Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
6DescriptionCVE.org
ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration).
AnalysisAI
DSL expression injection in ProjectDiscovery Nuclei before 3.8.0 allows remote code execution when using the -env-vars flag with multi-step templates against untrusted targets. An attacker can inject malicious expressions into environment variables that are evaluated as Nuclei DSL code, achieving arbitrary code execution with the privileges of the Nuclei process. This vulnerability requires non-default configuration (explicit -env-vars usage) and high attack complexity, limiting real-world impact despite the RCE tag.
Technical ContextAI
Nuclei is a template-based vulnerability scanning framework written in Go that uses a custom domain-specific language (DSL) for expressing multi-step exploitation logic. The vulnerability resides in the DSL expression parser (CWE-94: Improper Control of Generation of Code), which evaluates environment variables passed via the -env-vars flag without sufficient sanitization. When these variables are interpolated into multi-step template expressions, an attacker controlling the target's responses can craft payloads that break out of the intended variable context and inject arbitrary DSL expressions. The affected CPE range is cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:*:*:* (all versions before 3.8.0). The root cause is unsafe string interpolation of untrusted data (target responses) combined with dynamic code evaluation, a classic code injection pattern.
RemediationAI
Upgrade ProjectDiscovery Nuclei to version 3.8.0 or later, which includes fixes for DSL expression injection applied via commits d2217320162d5782ca7cb95bef9dda17063818f3 and 6c803c74d193f85f8a6d9803ce493fd302cad0eb referenced in GitHub pull requests #7221 and #7321. The vendor-released patch address the root cause by implementing proper input validation and expression sanitization. As an interim mitigation for organizations unable to immediately upgrade, restrict use of the -env-vars flag to trusted scanning contexts and avoid running multi-step templates against untrusted or potentially compromised targets. If -env-vars must be used, implement input validation at the template level to reject or sanitize suspicious variable values. Additionally, run Nuclei with minimal required privileges and isolate the scanning process in a restricted environment (container, VM, or dedicated low-privilege account) to limit impact of code execution. Monitor Nuclei process execution for unexpected system calls or network activity. These mitigations reduce blast radius but do not eliminate risk - upgrading to 3.8.0+ is the primary fix.
Nuclei is a vulnerability scanner powered by YAML based templates. Rated high severity (CVSS 7.8), this vulnerability is
Nuclei is a vulnerability scanner. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authen
projectdiscovery/nuclei is a fast and customisable vulnerability scanner based on simple YAML based DSL. Rated high seve
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23795