CVE-2026-41646
JavaScript Local File Read in Nuclei Scanner
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projectdiscovery | nuclei | From 3.0.0 (inc) to 3.8.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41646 is a vulnerability in Nuclei's JavaScript protocol runtime affecting versions from 3.0.0 up to, but not including, 3.8.0. It allows a JavaScript template to bypass the default local file access restriction by calling require() to read local .js and .json files.
The root cause is that the goja require() implementation uses a default host-filesystem module loader, and that loader does not consult the allow-local-file-access (-lfa) option. A template can therefore read files with a .js or .json extension, such as package.json, credential stores, or cloud configuration files, that the default policy is meant to block.
The vulnerability affects anyone who runs untrusted JavaScript templates, whether via the CLI or via SDK integrations where end users can supply templates. It has been fixed in Nuclei version 3.8.0.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive local files with .js and .json extensions on systems running affected Nuclei versions.
Attackers or untrusted JavaScript templates can read files like package.json, credential stores, or cloud configuration files, potentially exposing confidential information.
The CVSS v3 base score is 5.5 (Medium), indicating a moderate severity with a high confidentiality impact but no impact on integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Nuclei versions from 3.0.0 up to, but not including, 3.8.0, and involves JavaScript templates that call require() to read local .js and .json files, bypassing the local file access restriction.
To determine whether your system is vulnerable, check the installed Nuclei version. Any version in the range 3.0.0 to 3.7.x is potentially affected.
You can run the following command to check the installed Nuclei version:
- nuclei -version
Additionally, review any JavaScript templates in use to see if they utilize the require() function to load local .js or .json files, especially if these templates are untrusted.
No network detection commands are given in the available resources. Exploitation is a local file read inside the Nuclei process, so there is nothing specific to observe on the network unless the template also sends the file contents out; host-level monitoring for unexpected reads of .js or .json files by Nuclei processes (for example with an auditd or EDR file-access rule scoped to the nuclei binary) is the more useful signal.
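The two checks above, the version test and the template review, as an added example that is not part of this page or of the Nuclei project. It parses a `nuclei -version` banner against the affected range and scans a JavaScript-protocol template for require() calls whose argument names a local .js or .json file. The exact banner format and the sample template are constructed for this example and are assumptions, not captured output.

```python
"""Triage helpers for CVE-2026-41646 (added example, not Nuclei project code).

1. is_affected(): does a `nuclei -version` banner fall in 3.0.0 (inc) .. 3.8.0 (exc)?
2. find_local_requires(): list require() calls in a template whose argument
   looks like a local .js/.json file, so untrusted templates can be reviewed
   before they are run.

The banner format and SAMPLE_TEMPLATE below are constructed for this example.
"""
import re
from typing import List, Tuple

AFFECTED_MIN = (3, 0, 0)   # first affected release (inclusive)
FIXED = (3, 8, 0)          # first fixed release (exclusive upper bound)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull the first x.y.z triple out of a version banner.
    Pre-release suffixes (e.g. 3.7.1-dev) are ignored; treat a 3.8.0 pre-release
    as unconfirmed until you know it contains the fix."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    """True when the installed version is >= 3.0.0 and < 3.8.0."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED


# require("...") / require('...') with a string literal argument.
_REQUIRE_RE = re.compile(r"""require\s*\(\s*(['"])([^'"]+?)\1\s*\)""")
# require(<expression>): the path is computed at run time and cannot be
# resolved statically, so it is flagged for manual review.
_DYNAMIC_REQUIRE_RE = re.compile(r"""require\s*\(\s*[^'"\s)]""")


def find_local_requires(template_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, argument) for every require() whose literal argument
    names a .js or .json file; a non-literal argument is reported as '<dynamic>'."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        for m in _REQUIRE_RE.finditer(line):
            arg = m.group(2)
            if arg.lower().endswith((".js", ".json")):
                hits.append((lineno, arg))
        if _DYNAMIC_REQUIRE_RE.search(line):
            hits.append((lineno, "<dynamic>"))
    return hits


# Constructed sample template: not a real or published Nuclei template.
SAMPLE_TEMPLATE = """\
id: lfa-bypass-review-sample
info:
  name: constructed sample for triage (not a real template)
javascript:
  - code: |
      // a bundled module import: not a local file, not flagged
      const lib = require("nuclei/net");
      // local .json / .js reads that bypass -lfa on affected versions
      const pkg = require("./package.json");
      const creds = require('/home/user/.aws/config.js');
      const dyn = require(pathFromInput);
"""

if __name__ == "__main__":
    for banner in ("Nuclei Engine Version: v3.7.1", "v3.8.0"):
        print(banner, "->", "AFFECTED" if is_affected(banner) else "not affected")
    for lineno, arg in find_local_requires(SAMPLE_TEMPLATE):
        print(f"line {lineno}: require({arg})")
```

Feed the scanner the contents of every template directory your CLI or SDK integration loads from; a `<dynamic>` hit deserves the same scrutiny as a literal local path, because the argument is whatever the template author chooses at run time.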
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Nuclei to version 3.8.0 or later, where this vulnerability has been fixed.
If upgrading immediately is not possible, avoid running untrusted JavaScript templates that could exploit the require() function to read local files.
Do not rely on the allow-local-file-access (-lfa) option as a control on affected versions: the require() loader ignores it, so leaving -lfa disabled does not prevent these reads. Until you upgrade, the only reliable controls are restricting templates to trusted sources and running Nuclei under an account that cannot read sensitive .js or .json files.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized JavaScript templates to read local .js and .json files, potentially exposing sensitive information such as credential stores or cloud configuration files.
Exposure of sensitive files due to improper access control (CWE-284) can lead to confidentiality breaches, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive data.
Users running untrusted JavaScript templates or integrating Nuclei SDK where end-users supply templates are at risk, making it critical to upgrade to version 3.8.0 or avoid untrusted templates to maintain compliance.