Blog
-

6 min read

Hacktober 2025 - Nuclei Templates

Hacktober 2025 - Nuclei Templates

Share

Summary of Releases v10.3.0 & v10.3.1

This month, we had two major releases of Nuclei Templates, introducing numerous improvements and new templates for Nuclei users.

🚀 Hacktober Stats

Release New Templates Added CVEs Added First-time Contributors Bounties Awarded
v10.3.0 124 90 6 12
v10.3.1 119 88 10 12
Total 243 178 16 24

Introduction

October was huge for Nuclei Templates, two releases (v10.3.0 & v10.3.1) dropped during Hacktoberfest, adding coverage for 44 actively exploited KEVs from CISA’s list, enabling users to address the most urgent security risks promptly.

We also added templates for trending 2025 CVEs, including CVE-2025-61882 (Oracle E-Business Suite RCE) and CVE-2025-49844 (Redis Lua sandbox escape), fresh threats, ready to scan.

The community stepped up big time: 287 pull requests so far in Hacktoberfest, 16 first-time contributors, and 24 bounties rewarded through the Template Bounty Program. Huge thanks to everyone who contributed. Open source security just got stronger.

New Templates Added

Across both releases, 243 new templates were added, thanks to relentless contributions from the global community. These additions focus on accurate detection of critical weaknesses, enabling proactive defense before exploitation occurs.

Trending CVEs Added

Among the new templates, 178 CVEs were added, keeping you up to date with the latest security vulnerabilities.
Notably, the release includes coverage of trending ones like CVE-2025-61882 (Oracle E-Business Suite RCE, in CISA KEV), CVE-2025-49844 (Redis Lua sandbox escape), CVE-2025-46817, CVE-2025-46818, CVE-2025-46819 (Redis Lua engine vulnerabilities), CVE-2025-54253 (Adobe Experience Manager Forms), CVE-2025-54251, CVE-2025-54249 (Adobe Experience Manager), and CVE-2025-10035 (GoAnywhere - Auth Bypass), all targeting platforms widely deployed in enterprise networks. These CVE templates help users identify and resolve critical issues before attackers can exploit them.

Highlighted CVE Templates

Templates marked with 🔥 highlight high-risk vulnerabilities that are actively exploited.

Highlighted CVE Templates from v10.3.0 & v10.3.1 (🔥)

