023-23063 vKEV template 💰 (PR #13396)
• CVE-2022-38840 vKEV template 💰 (PR #13382)
• CVE-2022-38627 vKEV template 💰 (PR #13372)
• CVE-2022-3805 vKEV template 💰 (PR #13403)
• CVE-2021-3122 vKEV template 💰 (PR #13412)
• CVE-2019-18952 vKEV template 💰 (PR #13425)
• CVE-2019-9621 KEV & vKEV template 💰 (PR #13409)
• CVE-2018-1217 vKEV template 💰 (PR #13418)
• CVE-2015-9415 vKEV template 💰 (PR #13419)

Bug Fixes

• Fixed false positives in CVE-2024-43441.yaml template (Issue #13317)
• Fixed CVE-2021-30175 template (PR #13375)
• Corrected CVSS score for CVE-2025-49825 (PR #13446)
• Fixed false positives in CVE-2022-37932 by updating flow (PR #13427)
• Resolved wix-takeover false positive issues (PR #13477)
• Fixed addeventlistener-detect template (PR #13462)

False Negatives

• Addressed CORS detection for OWASP JuiceShop Access-Control-Allow-Origin: * (Issue #13402)

False Positives

• Reduced false positives in CVE-2024-43441.yaml template (Issue #13317)
• Fixed false positives in wix-takeover template (PR #13477)
• Corrected false positives in CVE-2022-37932 template (PR #13427)

Enhancements

• Enhanced Google CSP bypass detection vector (PR #13500)
• Added user and password fields to config-json.yaml for better extraction (PR #13445)
• Improved vKEV workflow and updated missing tags (PR #13374)
• Added credentialed CORS with reflected Origin detection (PR #13441)
• Added blind SSRF (OAST) multiparam fuzzing template (PR #13440)
• Added Swagger/OpenAPI/GraphQL API inventory template (PR #13442)

Templates Added

• [CVE-2025-61882] Oracle E-Business Suite 12.2.3–12.2.14 – RCE (@dhiyaneshdk, @watchtowr) [critical] 🔥 (KEV) (vKEV)
• [CVE-2025-59474] Jenkins Sidepanel - Unauthorized Agent/Queue Exposure (@ivaldivieso) [medium]
• [CVE-2025-54251] Adobe Experience Manager ≤ 6.5.23.0 - XML Injection (@dhiyaneshdk, @assetnote) [medium] 🔥
• [CVE-2025-54249] Adobe Experience Manager ≤ 6.5.23.0 – SSRF (@dhiyaneshdk, @assetnote) [medium] 🔥
• [CVE-2025-49825] Teleport - Authentication Bypass (@pdteam) [critical] 🔥
• [CVE-2025-36604] Dell UnityVSA < 5.5 - Remote Command Injection (@dhiyaneshdk, @watchtowr) [critical] 🔥
• [CVE-2025-27225] TRUfusion Enterprise <= 7.10.4.0 - Admin Contact Portal (@dhiyaneshdk, @rcesecurity) [high]
• [CVE-2025-27223] TRUfusion Enterprise <= 7.10.4.0 - Authentication Bypass (@dhiyaneshdk, @rcesecurity) [critical]
• [CVE-2025-27222] TRUfusion Enterprise <= 7.10.4.0 - Path Traversal (@dhiyaneshdk, @rcesecurity) [critical]
• [CVE-2025-20362] Cisco Secure Firewall ASA & FTD - Authentication Bypass (@dhiyaneshdk, @attackerkb) [medium] 🔥 (KEV) (vKEV)
• [CVE-2025-10035] GoAnywhere - Authentication Bypass (@dhiyaneshdk, @watchtowr) [critical] 🔥 (KEV) (vKEV)
• [CVE-2025-8868] Chef Automate < 4.13.295 — SQL Injection (@3th1c_yuk1, @xbow) [critical]
• [CVE-2025-6205] DELMIA Apriso - Broken Access Control (@iamnoooob, @rootxharsh, @parthmalhotra, @pdresearch) [high]
• [CVE-2025-6204] DELMIA Apriso - Command Injection (@iamnoooob, @rootxharsh, @parthmalhotra, @pdresearch) [critical]
• [CVE-2025-0282] Ivanti Connect Secure - Stack-based Buffer Overflow (@ritikchaddha) [critical] 🔥 (KEV) (vKEV)
• [CVE-2024-48651] ProFTPD ≤ 1.3.8b - Privilege Escalation via mod_sql (@pussycat0x) [high]
• [CVE-2024-48208] Pure-FTPd < 1.0.52 - Buffer Overflow (@pussycat0x) [high]
• [CVE-2024-31839] CHAOS 5.0.1 'sendCommandHandler' - Cross-Site Scripting (@riteshs4hu) [medium]
• [CVE-2024-0593] WordPress Simple Job Board - Unauthorized Data Access (@zer0p0int) [medium] 🔥
• [CVE-2023-51713] ProFTPD < 1.3.8a - DoS via Out-of-Bounds Read (@pussycat0x) [high]
• [CVE-2023-26258] Arcserve UDP <= 9.0.6034 - Authentication Bypass (@daffainfo) [critical] 🔥 (vKEV)
• [CVE-2023-23063] Cellinx NVT Web Server - Local File Disclosure (@daffainfo) [high]
• [CVE-2023-22629] TitanFTP move-file Function ≤ 1.94.1205 - Path Traversal (@pussycat0x) [high]
• [CVE-2023-6933] Better Search Replace < 1.4.5 - PHP Object Injection (@pussycat0x) [critical] 🔥
• [CVE-2023-5559] 10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion (@daffainfo) [critical] 🔥
• [CVE-2023-4666] Form-Maker < 1.15.20 - Unauthenticated Arbitrary File Upload (@pussycat0x) [critical] 🔥
• [CVE-2023-3169] tagDiv Composer < 4.2 - Stored Cross-Site Scripting (@ritikchaddha) [high]
• [CVE-2022-41352] Zimbra Collaboration - Unrestricted File Upload (@rxerium) [critical] 🔥 (KEV) (vKEV)
• [CVE-2022-38840] Güralp MAN-EAM-0003 3.2.4 - XML External Entity (XXE) (@daffainfo) [high]
• [CVE-2022-38627] Nortek Linear eMerge E3-Series - SQL Injection (@daffainfo, @omarhashem666) [critical] 🔥 (vKEV)
• [CVE-2022-25322] ZEROF Web Server 2.0 - SQL Injection (@daffainfo) [critical]
• [CVE-2022-3805] Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update (@dhiyaneshdk, @popcorn94) [high]
• [CVE-2022-3590] WordPress <= 6.2 - Server Side Request Forgery (@riteshs4hu) [medium] 🔥 (vKEV)
• [CVE-2022-3481] NotificationX Dropshipping < 4.4 - SQL Injection (@ritikchaddha) [critical] 🔥 (vKEV)
• [CVE-2022-3477] WordPress tagDiv Composer < 3.5 - Authentication Bypass (@melmathari) [critical] 🔥 (vKEV)
• [CVE-2021-42359] WP DSGVO Tools (GDPR) <= 3.1.23 - Unauthenticated Arbitrary Post Deletion (@daffainfo) [high] 🔥
• [CVE-2021-40524] Pure-FTPd 1.0.23 < 1.0.50 - Arbitrary File Upload (@pussycat0x) [high]
• [CVE-2021-34622] WordPress ProfilePre...

