Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-41646
5.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
Nuclei: Local File Read via require() Module Loader Bypass
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0.
References
Affected products
nuclei
- ==>= 3.0.0, < 3.8.0
Matching in nixpkgs
pkgs.nuclei
Tool for configurable targeted scanning
pkgs.nucleiparser
Nuclei output parser for CLI
Package maintainers
-
@Misaka13514 Rine Amakawa <Misaka13514@gmail.com>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>