  • 🔥 [CVE-2025-61882] Oracle E-Business Suite 12.2.3–12.2.14 – RCE
  • 🔥 [CVE-2025-54251] Adobe Experience Manager ≤ 6.5.23.0 - XML Injection
  • 🔥 [CVE-2025-54249] Adobe Experience Manager ≤ 6.5.23.0 – SSRF
  • 🔥 [CVE-2025-49844] Redis Lua Parser < 8.2.2 - Use After Free
  • 🔥 [CVE-2025-49825] Teleport - Auth Bypass
  • 🔥 [CVE-2025-46819] Redis < 8.2.1 Lua Long-String Delimiter - Out-of-Bounds Read
  • 🔥 [CVE-2025-46818] Redis Lua Sandbox < 8.2.2 - Cross-User Escape
  • 🔥 [CVE-2025-46817] Redis < 8.2.1 lua script - Integer Overflow
  • 🔥 [CVE-2025-36604] Dell UnityVSA < 5.5 - Remote Command Injection
  • 🔥 [CVE-2025-20362] Cisco Secure Firewall ASA & FTD - Auth Bypass
  • 🔥 [CVE-2025-20281] Cisco ISE - Remote Code Execution
  • 🔥 [CVE-2025-10035] GoAnywhere - Auth Bypass
  • 🔥 [CVE-2025-0282] Ivanti Connect Secure - Stack-based Buffer Overflow
  • 🔥 [CVE-2024-42009] Roundcube Webmail - Cross-Site Scripting
  • 🔥 [CVE-2024-0593] WordPress Simple Job Board - Unauthorized Data Access
  • 🔥 [CVE-2023-40044] WS_FTP Server - Insecure Deserialization
  • 🔥 [CVE-2023-37582] Apache RocketMQ - Remote Command Execution
  • 🔥 [CVE-2023-3519] Citrix NetScaler ADC and NetScaler Gateway - RCE
  • 🔥 [CVE-2023-26258] Arcserve UDP <= 9.0.6034 - Auth Bypass
  • 🔥 [CVE-2023-21839] Oracle WebLogic Server - Unauthorized Access
  • 🔥 [CVE-2023-6933] Better Search Replace < 1.4.5 - PHP Object Injection
  • 🔥 [CVE-2023-5559] 10Web Booster < 2.24.18 - Arbitrary Option Deletion
  • 🔥 [CVE-2023-4666] Form-Maker < 1.15.20 - Unauth Arbitrary File Upload
  • 🔥 [CVE-2022-41352] Zimbra Collaboration - Unrestricted File Upload
  • 🔥 [CVE-2022-38627] Nortek Linear eMerge E3-Series - SQL Injection
  • 🔥 [CVE-2022-3590] WordPress <= 6.2 - Server Side Request Forgery
  • 🔥 [CVE-2022-3481] NotificationX Dropshipping < 4.4 - SQL Injection
  • 🔥 [CVE-2022-3477] WordPress tagDiv Composer < 3.5 - Auth Bypass
  • 🔥 [CVE-2022-31711] VMware vRealize Log Insight < v8.10.2 - Information Disclosure
  • 🔥 [CVE-2022-31706] VMware vRealize Log Insight - Path Traversal
  • 🔥 [CVE-2022-31704] VMware vRealize Log Insight - Improper Access Control
  • 🔥 [CVE-2022-24682] Zimbra Collaboration Suite < 8.8.15 - Improper Encoding
  • 🔥 [CVE-2022-24086] Adobe Commerce (Magento) - Remote Code Execution
  • 🔥 [CVE-2022-22956] VMware Workspace ONE Access - Auth Bypass
  • 🔥 [CVE-2021-42359] WP DSGVO Tools <= 3.1.23 - Arbitrary Post Deletion
  • 🔥 [CVE-2021-34622] WordPress ProfilePress <= 3.1.3 - Privilege Escalation
  • 🔥 [CVE-2021-33766] Microsoft Exchange - Authentication Bypass
  • 🔥 [CVE-2021-32478] Moodle 3.8-3.10.3 - Reflected XSS & Open Redirect
  • 🔥 [CVE-2021-30118] Kaseya VSA < 9.5.7 - Arbitrary File Upload
  • 🔥 [CVE-2021-30116] Kaseya VSA < 9.5.7 - Credential Disclosure
  • 🔥 [CVE-2021-26072] Atlassian Confluence < 5.8.6 - Server-Side Request Forgery
  • 🔥 [CVE-2021-24220] Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload
  • 🔥 [CVE-2021-24295] Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 - Unauth Blind SQLi
  • 🔥 [CVE-2021-24175] The Plus Addons for Elementor Page Builder < 4.1.7 - Auth Bypass
  • 🔥 [CVE-2021-20021] SonicWall Email Security <= 10.0.9.x - Unauth Admin Account Creation
  • 🔥 [CVE-2021-4380] Pinterest Automatic < 4.14.4 - Arbitrary Options Update
  • 🔥 [CVE-2021-3287] Zoho ManageEngine OpManager < 12.5.329 - Remote Code Execution
  • 🔥 [CVE-2020-3952] VMware vCenter Server LDAP Broken Access Control
  • 🔥 [CVE-2020-36731] Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauth Arbitrary Plugin Settings Update
  • 🔥 [CVE-2020-36719] ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation
  • 🔥 [CVE-2020-36705] Adning Advertising <= 1.5.5 - Arbitrary File Upload
  • 🔥 [CVE-2020-2883] Oracle WebLogic Server - Remote Code Execution
  • 🔥 [CVE-2020-13640] wpDiscuz <= 5.3.5 - SQL Injection
  • 🔥 [CVE-2020-9480] Apache Spark - Auth Bypass
  • 🔥 [CVE-2020-8657] EyesOfNetwork - Hardcoded API Key
  • 🔥 [CVE-2020-8656] EyesOfNetwork - Hardcoded API Key & SQL Injection
  • 🔥 [CVE-2019-25152] Abandoned Cart Lite for WooCommerce < 5.2.0 - Cross-Site Scripting
  • 🔥 [CVE-2019-17232] WordPress Ultimate FAQs <= 1.8.24 – Unauth Options Import and Export
  • 🔥 [CVE-2019-16072] Enigma NMS < 65.0.0 - Authenticated OS Command Injection
  • 🔥 [CVE-2019-12989] Citrix SD-WAN and NetScaler SD-WAN - SQL Injection
  • 🔥 [CVE-2019-11886] Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation
  • 🔥 [CVE-2019-9621] Zimbra Collaboration Suite - SSRF
  • 🔥 [CVE-2019-7276] Optergy Proton/Enterprise - Unauth RCE via Backdoor Console
  • 🔥 [CVE-2019-6703] Total Donations Plugin for WordPress < 2.0.6 - Arbitrary Options Update
  • 🔥 [CVE-2018-18325] DotNetNuke 9.2 - 9.2.2 - Weak Encryption & Cookie Deserialization
  • 🔥 [CVE-2018-15811] DotNetNuke 9.2 - 9.2.1 - Weak Encryption & Cookie Deserialization
  • 🔥 [CVE-2018-1217] Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control
  • 🔥 [CVE-2018-11138] Quest KACE System Management Appliance 8.0.318 - RCE
  • 🔥 [CVE-2017-18362] Kaseya VSA 2017 ConnectWise ManagedITSync - RCE
  • 🔥 [CVE-2016-10972] Newspaper Theme 6.4–6.7.1 - Privilege Escalation
  • 🔥 [CVE-2010-20103] ProFTPd-1.3.3c - Backdoor Command Execution