Nuclei Templates v10.2.9 - Release Notes

New Templates Added: 182 | CVEs Added: 66 | First-time contributions: 18

🔥 Release Highlights 🔥

• [CVE-2025-57819] FreePBX - Remote Code Execution (@watchtowr, @pussycat0x, @dhiyaneshdk) [critical] 🔥 (kev) (vKEV)
• [CVE-2024-51568] CyberPanel - Command Injection (@s4e-io) [critical] 🔥 (kev) (vKEV)
• [CVE-2024-46506] NetAlertX 23.01.14–24.x < 24.10.12 - Remote Code Execution (@s4e-io) [critical] 🔥 (kev) (vKEV)
• [CVE-2024-28000] WordPress LiteSpeed Cache - Unauthenticated Privilege Escalation to Admin (@melmathari) [critical] 🔥 (kev) (vKEV)
• [CVE-2024-8425] WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload (@jsnv-dev) [critical] 🔥
• [CVE-2023-45249] Acronis Cyber Infrastructure - Default Password (@darses) [critical] 🔥 (kev) (vKEV)
• [CVE-2020-36155] Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta (@riteshs4hu) [critical] 🔥 (kev) (vKEV)
• [CVE-2020-11514] Rank Math SEO <= 1.0.40.2 - Privilege Escalation via Unprotected REST API Endpoint (@s4e-io) [critical] 🔥
• [CVE-2019-7195] QNAP Photo Station - Path Traversal (@s4e-io) [critical] 🔥 (kev) (vKEV)

What's Changed

💰 Bounties Rewarded 💰

• CVE-2023-45249 Acronis Cyber Infrastructure authentication bypass 💰 (Issue #13248).
• CVE-2024-28000 LiteSpeed Cache privilege escalation 💰 (Issue #13222).
• CVE-2024-8353 GiveWP insecure deserialization 💰 (Issue #13130).
• CVE-2020-36836 WP Fastest Cache access control bypass 💰 (Issue #13098).
• CVE-2025-3515 Contact Form 7 file upload vulnerability 💰 (Issue #13029).
• CVE-2024-8425 WooCommerce Ultimate Gift Card file upload 💰 (Issue #12994).
• CVE-2024-4898 InstaWP Connect authorization bypass 💰 (Issue #13271).
• CVE-2024-36857 Jan path traversal vulnerability 💰 (Issue #13290).
• CVE-2024-23660 Binance Trust Wallet mnemonic generation 💰 (Issue #13315).
• CVE-2014-8739 jQuery File Upload unrestricted upload 💰 (Issue #12734).

