CVE-2026-41282 is a code injection vulnerability in ProjectDiscovery Nuclei versions prior to 3.8.0. It arises from improper control over the generation of code via DSL expression injection when using the -env-vars option in multi-step templates against untrusted targets. This vulnerability requires specific non-default configurations to be exploitable and has a CVSS v3.1 base score of 4.0, reflecting medium severity. No official fix or patch is currently documented, and the product is not a cloud service, so remediation depends on vendor updates.

The vulnerability allows injection of DSL expressions, potentially leading to unintended code execution within the Nuclei scanning environment. The impact is limited to confidentiality loss (partial) without integrity or availability impacts, as indicated by the CVSS vector. Exploitation requires network access with high attack complexity and no privileges or user interaction, but the vulnerability is conditional on non-default usage of -env-vars with untrusted input. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid using the -env-vars option in multi-step templates against untrusted targets. Restrict usage to trusted inputs only to mitigate the risk of DSL expression injection. Monitor ProjectDiscovery communications for updates regarding patches or official mitigations.