Description
ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration).
Published: 2026-04-20
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Expression Injection Allows Unintended Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability in ProjectDiscovery Nuclei 3 versions before 3.8.0 permits an attacker to inject arbitrary expressions into the tool’s Domain Specific Language (DSL). When the -env-vars option is used with multi‑step templates that reference untrusted targets, the injected expression can be evaluated, potentially leading to unintended execution of code or other malicious effects. This flaw is classified as a CWE‑94 expression injection.

Affected Systems

The flaw impacts all deployments of ProjectDiscovery Nuclei initialized with the -env-vars flag for any multi‑step template. Versions 3.0 through 3.7.9 are affected, while 3.8.0 and later contain a fix. The issue is not limited by default configuration and arises only when templates target untrusted services.

Risk and Exploitability

The CVSS score of 4 indicates a low to moderate severity, and the lack of an EPSS listing suggests a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a malicious template and configure the -env-vars setting against an untrusted target; therefore the risk is most relevant to users who run custom Nuclei jobs from untrusted sources. Prompt patching reduces the risk surface significantly.

Generated by OpenCVE AI on April 20, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ProjectDiscovery Nuclei to version 3.8.0 or later
  • Disable the -env-vars flag when executing multi‑step templates unless it is absolutely required
  • Validate that all templates and any untrusted input used with -env-vars come from trusted sources and have been reviewed for malicious payloads

Generated by OpenCVE AI on April 20, 2026 at 08:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Projectdiscovery
Projectdiscovery nuclei
Vendors & Products Projectdiscovery
Projectdiscovery nuclei

Mon, 20 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Title Nuclei 3 Expression Injection via -env-vars

Mon, 20 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Description ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration).
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Projectdiscovery Nuclei
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-20T14:47:11.102Z

Reserved: 2026-04-20T07:10:29.549Z

Link: CVE-2026-41282

cve-icon Vulnrichment

Updated: 2026-04-20T14:46:59.795Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T08:16:10.140

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-41282

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T09:30:03Z

Weaknesses