Bug Fixes

• Fixed false positives in CVE-2024-43441.yaml template (Issue #13317).
• Resolved false positives in CVE-2023-3139.yaml template (Issue #13277).
• Corrected false positive redirect from Cloudflare for CVE-2022-40022 (Issue #13239).

False Negatives

• Enhanced FTP detection template to improve coverage (PR #13102).
• Enhanced Zendesk takeover detection template (Issue #13193).

False Positives

• Reduced false positives and improved accuracy in CVE-2024-43441.yaml (Issue #13317).
• Fixed false positives in CVE-2023-3139.yaml template (Issue #13277).
• Corrected false positive redirect handling in CVE-2022-40022 (Issue #13239).

Enhancements

• Added condition to CVE-2024-43441.yaml for improved accuracy (PR #13318).
• Improved Dell laser printer unauthorized access detection (PR #13303).
• Enhanced HTTP Response Splitting and Polyglot SSTI fuzzing templates (PR #13300).
• Enhanced Hikvision camera information exposure detection (PR #13293).
• Updated CVE-2020-27615.yaml with new HTTP flow and matchers (PR #13281).
• Enhanced Flowise installer detection (PR #13265).
• Added FTP services detection template (PR #13254).
• Updated Korean README documentation (PR #13249).
• Added various vulnerability detection templates including CVE-2025-58434, CVE-2025-54123, CVE-2025-52970, CVE-2025-7775.

Templates Added

• [CVE-2025-58434] Flowise <= 3.0.5 - Account Takeover (@nukunga[seunghyeonJeon]) [critical]
• [CVE-2025-58179] Astro Cloudflare Adapter - Server Side Request Forgery (@hoanganhthai) [high]
• [CVE-2025-57822] Next.js Middleware - Server-Side Request Forgery (@prdngr, @nicolas-latacora) [medium]
• [CVE-2025-57819] FreePBX - Remote Code Execution (@watchtowr, @pussycat0x, @dhiyaneshdk) [critical] 🔥 (kev) (vKEV)
• [CVE-2025-55161] Stirling-PDF SSRF via Markdown (@Beginee) [high]
• [CVE-2025-54123] Hoverfly <= 1.11.3 - Remote Code Execution (@nukunga[seonghyeonJeon]) [critical]
• [CVE-2025-53118] Securden Unified PAM - Authentication Bypass (@dhiyaneshdk, @pussycat0x, @iamnoooob, @pdresearch) [critical]
• [CVE-2025-52207] MikoPBX - Unrestricted File Upload (@darses) [critical]
• [CVE-2025-50738] Memos < 0.25.0 - Stored Cross-Site Scripting (@seonghyeonjeon[nukunga]) [medium]
• [CVE-2025-49596] MCP Inspector < 0.14.0 UnauthenticatedRemote Code Execution (@ye11oc4t) [critical]
• [CVE-2025-23061] Mongoose - NoSQL Injection (@namhyunko) [critical]
• [CVE-2025-8085] Ditty < 3.1.58 - Server-Side Request Forgery (@s4e-io) [high]
• [CVE-2025-3605] WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation (@Beginee) [critical]
• [CVE-2025-3515] Contact Form 7 Drag and Drop Multiple File Upload - Arbitrary File Upload (@hnd3884) [high]
• [CVE-2024-51568] CyberPanel - Command Injection (@s4e-io) [critical] 🔥 (kev) (vKEV)
• [CVE-2024-47533] Cobbler 'XML-RPC' - Authentication Bypass (@songyaeji) [critical]
• [CVE-2024-46506] NetAlertX 23.01.14–24.x < 24.10.12 - Remote Code Execution (@s4e-io) [critical] 🔥 (kev) (vKEV)
• [CVE-2024-43441] Apache HugeGraph-Server <1.5.0 - Authentication Bypass (@wn147) [critical]
• [CVE-2024-36857] Jan v0.4.12 'readFileSync' - Path Traversal (@yusuf Amr) [high]
• [CVE-2024-33326] LumisXP - Cross-site Scripting (@0xr2r) [medium]
• [CVE-2024-29030] Memos 0.13.2 - Server-Side Request Forgery (@ritikchaddha) [medium]
• [CVE-2024-29029] Memos 0.13.2 - Cross-Site Scripting & SSRF (@ritikchaddha) [medium]
• [CVE-2024-29028] Memos 0.13.2 - Server-Side Request Forgery (@ritikchaddha) [medium]
• [CVE-2024-28000] WordPress LiteSpeed Cache - Unauthenticated Privilege Escalation to Admin (@melmathari) [critical] 🔥 (kev) (vKEV)
• [CVE-2024-11972] Hunk Companion < 1.9.0 - Unauthenticated Plugin Installation (@s4e-io) [critical]
• [CVE-2024-9772] WordPress UIX Shortcodes <= 1.9.7 - Unauthenticated Shortcode Execution (@kankburhan) [high]
• [CVE-2024-8425] WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload (@jsnv-dev) [critical] 🔥
• [CVE-2024-8353] GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection (@hnd3884) [critical]
• [CVE-2024-4898] WordPress InstaWP Connect <= 0.1.0.38 - Unauthenticated User Creation (@Sourabh-Sahu) [critical]
• [CVE-2024-3378] iboss Secure Web Gateway - Stored Cross-Site Scripting (@s4e-io) [medium]
• [CVE-2024-2782] WordPress FluentForms <= 5.1.16 - Broken Access Control (@riteshs4hu) [high]
• [CVE-2024-2771] Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation (@Sourabh-Sahu) [critical]
• [CVE-2023-47873] WordPress WP Child Theme Generator < 1.1.3 - Arbitrary File Upload (@cysamu, @crux) [critical]
• [CVE-2023-45249] Acronis Cyber Infrastructure - Default Password (@darses) [critical] 🔥 (kev) (vKEV)
• [CVE-2023-40000] LiteSpeed Cache <= 5.7 - Unauthenticated Stored XSS (@0x_Akoko) [high]
• [CVE-2023-6000] WordPress Popup Builder <= 4.2.3 - Unauthenticated Stored XSS (@riteshs4hu) [medium]
• [CVE-2023-3139] Protect WP Admin < 4.0 - Unauthenticated Protection Bypass (@popcorn94) [medium]
• [CVE-2023-0876] WordPress Meta SEO <= 4.5.2 - Open Redirect (@Khalid6468) [medium]
• [CVE-2023-0037] WordPress 10Web Map Builder < 1.0.73 - Unauthenticated SQL Injection (@riteshs4hu) [critical]
• [CVE-2022-37932] HP Switch - Authentication Bypass (@phulelouch) [high]
• [CVE-2022-4971] Sassy Social Share <= 3.3.3 - Cross-Site Scripting (@popcorn94) [medium]
• [CVE-2022-3124] Frontend File Manager < 21.3 - Unauthenticated File Renaming (@riteshs4hu) [medium]
• [CVE-2022-2461] Transposh WordPress Translation <= 1.0.8 - Unauthenticated Settings Change (@riteshs4hu) [medium]
• [CVE-2022-0429] WP Cerber Security, Anti-spam & Malware Scan < 8.9.6 - Cross-Site Scripting (@s4e-io) [medium]
• [CVE-2021-34624] WordPress ProfilePress 3.0-3.1.3 - Arbitrary File Upload (@Sourabh-Sahu) [critical]
• [CVE-2021-24878] SupportCandy < 2.2.7 - Reflected Cross-Site Scripting (@popcorn94) [medium]
• [CVE-2021-24876] Registrations for The Events Calendar < 2.7.5 - Authenticated Reflected Cross-Site Scripting (@popcorn94) [medium]
• [CVE-2021-24644] Images to WebP < 1.9 - Authenticated Local File Inclusion (@Sourabh-Sahu) [high]
• [CVE-2021-24527] Profile Builder < 3.4.9 - Improper Authentication (@Sourabh-Sahu) [critical]
• [CVE-2021-24170] User Profile Picture < 2.5.0 - Sensitive Information Disclosure (@s4e-io) [high]
• [CVE-2020-36836] WordPress WP Fastest Cache <= 0.9.0.2 - Authenticated Arbitrary File Deletion (@melmathari) [high]
• [CVE-2020-36155] Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta (@riteshs4hu) [critical] 🔥 (kev) (vKEV)
• [CVE-2020-27615] WordPress Loginizer < 1.6.4 – Unauthenticated SQL Injection via log Parameter (@intelligent-ears) [critical]
• [CVE-2020-23814] XXL-JOB v2.2.0 — Stored Cross Site Scripting (@Sourabh-Sahu) [medium]
• [CVE-2020-11515] Rank Math SEO <= 1.0.40.2 - Redirect Creation via Unprotected REST API Endpoint (@s4e-io) [medium]
• [CVE-2020-11514] Rank Math SEO <= 1.0.40.2 - Privilege Escalation via Unprotected REST API Endpoint (@s4e-io) [critical] 🔥
• [CVE-2019-17233] WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated HTML Content Injection (@daffainfo) [medium]
• [CVE-2019-17231] WordPress OneTone theme <= 3.0.6 – Unauthenticated Stored XSS (@daffainfo) [medium]
• [CVE-2019-17230] WordPress OneTone theme <= 3.0.6 – Unauthenticated Options Changes (@daffainfo) [medium]
• [CVE-2019-17228] Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated settings import/export (@daffainfo) [medium]
• [CVE-2019-15774] ND Booking < 2.5 - Unauthenticated Options Change (@popcorn94) [medium]
• [CVE-2019-9881] WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting (@intelligent-ears) [medium]
• [CVE-2019-9880] WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure (@intelligent-ears) [critical]
• [CVE-2019-7195] QNAP Photo Station - Path Traversal (@s4e-io) [critical] 🔥 (kev) (vKEV)
• [CVE-2016-15042] WordPress Frontend Fi...

