CVE-2026-41646
Last modified
CVE-2026-41646 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. EPSS estimates a 0.11% chance of exploitation in the next 30 days.
Description
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Projectdiscovery | Nuclei | >= 3.0.0, < 3.8.0 |
References
- https://github.com/projectdiscovery/nuclei/pull/7332Issue Tracking, Patch
- https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-29rg-wmcw-hpf4Mitigation, Patch, Vendor Advisory
- https://github.com/projectdiscovery/nuclei/pull/7332Issue Tracking, Patch
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-41646?
How severe is CVE-2026-41646?
How do I fix CVE-2026-41646?
Are you affected by CVE-2026-41646?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST