Description
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the JavaScript protocol runtime of the Nuclei vulnerability scanner allows JavaScript templates to read local .js and .json files via the require() function, bypassing its intended file access restrictions. This local file read can expose sensitive configuration, credential, or source code files that are available on the host where Nuclei runs, potentially leaking confidential information to an attacker who can influence template execution.

Affected Systems

The vulnerability affects projectdiscovery's Nuclei scanner versions from 3.0.0 up to, but not including, 3.8.0. All installations of those releases that rely on the JavaScript protocol runtime are susceptible when templates use require() to load local data files.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate risk, and the vulnerability is not listed in the CISA KEV catalog. The EPSS metric is not available, so the current probability of exploitation cannot be quantified. Based on the description, the attack vector is likely local; an attacker would need to supply or modify a template that runs under the scanner to trigger the file read. While the impact is limited to the scanner's host, exposure of local files can still be significant if the scanner operates in a privileged or otherwise sensitive environment.

Generated by OpenCVE AI on May 8, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nuclei to version 3.8.0 or later, which contains the patch for this issue.
  • Review and audit any custom templates for local require() calls that could unintentionally expose files, and remove or refactor them to prevent local file access.
  • Restrict the filesystem permissions of the directory from which templates are loaded, ensuring the scanner process cannot read sensitive files outside its designated template space.

Generated by OpenCVE AI on May 8, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-29rg-wmcw-hpf4 Nuclei: Local File Read via require() Module Loader Bypass
History

Fri, 08 May 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Projectdiscovery
Projectdiscovery nuclei
Vendors & Products Projectdiscovery
Projectdiscovery nuclei

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0.
Title Nuclei: Local File Read via require() Module Loader Bypass
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Projectdiscovery Nuclei
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:14:49.908Z

Reserved: 2026-04-21T23:58:43.802Z

Link: CVE-2026-41646

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T04:16:18.383

Modified: 2026-05-08T04:16:18.383

Link: CVE-2026-41646

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T07:30:02Z

Weaknesses