Nuclei Templates v10.2.8 - Release Notes

New Templates Added: 114 | CVEs Added: 33 | First-time contributions: 17

🔥 Release Highlights 🔥

• [CVE-2025-54309] CrushFTP - Auth Bypass Race Condition (@pussycat0x, @watchtowr, @dhiyaneshdk) [critical] 🔥 (kev) (vKEV)
• [CVE-2025-54125] XWiki XML View - Sensitive Information Exposure (@ritikchaddha) [high] 🔥
• [CVE-2025-53364] Parse Server - GraphQL Schema Information Disclosure (@securitytaters) [medium] 🔥
• [CVE-2025-51502] Microweber CMS 2.0 - Reflected XSS in Admin Page Creation (@nukunga) [medium] 🔥
• [CVE-2025-51501] Microweber CMS2.0 - Cross-Site Scripting (@nukunga) [medium] 🔥
• [CVE-2025-46554] XWiki REST API - Attachments Disclosure (@ritikchaddha) [high] 🔥
• [CVE-2025-34073] Maltrail <=0.54 Username Parameter - RCE (@SeungAh-Hong) [critical] 🔥
• [CVE-2025-32970] XWiki WYSIWYG API - Open Redirect (@ritikchaddha) [medium] 🔥
• [CVE-2025-32969] XWiki REST API Query - SQL Injection (@ritikchaddha) [critical] 🔥
• [CVE-2025-32430] XWiki Platform - Cross-Site Scripting (@ritikchaddha) [medium] 🔥
• [CVE-2025-29925] XWiki REST API - Private Pages Disclosure (@ritikchaddha) [high] 🔥
• [CVE-2025-27888] Apache Druid - Server-Side Request Forgery (@xbow, @dhiyaneshdk) [high] 🔥
• [CVE-2025-25256] Fortinet FortiSIEM - OS Command Injection (@watchtowr, @darses) [critical] 🔥 (kev) (vKEV)
• [CVE-2025-22457] Ivanti Connect Secure - Stack-based Buffer Overflow (@s4e-io) [critical] 🔥 (kev) (vKEV)
• [CVE-2025-4632] Samsung MagicINFO 9 Server - File Upload & Remote Code Execution (@s4e-io) [critical] 🔥 (kev) (vKEV)
• [CVE-2023-37988] Contact Form Generator <= 2.5.5 - Cross-Site Scripting (@0xr2r, @vats147) [medium] 🔥
• [CVE-2020-36708] WordPress Epsilon Framework Themes <=2.4.8 - RCE (@madrobot) [critical] 🔥 (kev) (vKEV)
• [CVE-2020-11975] Apache Unomi - Remote Code Execution (@Sourabh-Sahu) [critical] 🔥 (kev) (vKEV)
• [CVE-2018-0171] Cisco Smart Install - Configuration Download (@ritikchaddha) [critical] 🔥 (kev) (vKEV)

What's Changed

💰 Bounties Rewarded 💰

• CVE-2025-4632 - Samsung MagicINFO - Path Traversal 💰 (Issue #12946).
• CVE-2025-34035 - EnGenius EnShare Cloud Service - Command Injection 💰 (Issue #12920).
• CVE-2018-7841 - U.motion Builder - SQL Injection 💰 (Issue #12851).
• CVE-2018-19127 - PHPCMS 2008 - Remote Code Execution 💰 (Issue #12722).
• CVE-2020-11975 - Apache Unomi - Expression Language Injection 💰 (Issue #12668).
• CVE-2022-25237 - Bonita Web - Authorization Bypass 💰 (Issue #12656).

Bug Fixes

• Fixed matchers words in CVE-2000-0114.yaml (PR #13026).
• Fixed apache-rocketmq-broker-unauth.yaml false positive (PR #12942).
• Fixed false positive in composer-config.yaml (PR #12900).
• Fixed typo in CVE-2024-36104.yaml (PR #12898).
• Removed name bit in extractor section for grafana-detect template (PR #12911).

False Negatives

• Fixed swagger-api.yaml to reduce underreporting (Issue #12764).

False Positives

• Reduced false positives in composer-config.yaml (Issue #12863).
• Fixed false positives in CVE-2022-24493 template (PR #12966).
• Fixed false positives in wordpress-vulnerability-assessment (PR #12954).
• Multiple false positives reported and addressed (Issue #12956).

Enhancements

• Added Nuclei Templates v10.2.8 Release Prep (PR #13046).
• Updated KEV Tags (PR #12999).
• Added comprehensive template creation and review guides (PR #12935).
• Enhanced detection capabilities in multiple CVE templates.
• Added new detection templates for various services including MESHERY, Bugzilla, AEM Forms, and others.
• Created multiple CVE templates for new vulnerabilities (CVE-2025-53677, CVE-2025-3515, CVE-2025-25231, etc.).
• Updated protocol syntax and deprecated templates.
• Added Linux Audit Templates directory changes.
• Enhanced TFTP detection with additional matchers.

