Cyber Posture

CVE-2026-41282

Severity: Medium
Published: 20 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: Nuclei 3.8.0 or later
CVSS Score: 4.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N)
EPSS Score: 0.0006 (18.8th percentile)
Risk Priority: 8 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41282 is a medium-severity Code Injection (CWE-94) vulnerability in ProjectDiscovery Nuclei. Its CVSS base score is 4.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 18.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique, Command and Scripting Interpreter (T1059). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the DSL expression injection by requiring timely remediation of the known flaw through patching to Nuclei 3.8.0 or later.

Prevent: Prevents code injection attacks like this DSL expression vulnerability by enforcing validation of untrusted inputs from scanned targets.

Prevent: Mitigates risk by restricting or prohibiting use of the vulnerable -env-vars option for multi-step templates against untrusted targets.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

DSL expression injection (CWE-94) in the Nuclei client, when scanning untrusted targets with -env-vars, enables code injection leading to execution on the host running the scanner. This maps directly to client-side exploitation (T1203) and to command/script interpreter usage (T1059).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

ProjectDiscovery Nuclei 3 before 3.8.0 allows DSL expression injection. This affects use of -env-vars for multi-step templates against untrusted targets (not the default configuration).

Deeper analysis

CVE-2026-41282 is a DSL expression injection vulnerability (CWE-94) in ProjectDiscovery Nuclei versions 3 before 3.8.0. The issue arises in configurations using the -env-vars option for multi-step templates when scanning untrusted targets, which is not the default setup. Published on 2026-04-20, it carries a CVSS v3.1 base score of 4.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N), indicating medium severity with network accessibility, high attack complexity, no privileges or user interaction required, changed scope, and low confidentiality impact.

Attackers can exploit this over the network without authentication by serving malicious content from an untrusted target to a Nuclei instance that runs multi-step templates with -env-vars against that target. Exploitation injects attacker-controlled DSL expressions into the scanner, and the scored impact is limited disclosure of confidential information from the scanning host (scope changed, confidentiality low).

ProjectDiscovery has addressed the vulnerability in Nuclei 3.8.0 through patches in GitHub commits 6c803c74d193f85f8a6d9803ce493fd302cad0eb and d2217320162d5782ca7cb95bef9dda17063818f3, as well as pull requests 7221 and 7321. Security practitioners should upgrade to version 3.8.0 or later and avoid using -env-vars against untrusted targets. Additional details are in the advisory at https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr.

Details

CWE(s)

CWE-94 (Improper Control of Generation of Code, "Code Injection")

Affected Products

projectdiscovery nuclei, versions 3.0.0 up to but excluding 3.8.0 (fixed in 3.8.0)

CVEs Like This One

CVE-2026-34060 (shared CWE-94)
CVE-2025-70364 (shared CWE-94)
CVE-2026-0500 (shared CWE-94)
CVE-2026-21853 (shared CWE-94)
CVE-2026-30306 (shared CWE-94)
CVE-2024-56448 (shared CWE-94)
CVE-2025-25467 (shared CWE-94)
CVE-2025-27678 (shared CWE-94)
CVE-2024-57061 (shared CWE-94)
CVE-2025-22906 (shared CWE-94)
