CVE-2026-41646

Published: May 8, 2026Modified: May 8, 2026

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0.

Affected (1)

Products: Projectdiscovery: Nuclei

Projectdiscovery

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Projectdiscovery Nuclei	From 3.0.0 to 3.8.0

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/projectdiscovery/nuclei/commit/6f2ade6a9b427c284c15a43445f9c7f055e60e5d

Source: security-advisories@github.com

Patch

https://github.com/projectdiscovery/nuclei/pull/7332

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-29rg-wmcw-hpf4

Source: security-advisories@github.com

MitigationPatchVendor Advisory

https://github.com/projectdiscovery/nuclei/pull/7332

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Issue TrackingPatch

Timeline

No history available yet.