File Access Vulnerability in Nuclei Vulnerability Scanner by Project Discovery
CVE-2026-41646

5.5 MEDIUM

Key Information:

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-41646?

A local file access bypass exists in the JavaScript protocol runtime of the Nuclei scanner: a malicious JavaScript template can access local .js and .json files via the require() function, defeating the intended restrictions on local file access. Versions 3.0.0 through 3.7.0 are affected. Users are encouraged to upgrade to version 3.8.0, where the issue is patched.

Affected Version(s)

nuclei >= 3.0.0, < 3.8.0
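
A triage sketch for the issue described above, added here as an example and not code from Project Discovery or from this advisory: it checks a version string against the affected range and lists require() calls in a template that point at local files. The sample template, its paths and the rule that bundled modules are imported as "nuclei/<name>" are assumptions of this example.

```python
import re

# Affected range as stated on this page: nuclei >= 3.0.0, < 3.8.0
AFFECTED_MIN, FIXED = (3, 0, 0), (3, 8, 0)
REQUIRE_RE = re.compile(r"""require\(\s*(['"])(.+?)\1\s*\)""")

def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'v3.7.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """True when the version falls inside the range listed on this page."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED

def suspicious_requires(template_text):
    """Return (line_no, argument) for require() calls that look like local files.

    Assumption: bundled runtime modules are imported as 'nuclei/<name>', so any
    other argument that is path-like or ends in .js/.json deserves review.
    """
    hits = []
    for no, line in enumerate(template_text.splitlines(), 1):
        for _, arg in REQUIRE_RE.findall(line):
            if arg.startswith("nuclei/"):
                continue
            path_like = (arg.startswith(("/", "./", "../", "~"))
                         or re.match(r"[A-Za-z]:[\\/]", arg))
            if path_like or arg.lower().endswith((".js", ".json")):
                hits.append((no, arg))
    return hits

# Constructed sample template (not a real template from any repository).
SAMPLE = '''id: constructed-sample
javascript:
  - code: |
      const ssh = require("nuclei/ssh");
      const cfg = require("./local-settings.json");
      const lib = require('/opt/app/helper.js');
'''

if __name__ == "__main__":
    print("3.7.0 affected:", is_affected("v3.7.0"))
    for no, arg in suspicious_requires(SAMPLE):
        print(f"line {no}: require({arg!r})")
```

Run it over third-party templates before loading them into a scanner that is still inside the affected range; a hit is a prompt for manual review, not proof of malicious intent.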

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
