CVE-2026-41646

EPSS 0.11%
Veröffentlicht 08.05.2026 03:14:49
Zuletzt bearbeitet 08.05.2026 19:42:59
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nuclei: Local File Read via require() Module Loader Bypass

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Projectdiscovery ≫ Nuclei SwPlatformgo Version >= 3.0.0 < 3.8.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.018

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-29rg-wmcw-hpf4

Patch

Vendor Advisory

Mitigation

https://github.com/projectdiscovery/nuclei/pull/7332

Patch

Issue Tracking

https://github.com/projectdiscovery/nuclei/commit/6f2ade6a9b427c284c15a43445f9c7f055e60e5d

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-41646

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-41646

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-41646

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-41646