Description
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0.
Published: 2026-05-08
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in Nuclei's expression evaluation engine, which processes HTTP response data containing helper function syntax when multi-step templates are used. A malicious server can embed a supported DSL expression within the response, causing the scanner to evaluate and execute that expression. This can lead to execution of attacker-supplied DSL expressions inside Nuclei and, if the -env-vars (-ev) option is enabled, the disclosure of the host machine's environment variables. The impact is therefore both information disclosure and potential manipulation of the scanning environment.

Affected Systems

ProjectDiscovery Nuclei vulnerability scanner, versions 3.0.0 through 3.7.x. The issue is fixed in 3.8.0. Environment variable disclosure occurs only when the -env-vars / -ev option is enabled, which is off by default; however, the expression execution path exists regardless of that flag.

Risk and Exploitability

CVSS score 5.3 indicates moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no current widespread exploitation. The attack vector requires an attacker to control the target server and craft a response that includes a malicious DSL expression that Nuclei will process while scanning. Because the attack depends on a specific scanning configuration and a controlled response, the likelihood of exploitation is moderate but not negligible.

Generated by OpenCVE AI on May 8, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nuclei to version 3.8.0 or later where the expression engine is fixed.
  • If an upgrade is not possible, run scans with the -env-vars / -ev option disabled or remove it from the configuration, preventing environment variable disclosure and reducing execution risk.
  • Isolate the scanning tool from untrusted network segments or run it inside a sandboxed environment to limit the impact of any accidental expression execution.


Advisories
Source | ID | Title
Github GHSA | GHSA-jm34-66cf-qpvr | Nuclei: Environment variable disclosure via Response-Derived DSL Expressions
History

Fri, 08 May 2026 05:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Projectdiscovery; Projectdiscovery nuclei
Vendors & Products | | Projectdiscovery; Projectdiscovery nuclei

Fri, 08 May 2026 04:00:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | Nuclei: Environment variable disclosure via Response-Derived DSL Expressions
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:17:19.302Z

Reserved: 2026-04-21T23:58:43.802Z

Link: CVE-2026-41645

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T04:16:18.177

Modified: 2026-05-08T04:16:18.177

Link: CVE-2026-41645

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z
