Nuclei & Templates

Nuclei Templates - April 2026

By Dhiyaneshwaran

6 min read

Nuclei Templates - April 2026

Share

Two releases shipped this cycle - v10.4.2 (April 15) and v10.4.3 (May 5) - delivering deep KEV coverage, a major push into AI/LLM attack surface, fresh Perforce visibility, and broad quality improvements across the template library.

๐Ÿš€ April Stats

Release New Templates CVEs Added First-time Contributors
v10.4.2 121 61 15
v10.4.3 105 62 12
Total 226 123 27
  • 226 new templates shipped across both releases
  • 123 CVEs covered, including ~10 actively exploited vulnerabilities from CISA's KEV catalog
  • 27 first-time contributors joined the community
  • 32 critical/high vulnerabilities flagged as ๐Ÿ”ฅ release highlights

๐Ÿ”ฅ Highlighted CVE Templates from v10.4.2 & v10.4.3

KEV-listed / actively exploited:

  • ๐Ÿ”ฅ [CVE-2026-41940] - cPanel & WHM Auth Bypass via Session-File CRLF Injection (vKEV)
  • ๐Ÿ”ฅ [CVE-2026-33017] - Langflow < 1.9.0 Remote Code Execution (vKEV)
  • ๐Ÿ”ฅ [CVE-2026-27174] - MajorDoMo Unauthenticated RCE (vKEV)
  • ๐Ÿ”ฅ [CVE-2026-24423] - SmarterMail Remote Code Execution (vKEV)
  • ๐Ÿ”ฅ [CVE-2026-33032] - Nginx UI Broken Access Control (vKEV)
  • ๐Ÿ”ฅ [CVE-2026-33626] - LMDeploy Server-Side Request Forgery (vKEV)
  • ๐Ÿ”ฅ [CVE-2026-3844] - Breeze <= 2.4.4 Arbitrary File Upload (vKEV)
  • ๐Ÿ”ฅ [CVE-2025-13390] - WP Directory Kit <= 1.4.4 Authentication Bypass (vKEV)
  • ๐Ÿ”ฅ [CVE-2026-21643] - Fortinet FortiClientEMS 7.4.4 SQL Injection (vKEV)
  • ๐Ÿ”ฅ [CVE-2026-35616] - FortiClient EMS Authentication Bypass (vKEV)

Critical RCEs, auth bypasses, and high-impact bugs:

  • ๐Ÿ”ฅ [CVE-2026-39808] - Fortinet FortiSandbox Command Injection
  • ๐Ÿ”ฅ [CVE-2026-33439] - OpenAM <= 16.0.5 Pre-Auth RCE via jato.clientSession Deserialization
  • ๐Ÿ”ฅ [CVE-2026-41179] - Rclone RC Command Injection
  • ๐Ÿ”ฅ [CVE-2026-41176] - Rclone RC Broken Access Control
  • ๐Ÿ”ฅ [CVE-2026-40466] - Apache ActiveMQ RCE via HTTP Discovery Transport Bypass
  • ๐Ÿ”ฅ [CVE-2026-34197] - Apache ActiveMQ Remote Code Execution
  • ๐Ÿ”ฅ [CVE-2026-34156] - NocoBase VM Sandbox Escape to RCE
  • ๐Ÿ”ฅ [CVE-2026-39987] - Marimo <= 0.20.4 Pre-Auth Terminal WebSocket RCE
  • ๐Ÿ”ฅ [CVE-2026-20079] - Cisco Secure Firewall Management Center Authentication Bypass
  • ๐Ÿ”ฅ [CVE-2026-2699] - Progress ShareFile Storage Zones Authentication Bypass
  • ๐Ÿ”ฅ [CVE-2026-4631] - Cockpit Web Console < 360 Remote Code Execution
  • ๐Ÿ”ฅ [CVE-2025-59528] - Flowise Remote Code Execution
  • ๐Ÿ”ฅ [CVE-2026-26980] - Ghost CMS Content API SQL Injection
  • ๐Ÿ”ฅ [CVE-2026-4257] - WordPress Contact Form by Supsystic SSTI
  • ๐Ÿ”ฅ [CVE-2026-33340] - LoLLMs WEBUI Server-Side Request Forgery
  • ๐Ÿ”ฅ [CVE-2025-67303] - ComfyUI-Manager < 3.38 Configuration Overwrite
  • ๐Ÿ”ฅ [CVE-2024-38819] - Spring Framework Path Traversal in Functional Web Frameworks
  • ๐Ÿ”ฅ [CVE-2025-64500] - Symfony HttpFoundation Access Control Bypass via PATH_INFO
  • ๐Ÿ”ฅ [CVE-2026-35029] - LiteLLM Arbitrary File Read
  • ๐Ÿ”ฅ [CVE-2026-39363] - Vite Dev Server Arbitrary File Read
  • ๐Ÿ”ฅ [CVE-2026-39364] - Vite Dev Server Directory Traversal
  • ๐Ÿ”ฅ [CVE-2026-30824] - Flowise NVIDIA NIM Endpoints Missing Authentication
  • ๐Ÿ”ฅ [CVE-2026-28414] - Gradio Absolute Path Traversal
  • ๐Ÿ”ฅ [CVE-2026-4020] - Gravity SMTP WordPress Plugin Sensitive Information Exposure (vKEV)
  • ๐Ÿ”ฅ [CVE-2026-3584] - WordPress Kali Forms <= 2.4.9 Remote Code Execution (vKEV)

