CVE-2026-41282 Overview
CVE-2026-41282 is a DSL expression injection vulnerability affecting ProjectDiscovery Nuclei 3 before version 3.8.0. This Code Injection flaw allows attackers to inject malicious DSL expressions when the -env-vars flag is used with multi-step templates targeting untrusted hosts. While this is not the default configuration, organizations using Nuclei for security scanning against potentially malicious targets could be at risk of information disclosure.
Critical Impact
Attackers can exploit this vulnerability to inject DSL expressions that may lead to unauthorized disclosure of sensitive information from the scanning environment, including environment variables and system data.
Affected Products
- ProjectDiscovery Nuclei versions prior to 3.8.0
- Nuclei installations using -env-vars flag with multi-step templates
- Go-based Nuclei deployments (as identified by CPE: cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:go:*:*)
Discovery Timeline
- April 20, 2026 - CVE-2026-41282 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41282
Vulnerability Analysis
This vulnerability stems from insufficient input validation in Nuclei's DSL (Domain Specific Language) expression handling. When users enable the -env-vars flag to expose environment variables within templates, the DSL expression parser fails to properly sanitize or restrict expressions derived from untrusted target responses. This creates an injection vector where a malicious target can craft responses that, when processed by Nuclei's template engine, execute arbitrary DSL expressions.
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code), indicating that the application does not properly neutralize or incorrectly neutralizes code syntax in user-controllable input before executing it as part of dynamically generated code.
Root Cause
The root cause lies in the DSL expression evaluation logic within Nuclei's multi-step template processing. When environment variables are exposed via the -env-vars flag, the template engine processes response data that may contain attacker-controlled content. The DSL parser does not adequately validate or escape this content before evaluation, allowing malicious expressions to be interpreted and executed within the scanning context.
Attack Vector
The attack requires a specific configuration where the victim is running Nuclei with the -env-vars flag enabled and using multi-step templates against untrusted targets. An attacker controlling a malicious target can craft HTTP responses containing DSL expression payloads. When Nuclei processes these responses through its template engine, the injected expressions are evaluated, potentially exposing environment variables or other sensitive data from the scanning system.
The network-based attack vector requires no authentication or user interaction, making it particularly concerning for automated scanning pipelines that may inadvertently scan malicious infrastructure.
Detection Methods for CVE-2026-41282
Indicators of Compromise
- Unexpected or anomalous data in Nuclei scan output suggesting environment variable leakage
- HTTP responses from scanned targets containing DSL expression syntax (e.g., {{, }}, DSL function calls)
- Unusual outbound network connections from systems running Nuclei scans
- Log entries indicating errors or unexpected behavior in DSL expression evaluation
Detection Strategies
- Review Nuclei scan configurations for use of the -env-vars flag, especially when scanning untrusted targets
- Implement network monitoring to detect anomalous data exfiltration from scanning infrastructure
- Audit Nuclei template files for multi-step templates that may be vulnerable to response injection
- Deploy endpoint detection to monitor for unusual process behavior during Nuclei execution
Monitoring Recommendations
- Enable verbose logging for Nuclei operations to capture template processing details
- Monitor environment variable access patterns on systems running vulnerability scans
- Implement alerting for Nuclei processes making unexpected network connections
- Review scan results for signs of data injection or manipulation
How to Mitigate CVE-2026-41282
Immediate Actions Required
- Upgrade ProjectDiscovery Nuclei to version 3.8.0 or later immediately
- Audit current Nuclei configurations and disable the -env-vars flag when scanning untrusted targets
- Review and restrict environment variables accessible to Nuclei scanning processes
- Implement network segmentation to isolate scanning infrastructure from sensitive systems
Patch Information
ProjectDiscovery has addressed this vulnerability in Nuclei version 3.8.0. The fix is documented in the following commits and pull requests:
For complete details, refer to the GitHub Security Advisory GHSA-jm34-66cf-qpvr.
Workarounds
- Avoid using the -env-vars flag when scanning untrusted or unknown targets
- Run Nuclei in isolated environments with minimal environment variables configured
- Use container-based deployment with restricted environment variable exposure
- Implement strict input validation on any data processed from scan targets before template evaluation
# Verify Nuclei version and upgrade if necessary
nuclei -version
# Upgrade to patched version
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@v3.8.0
# Alternative: Run Nuclei without env-vars flag for untrusted targets
nuclei -t templates/ -u https://target.com
# Avoid: nuclei -env-vars -t multi-step-template.yaml -u https://untrusted-target.com
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