🛠️ Bug Fixes and Enhancements

We’ve made several improvements in v10.3.0 and v10.3.1 to ensure templates are accurate, easy to use, and reliable during scans. This includes updating metadata, cleaning up tags, and fixing issues that could cause false positives or negatives.

False Negatives

  • Addressed CORS detection for OWASP JuiceShop Access-Control-Allow-Origin: * (Issue #13402)
  • Addressed false negative in CVE-2025-61882 template (Issue #13540)
  • Addressed false negative in generic-linux-lfi.yaml (Issue #12864)
  • Addressed false negative in CVE-2023-20198 Cisco IOS XE RCE (Issue #12324)

False Positives

Reduced false positives and improved accuracy in the following templates:

Enhancements

  • Enhanced Google CSP bypass detection vector (PR #13500)
  • Added user and password fields to config-json.yaml for better extraction (PR #13445)
  • Improved vKEV workflow and updated missing tags (PR #13374)
  • Added credentialed CORS with reflected Origin detection (PR #13441)
  • Added blind SSRF (OAST) multiparam fuzzing template (PR #13440)
  • Added Swagger/OpenAPI/GraphQL API inventory template (PR #13442)
  • Implemented asset-discovery vs. vulnerability-detection distinction across templates (PR #13648)
  • Enhanced HashiCorp Vault detection by removing vault-unsealed-unauth and improving hashicorp-vault-detect (PR #13660)
  • Enhanced XWiki RCE detection capabilities (PR #13684)
  • Added new POC for yonyou-nc-arbitrary-file-read (PR #13624)
  • Improved Moodle changelog file detection for newer versions (PR #13654)
  • Removed cloudapp.net from takeover templates as no longer exploitable (PR #13679)
  • Enhanced SNMPv3 fingerprint detection (PR #13661)

Community Spotlight

A huge shoutout to our 16 first-time contributors this Hacktoberfest:

Your contributions are greatly appreciated and help strengthen the Nuclei.

Stay Connected

Stay in the loop with the latest Nuclei developments:

Let’s keep pushing the boundaries of open-source security together!