Templates Added

• [CVE-2025-57789] Commvault Initial Administrator Login Process Vulnerability (@dhiyaneshdk, @watchtowr) [medium]
• [CVE-2025-57788] Commvault Unauthenticated Password Disclosure (WT-2025-0047) (@dhiyaneshdk, @iamnoooob, @pdresearch, @watchtowr) [medium]
• [CVE-2025-55169] WeGIA - Directory Traversal (@praivesi) [critical]
• [CVE-2025-54589] Copyparty <=1.18.6 - Cross-Site Scripting (@s-cu-bot) [medium]
• [CVE-2025-54309] CrushFTP - Authentication Bypass Race Condition (@pussycat0x, @watchtowr, @dhiyaneshdk) [critical] 🔥 (kev) (vKEV)
• [CVE-2025-54125] XWiki XML View - Sensitive Information Exposure (@ritikchaddha) [high] 🔥
• [CVE-2025-53364] Parse Server - GraphQL Schema Information Disclosure (@securitytaters) [medium] 🔥
• [CVE-2025-51502] Microweber CMS 2.0 - Reflected XSS in Admin Page Creation (@nukunga) [medium] 🔥
• [CVE-2025-51501] Microweber CMS2.0 - Cross-Site Scripting (@nukunga) [medium] 🔥
• [CVE-2025-46554] XWiki REST API - Attachments Disclosure (@ritikchaddha) [high] 🔥
• [CVE-2025-34152] Shenzhen Aitemi M300 Wi-Fi Repeater – Unauthenticated Remote Command Execution via time Parameter (@Chocapikk, @dhiyaneshdk) [critical]
• [CVE-2025-34073] Maltrail <=0.54 Username Parameter - Remote Command Execution (@SeungAh-Hong) [critical] 🔥
• [CVE-2025-34035] EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution (@intelligent-ears) [critical]
• [CVE-2025-32970] XWiki WYSIWYG API - Open Redirect (@ritikchaddha) [medium] 🔥
• [CVE-2025-32969] XWiki REST API Query - SQL Injection (@ritikchaddha) [critical] 🔥
• [CVE-2025-32430] XWiki Platform - Cross-Site Scripting (@ritikchaddha) [medium] 🔥
• [CVE-2025-29925] XWiki REST API - Private Pages Disclosure (@ritikchaddha) [high] 🔥
• [CVE-2025-28906] Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting (@nblirwn) [medium]
• [CVE-2025-27888] Apache Druid - Server-Side Request Forgery (@xbow, @dhiyaneshdk) [high] 🔥
• [CVE-2025-25256] Fortinet FortiSIEM - OS Command Injection (@watchtowr, @darses) [critical] 🔥 (kev) (vKEV)
• [CVE-2025-25231] Omnissa Workspace ONE UEM - Path Traversal (@dhiyaneshdk, @slcyber) [high]
• [CVE-2025-22457] Ivanti Connect Secure - Stack-based Buffer Overflow (@s4e-io) [critical] 🔥 (kev) (vKEV)
• [CVE-2025-6934] The Opal Estate Pro – Property Management <= 1.7.5 - Unauthenticated Privilege Escalation (@pussycat0x) [critical]
• [CVE-2025-4632] Samsung MagicINFO 9 Server - File Upload & Remote Code Execution (@s4e-io) [critical] 🔥 (kev) (vKEV)
• [CVE-2025-1562] Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control (@s4e-io) [critical]
• [CVE-2023-37988] Contact Form Generator <= 2.5.5 - Cross-Site Scripting (@0xr2r, @vats147) [medium] 🔥
• [CVE-2023-27163] Request-Baskets <= 1.2.1 - Server Side Request Forgery (@Jaenact) [medium]
• [CVE-2023-1893] Login Configurator <=2.1 - Cross-Site Scripting (@0xr2r) [medium]
• [CVE-2020-36708] WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution (@madrobot) [critical] 🔥 (kev) (vKEV)
• [CVE-2020-11975] Apache Unomi - Remote Code Execution (@Sourabh-Sahu) [critical] 🔥 (kev) (vKEV)
• [CVE-2018-19127] PHPCMS 2008 - Remote Code Execution via Template Injection (@tomaquet18) [critical]
• [CVE-2018-7841] Schneider Electric U.motion Builder - Remote Code Execution (@darses, @rcesecurity) [critical]
• [CVE-2018-0171] Cisco Smart Install - Configuration Download (@ritikchaddha) [critical] 🔥 (kev) (vKEV)
• [autofs-service] Ensure autofs Service is Not Installed (@Th3l0newolf) [info]
• [avahi-daemon] Ensure Avahi Daemon Service is Not Installed (@Th3l0newolf) [info]
• [dhcp-server] Ensure DHCP Server Service is Not Installed (@Th3l0newolf) [info]
• [dns-server] Ensure DNS Server Service is Not Installed (@Th3l0newolf) [info]
• [dns-zone-transfer-any] DNS Zone Transfer Allowed to Any Host (@songyaeji) [high]
• [dnsmasq-service] Ensure dnsmasq Service is Not Installed (@Th3l0newolf) [info]
• [etc-services-permission-check] /etc/services Permission Check (@songyaeji) [high]
• [finger-service-enabled] Linux Finger Should Be Disabled (@songyaeji) [high]
• [ftp-client] Ensure FTP Client is Not Installed (@Th3l0newolf) [info]
• [ftp-server] Ensure FTP Server Service is Not Installed (@Th3l0newolf) [info]
• [home-env-permission] User Home Directory and Shell Environment File Ownership & Permission (@songyaeji) [medium]
• [inactive-password-lock-default] Ensure Inactive Password Lock is Configured (Default Setting) (@Th3l0newolf) [high]
• [ldap-client] Ensure LDAP Client is Not Installed (@Th3l0newolf) [info]
• [ldap-server] Ensure LDAP Server Service is Not Installed (@Th3l0newolf) [info]
• [linux-account-lockout-threshold] Linux Account Lockout Threshold Check (@songyaeji) [high]
• [linux-anonymous-ftp-enabled] Linux Anonymous FTP Access Enabled (@songyaeji) [high]
• [linux-automountd-enabled] Automountd Service Enabled (@songyaeji) [medium]
• [linux-cron-permissions-check] Cron Access File Ownership & Permissions (@songyaeji) [high]
• [linux-legacy-services-enabled] DoS Vulnerable Service Enabled (@songyaeji) [high]
• [linux-nis-service] NIS Service Should Be Disabled (@songyaeji) [high]
• [linux-nisplus-service] NIS+ Service Should Be Disabled (@songyaeji) [high]
• [linux-rexec-service] rexec Service Should Be Disabled (@songyaeji) [high]
• [linux-rhosts-hostsequiv-misconfig] Rhosts and Hosts.equiv Misconfiguration Check (@songyaeji) [high]
• [linux-rlogin-service] rlogin Service Should Be Disabled (@songyaeji) [high]
• [linux-root-remote-login] Linux Root Remote Login Enabled - Misconfig (@songyaeji) [high]
• [linux-rsh-service] rsh Service Should Be Disabled (@songyaeji) [high]
• [linux-world-writable-file] Linux World-Writable File Permission (@songyaeji) [high]
• [message-access-server] Ensure Message Access Server Service is Not Installed (@Th3l0newolf) [info]
• [nfs-daemon-service] NFS Service Daemon Should Be Disabled (@songyaeji) [high]
• [nfs-insecure-exports] NFS I...

