PT-2026-34613 · Nuclei · Nuclei

Akashhamal0X01 · Published 2026-04-22 · Updated 2026-05-20 · CVE-2026-41646

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Nuclei versions 3.0.0 through 3.7.9

Description

A flaw in the JavaScript protocol runtime's module loading system allows JavaScript templates to read local .js and .json files from the host filesystem. This occurs because the require() function utilizes a default host filesystem loader that bypasses the allow-local-file-access check, which is intended to restrict file access outside the template directory. This can lead to the exposure of sensitive data stored in JSON configuration files, such as package.json, credential stores, or cloud configuration files. The issue specifically affects CLI users running untrusted third-party templates and SDK users who allow end-users to supply JavaScript templates.

Recommendations

Update to version 3.8.0. Avoid running JavaScript templates from unverified or untrusted sources.
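
To support the recommendation above, a pre-run triage check for third-party templates can list every require() call that does not load a built-in module. This is an added example, not code from the Nuclei project or the advisory; the function name, the "nuclei/" built-in module prefix and both sample template bodies are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// literalRequire captures string-literal require() targets; dynamicRequire
// matches require() calls whose argument is an expression.
var (
	literalRequire = regexp.MustCompile("\\brequire\\(\\s*['\"`]([^'\"`]+)['\"`]\\s*\\)")
	dynamicRequire = regexp.MustCompile("\\brequire\\(\\s*[^'\"`\\s)]")
)

// Assumption: built-in Nuclei JavaScript modules are imported under this prefix.
const builtinPrefix = "nuclei/"

// Constructed sample template bodies, not real Nuclei templates.
const benignSample = `javascript:
  - code: |
      const ssh = require('nuclei/ssh');
`

const suspectSample = `javascript:
  - code: |
      const cfg = require("../../app/package.json");
      const mod = require(name);
`

// FindSuspectRequires returns every literal require() target that is not a clean
// built-in module path, followed by one "<dynamic>" marker per non-literal call.
func FindSuspectRequires(template string) []string {
	var hits []string
	for _, m := range literalRequire.FindAllStringSubmatch(template, -1) {
		if !strings.HasPrefix(m[1], builtinPrefix) || strings.Contains(m[1], "..") {
			hits = append(hits, m[1])
		}
	}
	for range dynamicRequire.FindAllString(template, -1) {
		hits = append(hits, "<dynamic>")
	}
	return hits
}

func main() {
	fmt.Println("benign:", FindSuspectRequires(benignSample))
	fmt.Println("suspect:", FindSuspectRequires(suspectSample))
}
```

A text match like this only helps prioritize manual review and will miss calls that are constructed indirectly, so it does not replace updating to 3.8.0.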

Exploit

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-41646
GHSA-29RG-WMCW-HPF4
GO-2026-4965

Affected Products

Nuclei