CVE-2026-41646: CWE-284: Improper Access Control in projectdiscovery nuclei
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0.
AI Analysis
Technical Summary
Nuclei, a vulnerability scanner using a YAML-based DSL, has an access control vulnerability (CWE-284) in its JavaScript protocol runtime in versions 3.0.0 to before 3.8.0. This vulnerability permits JavaScript templates to read local JavaScript and JSON files by circumventing the intended local file access restrictions through the require() function. This could lead to unauthorized disclosure of local files. The issue is fixed in version 3.8.0.
Potential Impact
An attacker able to execute JavaScript templates in vulnerable Nuclei versions can read local .js and .json files that should be restricted, potentially exposing sensitive information. The vulnerability does not allow code execution or integrity impact but can lead to confidentiality breaches. Exploitation requires local access and user interaction, limiting the attack scope.
Mitigation Recommendations
Upgrade Nuclei to version 3.8.0 or later, where this vulnerability is patched. Since the vendor advisory confirms the fix in 3.8.0, applying this update fully mitigates the issue. No additional mitigation steps are indicated.
CVE-2026-41646: CWE-284: Improper Access Control in projectdiscovery nuclei
Description
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Nuclei, a vulnerability scanner using a YAML-based DSL, has an access control vulnerability (CWE-284) in its JavaScript protocol runtime in versions 3.0.0 to before 3.8.0. This vulnerability permits JavaScript templates to read local JavaScript and JSON files by circumventing the intended local file access restrictions through the require() function. This could lead to unauthorized disclosure of local files. The issue is fixed in version 3.8.0.
Potential Impact
An attacker able to execute JavaScript templates in vulnerable Nuclei versions can read local .js and .json files that should be restricted, potentially exposing sensitive information. The vulnerability does not allow code execution or integrity impact but can lead to confidentiality breaches. Exploitation requires local access and user interaction, limiting the attack scope.
Mitigation Recommendations
Upgrade Nuclei to version 3.8.0 or later, where this vulnerability is patched. Since the vendor advisory confirms the fix in 3.8.0, applying this update fully mitigates the issue. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-21T23:58:43.802Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fd5dbdcbff5d86108b6447
Added to database: 5/8/2026, 3:51:25 AM
Last enriched: 5/8/2026, 4:07:48 AM
Last updated: 5/9/2026, 3:50:58 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.