Nuclei Templates v10.2.7 - Release Notes

New Templates Added: 50 | CVEs Added: 08 | First-time contributions: 3

🔥 Release Highlights 🔥

• [CVE-2025-54782] NestJS DevTools Integration - Remote Code Execution (@nukunga) [critical] 🔥
• [CVE-2025-25257] Fortinet FortiWeb - SQL Injection (@watchtowr, @johnk3r) [critical] 🔥 (KEV)
• [CVE-2025-8286] Güralp Systems FMUS Series - Unauthenticated Access (@darses) [critical] 🔥
• [CVE-2025-8191] Swagger UI >=3.14.1 < 3.38.0 - DOM Based Cross-Site Scripting (@dhiyaneshdk) [medium] 🔥
• [CVE-2025-5394] Unauthenticated Arbitrary Plugin Upload in Alone Theme (@Nxploited, @dhiyaneshdk) [critical] 🔥 (KEV)
• [CVE-2025-4334] Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation (@pussycat0x) [critical] 🔥
• [CVE-2024-2053] Artica Proxy - Unauthenticated LFI (@pussycat0x) [high] 🔥
• [CVE-2022-25237] Bonita Web 2021.2 - Authentication/Authorization Bypass (@Sourabh-Sahu) [critical] 🔥 (KEV)

