PT-2026-34612 · Go · github.com/projectdiscovery/nuclei/v3

Gnuletik · Published 2026-04-22 · Updated 2026-05-09

CVE-2026-41645 · CVSS v3.1 5.3 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Nuclei versions 3.0.0 through 3.7.9

Description
A flaw in Nuclei's expression evaluation engine allows a malicious target server to inject and execute supported Domain Specific Language (DSL) expressions. The issue arises when HTTP response data containing helper or function syntax is reused by a later step of a multi-step template. The expressions.Evaluate() function first substitutes placeholders and then re-scans the resulting output for expressions; because of this two-pass order, a response-derived value that contains {{...}} syntax is reinterpreted as DSL instead of being treated as literal data. Additionally, the hasLiteralsOnly() function evaluated helper expressions while validating for unresolved variables, so side-effectful helpers ran during validation rather than only during evaluation. When the -env-vars (-ev) option is enabled, host environment variables are available to templates, and a target can return response data containing an expression such as {{env var name}} (where env var name is the name of a host environment variable) to expose sensitive values such as API keys, credentials, and tokens to the scanned server.
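The following self-contained Go program is an added illustration of the two evaluation orders the description contrasts; it is not nuclei's code and does not reproduce the real expressions.Evaluate() or hasLiteralsOnly() functions. EvaluateTwoPass substitutes variables and then re-scans its own output, so a response-derived value containing {{...}} is executed; EvaluateSinglePass resolves each token once against the original template text and copies substituted values verbatim. HasExpressionSyntax is the guard a multi-step runner could apply to response-derived values before reusing them. The {{...}} tokenizer, the variable names title, note and API_KEY, the sk-live-EXAMPLE-0000 value and the audit helper are all constructed for the example; nuclei's real DSL grammar, helpers and -env-vars loading are not modelled beyond "environment variables share the template's variable namespace".

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// exprRe matches one {{ ... }} token. Constructed for this example; nuclei's
// real tokenizer and DSL grammar are richer than this.
var exprRe = regexp.MustCompile(`\{\{\s*([^{}]+?)\s*\}\}`)

// Scope holds what a template step can reference. In this model, values
// extracted from earlier responses and host environment variables (which
// nuclei loads only under -env-vars) share one namespace.
type Scope struct {
	Vars    map[string]string        // extractor values and environment variables
	Helpers map[string]func() string // DSL helpers; some have side effects
}

// resolve looks a bare token name up in vars first, then helpers.
func (s Scope) resolve(name string) (string, bool) {
	if v, ok := s.Vars[name]; ok {
		return v, true
	}
	if h, ok := s.Helpers[name]; ok {
		return h(), true
	}
	return "", false
}

// EvaluateTwoPass models the flawed order described in the advisory: pass 1
// substitutes variables, pass 2 re-scans the OUTPUT of pass 1 for expressions.
// Whatever a substituted value contained is now parsed as DSL.
func EvaluateTwoPass(tmpl string, s Scope) string {
	pass1 := exprRe.ReplaceAllStringFunc(tmpl, func(tok string) string {
		name := exprRe.FindStringSubmatch(tok)[1]
		if v, ok := s.Vars[name]; ok {
			return v
		}
		return tok
	})
	return exprRe.ReplaceAllStringFunc(pass1, func(tok string) string {
		name := exprRe.FindStringSubmatch(tok)[1]
		if v, ok := s.resolve(name); ok {
			return v
		}
		return tok
	})
}

// EvaluateSinglePass resolves each token exactly once, walking the ORIGINAL
// template text. Substituted values are copied verbatim and never re-scanned,
// so "{{...}}" arriving in a response is data, not code.
func EvaluateSinglePass(tmpl string, s Scope) string {
	var out strings.Builder
	last := 0
	for _, m := range exprRe.FindAllStringSubmatchIndex(tmpl, -1) {
		out.WriteString(tmpl[last:m[0]])
		if v, ok := s.resolve(tmpl[m[2]:m[3]]); ok {
			out.WriteString(v)
		} else {
			out.WriteString(tmpl[m[0]:m[1]]) // unknown token stays literal
		}
		last = m[1]
	}
	out.WriteString(tmpl[last:])
	return out.String()
}

// HasExpressionSyntax is a guard a multi-step runner can apply to
// response-derived values before reuse: anything that looks like a DSL token
// is refused (or escaped) rather than templated.
func HasExpressionSyntax(v string) bool { return exprRe.MatchString(v) }

// ExampleScope builds a constructed scope: two values "extracted" from a
// hypothetical malicious response, a fake secret standing in for a host
// environment variable exposed via -env-vars, and one side-effectful helper.
func ExampleScope(helperCalls *int) Scope {
	return Scope{
		Vars: map[string]string{
			"title":   "{{API_KEY}}",          // attacker-controlled response data
			"note":    "{{audit}}",            // attacker-controlled response data
			"API_KEY": "sk-live-EXAMPLE-0000", // constructed, not a real key
		},
		Helpers: map[string]func() string{
			"audit": func() string { *helperCalls++; return "audited" },
		},
	}
}

func main() {
	tmpl := "GET /report?t={{title}}&n={{note}}" // second step of a multi-step template
	calls := 0
	s := ExampleScope(&calls)
	r1 := EvaluateTwoPass(tmpl, s)
	fmt.Printf("two-pass   : %s  (helper calls: %d)\n", r1, calls)
	calls = 0
	r2 := EvaluateSinglePass(tmpl, s)
	fmt.Printf("single-pass: %s  (helper calls: %d)\n", r2, calls)
	fmt.Printf("flag title : %v\n", HasExpressionSyntax(s.Vars["title"]))
}
```

Run as-is: the two-pass line carries the fake key and shows the injected helper was invoked once, while the single-pass line still contains the literal {{API_KEY}} and {{audit}} text and invoked no helper. Single-pass resolution is one way to close the gap; the advisory does not describe the shape of the 3.8.0 fix, and the guard is a defence-in-depth check rather than a replacement for updating.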

Recommendations
Update to version 3.8.0. Disable the -env-vars (-ev) option when scanning untrusted targets; this removes only the environment-variable exposure path, not the underlying reinterpretation of response data as DSL, so the update is the actual fix.

Weakness Enumeration
Code Injection

Related Identifiers
CVE-2026-41645
GHSA-jm34-66cf-qpvr

Affected Products
github.com/projectdiscovery/nuclei/v3
Nuclei