Nuclei Templates v10.4.5 - Release Notes

@princechaddha released this 23 Jun 19:17

New Templates Added: 86 | CVEs Added: 64 | First-time contributions: 22

🔥 Release Highlights 🔥

What's Changed

Bug Fixes

  • Fixed invalid double-port URL construction in hpe-autopass-panel where {{Hostname}} was used instead of {{Host}}, producing malformed URLs like hostname:6274:5814/autopass (PR #16316, Issue #16315).
  • Fixed incorrect CVE assignment in a contributed template, correcting the CVE ID to match the actual vulnerability (PR #16397, Issue #16388).
  • Fixed username variable syntax error in CVE-2026-44551.yaml causing broken authentication attempts (PR #16341).
  • Corrected broken reference links in CVE-2020-27361.yaml (PR #16403).
  • Fixed typo in tags field of wp-jetpack-ssrf.yaml (PR #16347).
  • Moved CVE-2020-14644.yaml to the correct folder in the repository structure (PR #16432).

False Negatives

  • Fixed a broken regex in the waf-detect BIG-IP ASM matcher that used start-of-response anchors (\A, ^) against a blob beginning with the HTTP status line — the Set-Cookie: TS… header could never match, causing BIG-IP hosts to be reported as "no WAF" (PR #16437).
  • Fixed exposed-dockerd.yaml which could never produce a result because it probed a non-existent endpoint; Docker's Server: header only appears on valid endpoint responses such as /_ping (PR #16332).
  • Added detection for CVE-2018-11776 (Apache Struts2 S2-057) configurations that respond with a 302 redirect and embed OGNL output in the Location header, which the template previously missed entirely (PR #16406).
  • Fixed false negative detection in CVE-2025-51586 template (PR #16264).
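The anchoring mistake behind the BIG-IP ASM fix above is easy to reproduce. This Go snippet is an added illustration, not code from the nuclei-templates repository or from PR #16437: the TS cookie pattern tail and both sample responses are constructed. It runs a `\A`-anchored regex and a `(?m)^`-anchored regex over a response blob that begins with the status line, using Go's regexp package, which Nuclei is built on.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample: the blob a Nuclei matcher sees, with the HTTP status
// line first and a BIG-IP ASM style TS cookie further down. Values are made up.
const bigipResponse = "HTTP/1.1 200 OK\r\n" +
	"Content-Type: text/html\r\n" +
	"Set-Cookie: TS01a2b3c4=0123456789abcdef; Path=/\r\n" +
	"\r\n<html></html>"

// Constructed sample from a host without the TS cookie; the fixed matcher
// must still stay quiet here so the fix does not trade a false negative for
// a false positive.
const plainResponse = "HTTP/1.1 200 OK\r\n" +
	"Set-Cookie: session=abc123; Path=/\r\n" +
	"\r\n<html></html>"

// brokenMatcher anchors at the start of the whole text (\A), so it can only
// match if the Set-Cookie header were the very first bytes of the response.
// It never is: the status line is. The pattern tail is an assumed illustration.
var brokenMatcher = regexp.MustCompile(`\ASet-Cookie: TS[0-9a-f]+=`)

// fixedMatcher turns on multi-line mode so ^ anchors at the start of every
// line, which is where a header name actually sits.
var fixedMatcher = regexp.MustCompile(`(?m)^Set-Cookie: TS[0-9a-f]+=`)

// BrokenMatches reports whether the start-of-text anchored regex fires.
func BrokenMatches(resp string) bool { return brokenMatcher.MatchString(resp) }

// FixedMatches reports whether the per-line anchored regex fires.
func FixedMatches(resp string) bool { return fixedMatcher.MatchString(resp) }

func main() {
	fmt.Println("broken matcher on BIG-IP response:", BrokenMatches(bigipResponse)) // false
	fmt.Println("fixed matcher on BIG-IP response:", FixedMatches(bigipResponse))   // true
	fmt.Println("fixed matcher on plain response:", FixedMatches(plainResponse))    // false
}
```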

False Positives

  • Fixed false positives in CVE-2026-10795 (UpdraftPlus UpdraftCentral auth bypass) where the template incorrectly flagged non-WordPress hosts such as Zimbra webmail servers (PR #16418).
  • Fixed false positives in CVE-2020-5776 (Magnolia CMS) template (PR #16408, Issue #16323).
  • Fixed false positives in app-manager-default-login where the strings Super Administrator and Add Application appear on the unauthenticated login page, causing the template to fire even when default credentials fail (PR #16398, Issue #12959).
  • Fixed ikev2-transforms-enum matcher that always triggered regardless of target (PR #16352, Issue #16351).
  • Tightened janitza-umg-panel matcher that was matching on the generic string UMG alone, now requiring Janitza electronics in combination (PR #16344, Issue #16330).
  • Added negative matcher to trace-axd-expose.yaml to suppress false positives when ASP.NET returns a 403 (trace endpoint blocked, not exposed) (PR #16329).
  • Tightened matcher in aveva-intouch-access-anywhere-panel to eliminate false positives on unrelated hosts (PR #16295).
  • Tightened matcher in trendmicro-apexone-panel to prevent false positives on non-Apex One targets (PR #16265).
  • Replaced single-request time-based detection in CVE-2023-5652 (WP Hotel Booking) with differential timing to eliminate false positives on high-latency servers (PR #15954).

Enhancements

  • Converted the brightsign-dsdws-ssrf workflow template to a properly classified CVE-2020-36884 code template with complete CVE metadata, references, and classification tags while preserving existing detection logic (PR #16260).

Templates Added

  • [CVE-2026-55592] Dashy <= 4.3.6 - Reflected XSS via Workspace (@0x_Akoko) [medium]
  • [CVE-2026-54236] vLLM <= 0.23.0 - Anthropic Router Heap Address Information Leak (@kenlacroix) [medium]
  • [CVE-2026-54157] LobeHub LobeChat <= 2.1.56 - Server-Side Request Forgery (@0xj3st3r) [medium]
  • [CVE-2026-54069] SiYuan Note <= 3.6.5 - Auth Bypass (@0x_Akoko) [high]
  • [CVE-2026-54066] SiYuan <= 3.6.5 - Unauth Path Traversal (@0x_Akoko) [high]
  • [CVE-2026-53787] Magento 2 Amasty Order Attributes < 4.0.0 - Unauth Arbitrary File Upload (@0x_Akoko) [critical] 🔥
  • [CVE-2026-50751] Check Point IKEv1 Remote-Access VPN - Certificate Auth Bypass (@watchtowr, @dhiyaneshdk) [critical] (vKEV) 🔥
  • [CVE-2026-50230] Lyrion Music Server <= 9.2.0 - Cross-Site Scripting (@0x_Akoko) [medium]
  • [CVE-2026-49777] WordPress Product Slider Pro for WooCommerce < 3.5.4 - Supply Chain Backdoor RCE (@dhiyaneshdk) [critical] (vKEV) 🔥
  • [CVE-2026-48907] Joomla! JCE extension < 2.9.99.5 Unauth RCE (@ywh-jfellus) [critical] (vKEV) 🔥
  • [CVE-2026-48710] Starlette - Improper Validation of Unsafe Equivalence in Input (@ritikchaddha) [critical] 🔥
  • [CVE-2026-47717] FUXA 1.3.0 - Unauth ICS/SCADA Project Data Disclosure (@pussycat0x) [high]
  • [CVE-2026-47670] DbGate - Remote Code Execution via Dynamic Import Bypass (@theamanrawat) [critical]
  • [CVE-2026-46364] phpMyFAQ <= 4.1.1 - SQL Injection (@dhiyaneshdk) [critical]
  • [CVE-2026-45397] Open WebUI < 0.9.5 - Information Disclosure (@0x_Akoko) [medium]
  • [CVE-2026-45298] Dozzle - Server Side Request Forgery (@theamanrawat) [high]
  • [CVE-2026-44551] Open WebUI 'LDAP Empty Password' - Auth Bypass (@dhiyaneshdk) [critical] 🔥
  • [CVE-2026-44338] PraisonAI - Auth Bypass (@jnoza) [high] (vKEV) 🔥
  • [CVE-2026-44262] Scramble Laravel - Remote Code Execution (@joshuavanderpoll) [critical] 🔥
  • [CVE-2026-42647] JoomSport <= 5.7.7 - SQL Injection (@theamanrawat) [critical] (vKEV) 🔥
  • [CVE-2026-42589] Gotenberg - Command Injection (@fineman999) [critical] (vKEV) 🔥
  • [CVE-2026-42271] LiteLLM - Command Injection (@ritikchaddha) [critical] (vKEV) 🔥
  • [CVE-2026-42208] LiteLLM - SQL Injection (@HAERIN-L) [critical] (vKEV) 🔥
  • [CVE-2026-41492] Dgraph <= 25.3.2 - Admin Token Disclosure (@divine Balija) [critical]
  • [CVE-2026-40151] PraisonAI AgentOS - Information Disclosure (@Aryu-RU) [medium]
  • [CVE-2026-35273] Oracle PeopleSoft PeopleTools PSEMHUB - Pre-Auth Java Deserialization RCE (@dhiyaneshdk) [critical] (vKEV) 🔥
  • [CVE-2026-34910] UniFi OS Server - Command Injection (@Kazgangap) [critical] (vKEV) 🔥
  • [CVE-2026-33476] SiYuan <= v3.6.1 - Path Traversal (@WRG-11) [high]
  • [CVE-2026-31431] Copy Fail - Linux Kernel Local Privilege Escalation via AF_ALG (@ritikchaddha) [high] (vKEV) 🔥
  • [CVE-2026-29059] Windmill/Nextcloud Flow < 1.603.3 - Unauth Path Traversal (@0x_Akoko) [critical] 🔥
  • [CVE-2026-27833] Piwigo < 16.3.0 - Unauth Information Disclosure via History API (@0x_Akoko) [high]
  • [CVE-2026-27826] mcp-atlassian < 0.17.0 - Server-Side Request Forgery (@eyangfeng88-arch) [high]
  • [CVE-2026-27771] Gitea Container Registry - Unauthorized Private Image Access (@dhiyaneshdk) [high]
  • [CVE-2026-27760] OpenCATS - Command Injection (@theamanrawat) [high] (vKEV) 🔥
  • [CVE-2026-26190] Milvus - Unauth Metrics API Access (@WRG-11) [critical] 🔥
  • [CVE-2026-25555] OpenBullet2 <= 0.3.2 - Auth Bypass (@0x_Akoko) [critical]
  • [CVE-2026-25527] changedetection.io <= 0.52.9 - Unauth Path Traversal (@WRG-11) [medium]
  • [CVE-2026-22557] UniFi Network Application - Path Traversal (@Aryu-RU) [critical] 🔥
  • [CVE-2026-20253] Splunk Enterprise & Cloud Platform - Unrestricted File Upload (@watchtowrlabs, @dhiyaneshdk) [critical] (vKEV) 🔥
  • [CVE-2026-10795] UpdraftPlus WP Backup & Migration Plugin - Auth Bypass (@theamanrawat, @s4e-io) [high] (vKEV) 🔥
  • [CVE-2026-10580] Hippoo Mobile App for WooCommerce <= 1.9.4 - Auth Bypass to Admin Account Takeover (@pussycat0x) [critical]
  • [CVE-2026-10520] Ivanti Sentry - OS Command Injection (@dhiyaneshdk) [critical] (vKEV) 🔥
  • [CVE-2026-9290] WP User Manager – User Profile Builder & Membership - Local File Inclusion (@theamanrawat) [high]
  • [CVE-2026-8839] WordPress MapPress Maps <= 2.96.6 - Unauth IDOR (@0x_Akoko) [medium]
  • [CVE-2026-8054] dotCMS Core Publish Audit API - Unauth SQL Injection (@dhiyaneshdk) [critical]
  • [CVE-2026-7798] WordPress FluentCRM <= 2.9.87 - Unauth Blind SSRF (@0x_Akoko) [medium]
  • [CVE-2026-5073] WordPress ARMember Premium <= 7.3.1 - Unauth SQL Injection (@dhiyaneshdk) [critical] (vKEV) 🔥
  • [CVE-2026-5027] Langflow <= 1.8.4 - Path Traversal to RCE via File Upload (@pussycat0x) [high] (vKEV) 🔥
  • [CVE-2026-4480] Samba Printing Subsystem - Remote Code Execution (@projectdiscovery) [critical] 🔥
  • [CVE-2026-3300] Everest Forms Pro <= 1.9.12 - Unauth RCE via Calculation Formula Injection (@dhiyaneshdk) [critical] (vKEV) 🔥
  • [CVE-2026-3018] WordPress Newsletters <= 4.13 - Unauth SQL Injection (@pussycat0x) [high] (vKEV) 🔥
  • [CVE-2026-2652] MLflow < 3.10.0 - Auth Bypass on FastAPI Routes (@dhiyaneshdk) [high]
  • [CVE-2026-0257] Palo Alto Networks PAN-OS - Auth Bypass (@dhiyaneshdk, @sfewer-r7) [critical] (vKEV) 🔥
  • [CVE-2025-61224] DokuWiki <= 2025-05-14a Librarian - Reflected Cross-Site Scripting (@lolkatz, @0x_Akoko) [medium]
  • [CVE-2025-49001] DataEase < 2.10.10 - JWT Auth Bypass (@YunSeoJo, @Aryu-RU) [critical] 🔥
  • [CVE-2025-47783] Label Studio < 1.18.0 - Reflected XSS (@0x_Akoko) [medium]
  • [CVE-2025-25296] Label Studio < 1.16.0 - Cross-Site Scripting (@0x_Akoko) [medium]
  • [CVE-2025-13773] WordPress Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Remote Code Execution (@PikaJuna-ops) [critical] (vKEV) 🔥
  • [CVE-2025-13339] Hippoo Mobile App for WooCommerce <= 1.7.1 - Unauth Arbitrary File Read (@pussycat0x) [high]
  • [CVE-2024-12008] W3 Total Cache < 2.8.2 - Log File Exposure (@ritikchaddha) [medium]
  • [CVE-2024-6569] Campaign Monitor for WordPress - Information Disclosure (@aushack) [medium]
  • [CVE-2022-44727] PrestaShop lgcookieslaw - SQL Injection (@mastercho) [critical]
  • [CVE-2021-3239] E-Learning System 1.0 - SQL Injection (@xuxeong) [critical]
  • [CVE-2020-36884] BrightSign Digital Signage 8.2.26 - Server-Side Request Forgery (@0x_Akoko) [medium]
  • [advantech-webaccess-panel] Advantech WebAccess/SCADA - Panel (@0x_Akoko) [info]
  • [baserow-login-panel] Baserow Login - Panel Detect (@Th3l0newolf) [info]
  • [bytebase-auth-panel] Bytebase Auth - Panel Detect (@Th3l0newolf) [info]
  • [homarr-panel] Homarr Dashboard - Detect (@potato-20) [info]
  • [ibm-webmethods-panel] IBM webMethods Integration Login Panel - Detect (@infosec.asish) [info]
  • [ivanti-sentry-panel] Ivanti Sentry Panel - Detect (@dhiyaneshdk) [info]
  • [kargo-login] Kargo Login Panel - Detect (@theamanrawat) [info]
  • [ligolo-ng-panel] Ligolo-ng Panel - Detect (@Kazgangap) [info]
  • [mixpost-auth-panel] Mixpost Auth Login - Panel Detect (@Th3l0newolf) [info]
  • [rallly-login-panel] Rallly Login - Panel Detect (@Th3l0newolf) [info]
  • [stackstorm-web-ui-panel] StackStorm Web UI - Panel Detect (@Th3l0newolf) [info]
  • [vikunja-panel] Vikunja Login Panel - Detect (@matheusalbarello) [info]
  • [google-service-info-plist] GoogleService-Info.plist - Detect (@cyberguy-somnath) [info]
  • [hexstrike-ai-config] HexStrike AI MCP Agents - Config (@icarot) [info]
  • [a2a-agent-card-enum] Google A2A Agent Card - Enumeration (@0x_Akoko) [info]
  • [dlink-dsl2600u-rom0-disclosure] D-Link DSL2600U - Unauth rom-0 Configuration Disclosure (@0x_Akoko) [high]
  • [budibase-admin-installer] Budibase - Admin Installer (@0x_Akoko) [high]
  • [postiz-registration-enabled] Postiz - User Registration Enabled (@Th3l0newolf) [info]
  • [unauth-mulesoft-dataweave] MuleSoft DataWeave Interactive Learning Environment - Unauth Access (@Th3l0newolf) [high]
  • [dify-ssrf-remote-upload] Dify < 1.13.0 - Unauth SSRF via Remote File Upload (@0x_Akoko) [high]
  • [yeswiki-reflected-xss] YesWiki - Cross-Site Scripting (@MuhammadWaseem) [high]
  • [phpldapadmin-workflow] phpLDAPadmin Security Checks (@SadDrummer) []

New Contributors

Full Changelog: v10.4.4...v10.4.5