Compliance Impact

This vulnerability allows unauthorized JavaScript templates to read local .js and .json files, potentially exposing sensitive information such as credential stores or cloud configuration files.

Exposure of sensitive files due to improper access control (CWE-284) can lead to confidentiality breaches, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive data.

Users running untrusted JavaScript templates or integrating Nuclei SDK where end-users supply templates are at risk, making it critical to upgrade to version 3.8.0 or avoid untrusted templates to maintain compliance.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-41646 is a vulnerability in Nuclei's JavaScript protocol runtime that affects versions 3.0.0 to before 3.8.0. It allows JavaScript templates to bypass the default local file access restriction by using the require() function to read local .js and .json files.

The root cause is that the goja require() function uses a default host filesystem loader which ignores the allow-local-file-access (-lfa) option. This enables unauthorized access to sensitive local files such as package.json, credential stores, or cloud configuration files.

The vulnerability impacts users running untrusted JavaScript templates either via the CLI or SDK integrations where end-users can supply templates. It has been fixed in Nuclei version 3.8.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive local files with .js and .json extensions on systems running affected Nuclei versions.

Attackers or untrusted JavaScript templates can read files like package.json, credential stores, or cloud configuration files, potentially exposing confidential information.

The CVSS v3 base score is 5.5 (Medium), indicating a moderate severity with a high confidentiality impact but no impact on integrity or availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects Nuclei versions 3.0.0 to 3.7.9 and involves JavaScript templates using the require() function to read local .js and .json files, bypassing local file access restrictions.

To detect if your system is vulnerable, check the version of Nuclei installed. If it is between 3.0.0 and 3.7.9, it is potentially affected.

You can run the following command to check the installed Nuclei version:

• nuclei -version

Additionally, review any JavaScript templates in use to see if they utilize the require() function to load local .js or .json files, especially if these templates are untrusted.

There are no specific network detection commands provided in the resources, but monitoring for unexpected file access attempts to .js or .json files by Nuclei processes could help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Nuclei to version 3.8.0 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, avoid running untrusted JavaScript templates that could exploit the require() function to read local files.

Ensure that the allow-local-file-access (-lfa) option is properly configured and that no untrusted templates are allowed to bypass this restriction.

Useful 0 Not Useful 0