What's Changed

• [CVE-2025-54782] NestJS DevTools Integration - Remote Code Execution (@nukunga) [critical] 🔥
• [CVE-2025-53558] ZTE ZXHN-F660T/F660A - Default Credentials (@dhiyaneshdk) [high]
• [CVE-2025-48954] Discourse OAuth Social Login - Cross-site Scripting (@ferreiraklet, @dhiyaneshdk, @pdresearch) [high]
• [CVE-2025-44177] White Star Software ProTop - Directory Traversal (@s-cu-bot) [high]
• [CVE-2025-25257] Fortinet FortiWeb - SQL Injection (@watchtowr, @johnk3r) [critical] 🔥 (KEV)
• [CVE-2025-8286] Güralp Systems FMUS Series - Unauthenticated Access (@darses) [critical] 🔥
• [CVE-2025-8191] Swagger UI >=3.14.1 < 3.38.0 - DOM Based Cross-Site Scripting (@dhiyaneshdk) [medium] 🔥
• [CVE-2025-6197] Open Redirect via Organization Switching (@iamnoooob, @pdresearch) [medium]
• [CVE-2025-5394] Unauthenticated Arbitrary Plugin Upload in Alone Theme (@Nxploited, @dhiyaneshdk) [critical] 🔥 (KEV)
• [CVE-2025-4334] Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation (@pussycat0x) [critical] 🔥
• [CVE-2025-1595] EasyCVR <=2.1.2 - Information Disclosure (@ritikchaddha) [medium]
• [CVE-2024-2053] Artica Proxy - Unauthenticated LFI (@pussycat0x) [high] 🔥
• [CVE-2022-25237] Bonita Web 2021.2 - Authentication/Authorization Bypass (@Sourabh-Sahu) [critical] 🔥 (KEV)
• [apache-inlong-default-login] Apache InLong - Default Login (@icarot) [high]
• [openmetadata-default-login] OpenMetadata - Default Login (@icarot) [high]
• [meddream-dicom-viewer-panel] MedDream DICOM Viewer - Panel (@darses) [info]
• [opensign-panel] OpenSign Login Panel - Detect (@righettod) [info]
• [scalar-detection] Scalar API Documentation - Detect (@recepgunes) [info]
• [suse-manager-panel] SUSE Manager Server - Panel (@darses) [info]
• [dnt-policy-detect] DNT Policy Declaration (@rxerium) [info]
• [zipline-installer] Zipline - Installer (@pussycat0x) [critical]
• [titiler-ssrf] TiTiler - Blind Server Side Request Forgery (@xbow, @dhiyaneshdk) [high]
• [tomcat-directory-listing] Apache Tomcat - Directory Listing Enabled (@oleveloper) [medium]
• [9gag] 9GAG User Name Information - Detect (@princechaddha, @rxerium) [info]
• [apple-developer] Apple Developer User Name Information - Detect (@princechaddha, @rxerium) [info]
• [apple-discussions] Apple Discussions User Name Information - Detect (@princechaddha, @rxerium) [info]
• [atcoder] AtCoder User Name Information - Detect (@princechaddha, @rxerium) [info]
• [bluesky] Bluesky User Name Information - Detect (@princechaddha, @rxerium) [info]
• [cgtrader] CGTrader User Name Information - Detect (@princechaddha, @rxerium) [info]
• [codechef] CodeChef User Name Information - Detect (@princechaddha, @rxerium) [info]
• [geeksforgeeks] GeeksforGeeks User Name Information - Detect (@princechaddha, @rxerium) [info]
• [genius-users] Genius Users User Name Information - Detect (@princechaddha, @rxerium) [info]
• [giant-bomb] Giant Bomb User Name Information - Detect (@princechaddha, @rxerium) [info]
• [hudsonrock] HudsonRock User Name Information - Detect (@princechaddha, @rxerium) [info]
• [kaskus] Kaskus User Name Information - Detect (@princechaddha, @rxerium) [info]
• [lastfm] Last.fm User Name Information - Detect (@princechaddha, @rxerium) [info]
• [letterboxd] Letterboxd User Name Information - Detect (@princechaddha, @rxerium) [info]
• [mixcloud] Mixcloud User Name Information - Detect (@princechaddha, @rxerium) [info]
• [monkeytype] Monkeytype User Name Information - Detect (@princechaddha, @rxerium) [info]
• [mydramalist] MyDramaList User Name Information - Detect (@princechaddha, @rxerium) [info]
• [nationstates-nation] NationStates Nation User Name Information - Detect (@princechaddha, @rxerium) [info]
• [replit] Replit User Name Information - Detect (@princechaddha, @rxerium) [info]
• [reverbnation] ReverbNation User Name Information - Detect (@princechaddha, @rxerium) [info]
• [runescape] RuneScape User Name Information - Detect (@princechaddha, @rxerium) [info]
• [scribd] Scribd User Name Information - Detect (@princechaddha, @rxerium) [info]
• [sketchfab] Sketchfab User Name Information - Detect (@princechaddha, @rxerium) [info]
• [slack] Slack User Name Information - Detect (@princechaddha, @rxerium) [info]
• [strava] Strava User Name Information - Detect (@princechaddha) [info]
• [topcoder] Topcoder User Name Information - Detect (@princechaddha, @rxerium) [info]
• [weblate] Weblate User Name Information - Detect (@princechaddha, @rxerium) [info]
• [younow] YouNow User Name Information - Detect (@princechaddha, @rxerium) [info]
• [apache-inlong-detect] Apache InLong - Detect (@icarot) [info]
• [nocobase-detect] NocoBase - Detect (@fur1na) [info]
• [openmetadata-detect] OpenMetadata - Detect (@icarot) [info]
• [easycvr-user-info-disclosure] EasyCVR User - Information Disclosure (@dostghost) [medium]

New Contributors

• @Sourabh-Sahu made their first contribution in #12657
• @s-cu-bot made their first contribution in #12749
• @oleveloper made their first contribution in #12761

Full Changelog: v10.2.6...v10.2.7