Executive Summary

This vulnerability exists in ProjectDiscovery Nuclei versions before 3.8.0 and involves DSL expression injection. It occurs when using the -env-vars option for multi-step templates against untrusted targets, which is not the default configuration.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to injection of malicious DSL expressions when interacting with untrusted targets, potentially allowing an attacker to influence the behavior of the Nuclei scanning process. The CVSS score indicates a low to medium impact with a base score of 4.0, affecting confidentiality but not integrity or availability.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-41282 allows environment variable disclosure via injected DSL expressions when the -env-vars option is enabled against untrusted targets. This can lead to exposure of sensitive information such as API keys, credentials, and tokens from the host environment.

Such exposure of sensitive data can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information. Unauthorized disclosure of environment variables containing secrets or credentials could lead to data breaches or unauthorized access, violating confidentiality requirements.

Therefore, if an organization uses affected versions of Nuclei with the vulnerable configuration (multi-step templates with -env-vars enabled against untrusted targets), it risks non-compliance with data protection regulations due to potential leakage of sensitive environment variables.

Mitigation includes upgrading to Nuclei version 3.8.0 or later, which fixes the issue by preventing execution of response-derived expressions, or disabling the -env-vars option when scanning untrusted targets.

Useful 0 Not Useful 0

Detection Guidance

Detection of CVE-2026-41282 involves identifying whether the Nuclei tool is running a vulnerable version (before 3.8.0) with the `-env-vars` option enabled against untrusted or attacker-controlled targets. Since the vulnerability arises from expression injection via response-derived DSL expressions, monitoring for suspicious template processing or unexpected environment variable disclosures in scan results can be indicative.

Specifically, detection can focus on observing if multi-step templates are used with the `-env-vars` flag enabled, which is off by default. Network or system logs showing unexpected environment variable values or helper function executions (e.g., `{{env_var_name}}` or `{{md5("test")}}`) in responses or template outputs may signal exploitation attempts.

While no explicit commands are provided in the resources, a practical approach includes running Nuclei scans with verbose logging enabled and inspecting logs for evidence of DSL expression injection or environment variable leakage. Additionally, checking the Nuclei version with a command like `nuclei -version` can help confirm if the tool is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Nuclei tool to version 3.8.0 or later, where the vulnerability has been fixed by changing the expression evaluation logic to prevent execution of response-derived expressions.

If immediate upgrade is not possible, users should disable the `-env-vars` (or `-ev`) option when scanning untrusted or attacker-controlled targets, as this option enables environment variable merging that leads to the vulnerability.

These steps prevent the injection and execution of malicious DSL expressions derived from untrusted response data, thereby protecting environment variables and sensitive host information from disclosure.

Useful 0 Not Useful 0