What is CVE-2026-41645?

CVE-2026-41645 is a medium-severity vulnerability in Projectdiscovery Nuclei, classified under Code Injection. CVSS score: 5.3/10. Published 2026-05-08.

How severe is CVE-2026-41645?

Medium severity. CVSS v3 base score is 5.3 out of 10.

RCE in Projectdiscovery Nuclei

CVE-2026-41645

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.000 (12.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N.

Affected products

Projectdiscovery Nuclei — versions >= 3.0.0, < 3.8.0

Weakness classification (CWE)

CWE-94 — Code Injection

References

https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr (x_refsource_CONFIRM, Patch, Mitigation, Vendor Advisory)
https://github.com/projectdiscovery/nuclei/pull/7221 (Patch, x_refsource_MISC, Issue Tracking)
https://github.com/projectdiscovery/nuclei/pull/7321 (Patch, x_refsource_MISC, Issue Tracking)
https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb (Patch, x_refsource_MISC)
https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3 (Patch, x_refsource_MISC)
https://github.com/projectdiscovery/nuclei/releases/tag/v3.8.0 (Product, x_refsource_MISC, Release Notes)

Frequently asked questions

What is CVE-2026-41645?: CVE-2026-41645 is a medium-severity vulnerability in Projectdiscovery Nuclei, classified under Code Injection. CVSS score: 5.3/10. Published 2026-05-08.
How severe is CVE-2026-41645?: Medium severity. CVSS v3 base score is 5.3 out of 10.