๐Ÿค– AI/LLM Attack Surface Expansion

April leaned hard into modern ML/agentic infrastructure. New coverage includes:

  • Vulnerability templates - Marimo (RCE, proxy abuse), Flowise (RCE + missing auth on NVIDIA NIM endpoints), NocoBase (sandbox escape, SQLi), LoLLMs WEBUI (SSRF), ComfyUI-Manager (config overwrite), Langflow (RCE), LiteLLM (file read), LMDeploy (SSRF), Mesop AI Sandbox (RCE), AstrBot (command injection), Gradio (path traversal), AnythingLLM (username enumeration)
  • Panel detection - AgentGPT, AnythingLLM, AstrBot, ClearML, CVAT, Easy Diffusion, Flowise, H2O Wave, KoboldAI, OpenHands, SillyTavern, SuperAGI, Langflow, llama.cpp, Marqo, Stable Diffusion WebUI, Weights & Biases, Xinference, ChromaDB, Chainlit
  • Configuration & exposure - ChromaDB unauthenticated API exposure, Browserless API Swagger detection, Apache Casbin MCP Gateway default login

๐Ÿ” Other Coverage Expansions

  • Default-login templates - Apache Sling, AstrBot, Checkmk, FreePBX, Graylog, Grocy, Mirth Connect, NetBox, Owncast, Apache Superset, RabbitMQ AMQP, Apache Casbin MCP Gateway, Avaya phones
  • Installer exposure - 3CX, AzuraCast, FreeScout, Icinga Web 2, Leantime, ModX, Revive Adserver, Chatwoot, Krayin CMS, Filestash, ChromaDB
  • Unauthenticated access - Argo Workflows, Node-RED, PhotoPrism, Piwik/Matomo, SABnzbd, DbGate, Heimdall, Download Monitor log export, Apache SkyWalking dashboard
  • Blockchain RPC exposure - debug trace methods and txpool_content exposure detection
  • Perforce coverage - detection, info disclosure, user enumeration, passwordless accounts, unauthenticated remote depot access
  • Misconfiguration & exposure - default admin account detection, Office macros not restricted, Windows auto-updates disabled, weak HSTS, Prisma database schema exposure, Weglot API key exposure, Supabase Studio exposure

๐Ÿ› ๏ธ Bug Fixes and Enhancements

Across both releases, the team tightened detection logic, eliminated noisy templates, and fixed a long list of metadata issues. Every change below is sourced directly from the v10.4.2 and v10.4.3 release notes.

