Skip to main content

Nuclei EUVDEUVD-2026-23795

| CVE-2026-41282 MEDIUM
Code Injection (CWE-94)
2026-04-20 mitre
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 23, 2026 - 15:25 nvd
Patch available
Patch available
Apr 20, 2026 - 09:01 EUVD
Analysis Generated
Apr 20, 2026 - 07:55 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 07:45 euvd
EUVD-2026-23795
Analysis Generated
Apr 20, 2026 - 07:45 vuln.today
CVE Published
Apr 20, 2026 - 07:10 nvd
MEDIUM 4.0

DescriptionCVE.org

ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration).

AnalysisAI

DSL expression injection in ProjectDiscovery Nuclei before 3.8.0 allows remote code execution when using the -env-vars flag with multi-step templates against untrusted targets. An attacker can inject malicious expressions into environment variables that are evaluated as Nuclei DSL code, achieving arbitrary code execution with the privileges of the Nuclei process. This vulnerability requires non-default configuration (explicit -env-vars usage) and high attack complexity, limiting real-world impact despite the RCE tag.

Technical ContextAI

Nuclei is a template-based vulnerability scanning framework written in Go that uses a custom domain-specific language (DSL) for expressing multi-step exploitation logic. The vulnerability resides in the DSL expression parser (CWE-94: Improper Control of Generation of Code), which evaluates environment variables passed via the -env-vars flag without sufficient sanitization. When these variables are interpolated into multi-step template expressions, an attacker controlling the target's responses can craft payloads that break out of the intended variable context and inject arbitrary DSL expressions. The affected CPE range is cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:*:*:* (all versions before 3.8.0). The root cause is unsafe string interpolation of untrusted data (target responses) combined with dynamic code evaluation, a classic code injection pattern.

RemediationAI

Upgrade ProjectDiscovery Nuclei to version 3.8.0 or later, which includes fixes for DSL expression injection applied via commits d2217320162d5782ca7cb95bef9dda17063818f3 and 6c803c74d193f85f8a6d9803ce493fd302cad0eb referenced in GitHub pull requests #7221 and #7321. The vendor-released patch address the root cause by implementing proper input validation and expression sanitization. As an interim mitigation for organizations unable to immediately upgrade, restrict use of the -env-vars flag to trusted scanning contexts and avoid running multi-step templates against untrusted or potentially compromised targets. If -env-vars must be used, implement input validation at the template level to reject or sanitize suspicious variable values. Additionally, run Nuclei with minimal required privileges and isolate the scanning process in a restricted environment (container, VM, or dedicated low-privilege account) to limit impact of code execution. Monitor Nuclei process execution for unexpected system calls or network activity. These mitigations reduce blast radius but do not eliminate risk - upgrading to 3.8.0+ is the primary fix.

Share

EUVD-2026-23795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy