Blog
-

4 min read

Nuclei Templates Monthly - May 2025

Nuclei & Templates
Nuclei Templates Monthly - May 2025

Share

Summary of Releases v10.2.1 & v10.2.2

This month, we've released two new versions of Nuclei Templates, which introduce numerous improvements and new templates for Nuclei users.

Here are some highlighted stats from the combined releases:

🎉 106 new templates added
🔥 57 new CVEs covered
🛡️ 10 actively exploited KEVs included
🚀 11 first-time contributions
💰 Template Reward program launched

Introduction

The Nuclei Templates v10.2.1 and v10.2.2 were released earlier this Month, introducing some useful updates for the community. These releases prioritize checks for vulnerabilities flagged as actively exploited in the wild (KEVs), as listed in CISA’s Known Exploited Vulnerabilities, enabling users to address the most urgent security risks promptly.

We’ve also rolled out Template Bounty Program💰, offering community members the opportunity to earn rewards 💸 for contributing impactful templates to the project. It’s a great way to support open-source security and earn recognition for your work.

To help you stay updated on new additions, we’ve launched a Twitter bot: @pdnuclei_bot. It provides real-time notifications for every new template added. You’ll also receive these updates in this Discord channel.

New Templates Added

A total of 106 new templates were added in these two releases, thanks to the efforts of our community and team. These additions help users catch critical weaknesses before attackers can exploit them in the wild. This means faster response times and improved protection for your systems.

New CVEs Added

Out of the new templates added, 57 were new CVEs, ensuring you remain current with the latest security vulnerabilities.
Notably, the release includes coverage for CVE-2025-4427, a remote code execution flaw in Ivanti EPMM, which has been added to CISA’s Known Exploited Vulnerabilities (KEV) list. We’ve also added templates for CVE-2025-34026 and CVE-2025-34027, two authentication bypass issues affecting Versa Concerto, a platform widely deployed in enterprise networks. These CVE templates target vulnerabilities found in popular software products and services, helping users to identify and resolve issues before attackers can exploit them.

Highlighted CVE Templates

Templates marked with 🔥 highlight high-risk vulnerabilities with active exploitation (KEVs). ✅ Templates indicate other critical CVEs added in this release.

KEVs in This Release (🔥)

Other CVEs from v10.2.1 & v10.2.2 (✅)

  • CVE-2025-32432 – CraftCMS - Remote Code Execution
  • CVE-2025-2777 – SysAid On-Prem <= 23.3.40 - XML External Entity
  • CVE-2024-21136 – Oracle Retail Xstore Suite - Pre-auth Path Traversal
  • CVE-2024-7591 – Kemp Load Balancer - Unauth Command Injection
  • CVE-2023-45878 – Gibbon LMS <= v25.0.01 - File Upload to RCE
  • CVE-2022-1711 – draw.io < 18.0.5 - Server Side Request Forgery (SSRF)
  • CVE-2025-47916 – Invision Community <=5.0.6 RCE via Template Injection
  • CVE-2025-34027 – Versa Concerto API Path Based - Authentication Bypass
  • CVE-2025-34026 – Versa Concerto Actuator Endpoint - Authentication Bypass
  • CVE-2025-27007 – OttoKit < 1.0.83 - SureTriggers allows Privilege Escalation
  • CVE-2025-24016 – Wazuh - Unsafe Deserialization Remote Code Execution
  • CVE-2025-4123 – Grafana - XSS / Open Redirect / SSRF via Client Path Traversal
  • CVE-2025-3102 – SureTriggers – All-in-One Automation Platform ≤ 1.0.78 - Authentication Bypass
  • CVE-2025-2011 – Slider & Popup Builder by Depicter <= 3.6.1 - Unauthenticated SQL Injection
  • CVE-2024-11320 – Pandora v7.0NG.777.3 - Remote Code Execution

Bug Fixes and Enhancements

We’ve made several improvements in these releases to ensure templates are accurate, easy to use, and reliable during scans. This includes updating metadata, cleaning up tags, and fixing issues that could cause false positives or negatives.

Bug Fixes

  • Updated affected vBulletin versions in vbulletin-replacead-rce.yaml (Issue #12150)
  • Renamed CVE-2022-31126 to CVE-2022-31137 (Issue #12103)
  • Updated and renamed thinkphp-5022-rce.yaml to CVE-2018-20062.yaml (Issue #12096)
  • Fixed payload for CVE-2019-17444 to avoid false positives (Issue #12050)
  • Fixed template for CVE-2025-32101 (Issue #11933)
  • Corrected false negative in CVE-2020-26948 (Issue #12056)
  • Fixed broken path to reference file causing 404 errors (Issue #11987)
  • Modified regex to accept IPs in location header (Issue #12026)
  • Updated Huawei WAF detection rule for accurate server header (Issue #12022)

False Negatives

  • Addressed pre-authentication RCE vulnerability in CraftCMS 4.x and 5.x (Issue #12020)

False Positives

  • Reduced false positives in Next.js cache poisoning headers (Issue #12000)
  • Fixed false positives in s3-bucket-policy-public-access.yaml (Issue #12085)
  • Reduced false positives in Azure Cloud Templates (Issue #12047)
  • Fixed false positive in CVE-2022-21587 PoC affecting system (Issue #11702)

Enhancements

  • Updated tags for multiple templates (Issue #12157)
  • Updated tags for CVE-2025-34028.yaml (Issue #12156)
  • Moved templates for assigned CVEs (CVE-2025-34026, CVE-2025-34027) (Issue #12138)
  • Added Amazon Elastic Kubernetes Service (EKS) templates (PR #12069)
  • Removed CVE-2022-46463 template (PR #12029)

Community Spotlight

We’d like to give a special thanks to all the first-time contributors for their contributions to the Nuclei Templates project :

Your contributions are greatly appreciated and help strengthen the Nuclei.

Stay Connected

Stay in the loop with the latest Nuclei developments:

Let’s keep pushing the boundaries of open-source security together!