{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-41282", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-20T07:10:29.549Z", "datePublished": "2026-04-20T07:10:30.246Z", "dateUpdated": "2026-04-21T00:59:19.998Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Nuclei", "vendor": "ProjectDiscovery", "versions": [{"lessThan": "3.8.0", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T00:59:19.998Z"}, "references": [{"url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr"}, {"url": "https://github.com/projectdiscovery/nuclei/pull/7221"}, {"url": "https://github.com/projectdiscovery/nuclei/pull/7321"}, {"url": "https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3"}, {"url": "https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"references": [{"url": "https://github.com/projectdiscovery/nuclei/pull/7221", "tags": ["exploit"]}, {"url": "https://github.com/projectdiscovery/nuclei/pull/7321", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:47:04.424961Z", "id": "CVE-2026-41282", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:47:11.102Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41282", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:47:04.424961Z"}}}], "references": [{"url": "https://github.com/projectdiscovery/nuclei/pull/7221", "tags": ["exploit"]}, {"url": "https://github.com/projectdiscovery/nuclei/pull/7321", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:46:59.795Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ProjectDiscovery", "product": "Nuclei", "versions": [{"status": "affected", "version": "3.0.0", "lessThan": "3.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr"}, {"url": "https://github.com/projectdiscovery/nuclei/pull/7221"}, {"url": "https://github.com/projectdiscovery/nuclei/pull/7321"}, {"url": "https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3"}, {"url": "https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T00:59:19.998Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41282", "state": "PUBLISHED", "dateUpdated": "2026-04-21T00:59:19.998Z", "dateReserved": "2026-04-20T07:10:29.549Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T07:10:30.246Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:go:*:*", "matchCriteriaId": "9E442141-1965-481A-BE82-B6DC11B58EAC", "versionEndExcluding": "3.8.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration)."}], "id": "CVE-2026-41282", "lastModified": "2026-04-23T15:25:04.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-20T08:16:10.140", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/projectdiscovery/nuclei/pull/7221"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/projectdiscovery/nuclei/pull/7321"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking"], "url": "https://github.com/projectdiscovery/nuclei/pull/7221"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking"], "url": "https://github.com/projectdiscovery/nuclei/pull/7321"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Nuclei", "source": "cna", "vendor": "ProjectDiscovery"}, "product": "nuclei", "vendor": "projectdiscovery"}], "analysis": {"en": {"generated_at": "2026-04-20T08:50:44.410584+00:00", "value": {"mitigation_remediation": ["Upgrade ProjectDiscovery Nuclei to version 3.8.0 or later", "Disable the -env-vars flag when executing multi\u2011step templates unless it is absolutely required", "Validate that all templates and any untrusted input used with -env-vars come from trusted sources and have been reviewed for malicious payloads"], "summary": {"action": "Apply Patch", "impact": "Expression Injection Allows Unintended Execution"}, "threat_synthesis": {"affected_systems": "The flaw impacts all deployments of ProjectDiscovery Nuclei initialized with the -env-vars flag for any multi\u2011step template. Versions 3.0 through 3.7.9 are affected, while 3.8.0 and later contain a fix. The issue is not limited by default configuration and arises only when templates target untrusted services.", "description_and_impact": "The vulnerability in ProjectDiscovery Nuclei 3 versions before 3.8.0 permits an attacker to inject arbitrary expressions into the tool\u2019s Domain Specific Language (DSL). When the -env-vars option is used with multi\u2011step templates that reference untrusted targets, the injected expression can be evaluated, potentially leading to unintended execution of code or other malicious effects. This flaw is classified as a CWE\u201194 expression injection.", "risk_and_exploitability": "The CVSS score of 4 indicates a low to moderate severity, and the lack of an EPSS listing suggests a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a malicious template and configure the -env-vars setting against an untrusted target; therefore the risk is most relevant to users who run custom Nuclei jobs from untrusted sources. Prompt patching reduces the risk surface significantly."}}}}, "created": "2026-04-20T09:00:03.006585+00:00", "title": "Nuclei 3 Expression Injection via -env-vars", "updated": "2026-04-20T09:30:03.176456+00:00", "vendors": ["projectdiscovery", "projectdiscovery$PRODUCT$nuclei"]}