Bug Fixes

  • Moved CVE-2026-23829 template from incorrect http folder to the network folder (Issue #15633, PR #15738)
  • Fixed CVE-ID mismatches in template metadata (PR #15850)
  • Fixed invalid CPE formats across multiple HTTP templates (PR #15751)
  • Fixed tag formatting in CVE-2023-38875, CVE-2025-11307, CVE-2023-24322, and CVE-2025-4210 templates (PRs #15897, #15898, #15899, #15900)
  • Updated CVE-2023-6825 template to correct detection logic (PR #15877)
  • Corrected template author attribution from PentesterTN to 0xBassia (PR #15827)
  • CI: migrated Nuclei GitHub Action to native Node.js runtime (PR #16061, PR #16049)
  • Removed duplicate template for BeyondTrust (PR #16024)
  • Removed duplicate matcher line in roundcube-log-disclosure.yaml (PR #16042)
  • Corrected invalid cve-id classification field values across templates (PR #16023)
  • Fixed invalid CPE format strings across templates (PR #15991, PR #15828)
  • Fixed tag formatting in CVE-2024-57727, CVE-2023-38875, CVE-2023-24322 (PR #15989, PR #15897, PR #15899)
  • Corrected YAML formatting in Retool postMessage XSS template (PR #15952)
  • Fixed file path for CVE-2026-2262 (PR #15998)
  • Renamed joomla-htaccess.yaml โ†’ joomla-htaccess-file.yaml for clarity (PR #15987)
  • Renamed contrastapi-domain-recon.yaml to correct directory (PR #16025)
  • Renamed and updated superset-default-login.yaml (PR #15822)
  • Release preparation for Nuclei Templates v10.4.2 (PR #15920)

False Negatives Fixed

  • CVE-2024-8529 (LearnPress SQLi) - body matchers were unreliable for blind SQLi responses; a randstr bypass was added to defeat DB query cache (Issue #15768, PR #15844)
  • tomcat-default-login - fixed FN by ordering payloads to avoid LockOutRealm shunning (PR #16053, Issue #15382)

False Positives Reduced

  • credentials-disclosure - reduced extremely high false positives caused by over-permissive [\w-]+ value regex with no minimum length enforcement, which was flagging short UI strings like "ClientSecret":"Client" as credential leaks (Issue #15563, PR #15845)
  • Apache ActiveMQ Artemis Console Default Login - tightened matcher to require a valid JSON login response with the expected artemis username (Issue #15762, PR #15861)
  • molgenis-default-login - resolved false positives triggered by JSESSIONID cookies on custom 404 pages (Issue #12603)
  • Subdomain takeover templates - removed false-positive detection templates for Netlify, Shopify, Azure Azurewebsites, Cloudapp, and Trafficmanager (no longer vulnerable due to enforced TXT verification, deprecation, or namespace claim blocking) (PR #15724)
  • webpack-config - fixed false positive triggered by SPA catch-all routing (PR #15869)
  • CVE-2022-3254 - improved matchers to reduce false positives on HTML error responses (PR #15840)
  • CVE-2024-52762 - fixed false positives (PR #15833)
  • CVE-2025-49113 - fixed false positives (PR #15777)
  • ingress-nginx-valid-admission.yaml - added 200-status guard for verbose-debug PHP frameworks (PR #16046, Issue #14248)
  • CVE-2024-2473 - verify hidden login URL disclosure to avoid FP on WPS Hide Login (PR #15985, Issue #15871)
  • CVE-2019-5544 - fixed FP triggered when port 427 is closed (PR #15979, Issue #15098)
  • CVE-2023-45648 - bound Tomcat version regex to reduce FPs (PR #15459, Issue #15566)
  • ldap-anonymous-login-detect.yaml - honors the Port parameter instead of forcing 389 (PR #15430, Issue #14736)
  • sentry-panel - added title check to prevent FPs (PR #15984)

Enhancements

  • Refactored matchers in CVE-2024-42009 for improved detection accuracy (PR #15835)
  • Added and normalized CWE metadata across HTTP templates (PR #15804)
  • Added additional EOL version entries to end-of-life detection templates (PR #15891)
  • Updated CVE-2025-30208 detection coverage (PR #15784)
  • Added Microsoft domain to mx-service-detector (PR #16030)
  • Added registrar extractors to rdap-whois template (PR #15908)
  • Added references to CVE-2020-15718 (PR #16058)
  • Updated mitel-version-detect.yaml (PR #15839)
  • Linked CVE-2021-31589 to existing beyond-trust-xss.yaml (Issue #15273)

๐ŸŽ‰ Community Spotlight

This cycle welcomed 27 first-time contributors representing diverse security researchers contributing detection improvements and new template coverage:

Your pull requests, bug reports, and fresh ideas are making open-source security stronger every single day. Thank you and keep them coming! ๐Ÿš€

Stay Connected

Stay in the loop with the latest Nuclei developments:

Let's keep pushing the boundaries of open-source security together!