ProjectDiscovery Reviews New Nuclei Checks for Odoo Disclosure and CVE-2026-3055
ProjectDiscovery's nuclei-templates repository received two new vulnerability detection submissions: one for an Odoo website information disclosure issue and another for CVE-2026-3055. The Odoo template, submitted in pull request #15693 by aushack, adds a check intended to identify exposed information on Odoo websites. The contributor said the template was validated against both a vulnerable target and a patched or non-vulnerable target to confirm detection accuracy and reduce false positives.
A separate pull request, #15721, submitted by shaikhyaser, proposes a Nuclei template for CVE-2026-3055, a flaw that, according to the review discussion, may require a SAML-enabled environment and may involve a memory leak. Review comments in the repository show maintainers questioned whether the memory leak had been successfully reproduced, indicating the template's effectiveness and exploitability were still being evaluated and that the submission had not yet been merged at the time of review.
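The validation step both contributors describe, running a template against a vulnerable target and a patched one to confirm it fires on the first and stays quiet on the second, is what keeps a detection check from becoming a false-positive generator. The following is an added illustration, not code from the nuclei-templates repository or from either pull request: a minimal evaluator for nuclei-style `word` and `status` matchers (with `condition`, `negative` and `matchers-condition`, which are real nuclei template fields), run over two constructed HTTP responses. The "Odoo" check it evaluates is a hypothetical placeholder; the response bodies, the field name `internal_setting` and the `PLACEHOLDER_SENSITIVE_VALUE` marker are all made up for the example. It shows why a check that only inspects the status code passes the vulnerable fixture but also fires on the patched one, while a check that requires the disclosed field in the body passes both fixtures.

```python
"""Minimal nuclei-style matcher evaluator with a vulnerable/patched fixture check.

Added illustration, not the project's own code. Matcher keys follow nuclei's
template syntax, but the check and both responses are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    """A captured HTTP response, reduced to what the matchers inspect."""
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def match_one(matcher: dict, resp: Response) -> bool:
    """Evaluate a single matcher block (type: status or word), honouring `negative`."""
    mtype = matcher["type"]
    if mtype == "status":
        hit = resp.status in matcher["status"]
    elif mtype == "word":
        # `part` selects body (default) or the flattened response headers
        if matcher.get("part", "body") == "header":
            haystack = "\n".join(f"{k}: {v}" for k, v in resp.headers.items())
        else:
            haystack = resp.body
        found = [w in haystack for w in matcher["words"]]
        # nuclei defaults `condition` to "or" for word lists
        hit = all(found) if matcher.get("condition", "or") == "and" else any(found)
    else:
        raise ValueError(f"unsupported matcher type: {mtype}")
    return (not hit) if matcher.get("negative", False) else hit


def evaluate(template: dict, resp: Response) -> bool:
    """Combine all matchers using the template's `matchers-condition` (default "or")."""
    results = [match_one(m, resp) for m in template["matchers"]]
    return all(results) if template.get("matchers-condition", "or") == "and" else any(results)


def validate(template: dict, fixtures: dict) -> dict:
    """Run the template over labelled fixtures; returns {name: (expected, observed)}."""
    return {name: (expected, evaluate(template, resp))
            for name, (expected, resp) in fixtures.items()}


def passes_validation(template: dict, fixtures: dict) -> bool:
    """True only if every fixture produced the result its label expects."""
    return all(exp == obs for exp, obs in validate(template, fixtures).values())


# Constructed fixtures (hypothetical; not real Odoo responses). Note that the
# patched service still answers 200 with an error object in the body, a common
# JSON-RPC pattern that defeats status-only checks.
VULNERABLE = Response(200, '{"result": {"internal_setting": "PLACEHOLDER_SENSITIVE_VALUE"}}',
                      {"Content-Type": "application/json"})
PATCHED = Response(200, '{"error": {"message": "Access Denied"}}',
                   {"Content-Type": "application/json"})
FIXTURES = {"vulnerable": (True, VULNERABLE), "patched": (False, PATCHED)}

# Loose check: status code only. Fires on both fixtures, so it fails validation.
LOOSE_TEMPLATE = {"matchers": [{"type": "status", "status": [200]}]}

# Strict check: status AND the disclosed field present AND no error marker.
STRICT_TEMPLATE = {
    "matchers-condition": "and",
    "matchers": [
        {"type": "status", "status": [200]},
        {"type": "word", "part": "body", "words": ["internal_setting"]},
        {"type": "word", "part": "body", "words": ["Access Denied"], "negative": True},
    ],
}

if __name__ == "__main__":
    for name, tpl in (("loose", LOOSE_TEMPLATE), ("strict", STRICT_TEMPLATE)):
        print(name, validate(tpl, FIXTURES), "PASS" if passes_validation(tpl, FIXTURES) else "FAIL")
```

The same two-fixture harness applies to any new template: keep the patched response alongside the vulnerable one, and treat a check that cannot tell them apart as not ready for merge, whatever it reports against the vulnerable host alone.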
Timeline
Mar 29, 2026
Template for CVE-2026-3055 submitted for review
A separate GitHub pull request (#15721) was opened in the projectdiscovery/nuclei-templates repository for a Nuclei template labeled CVE-2026-3055. Discussion on the pull request indicated the issue may require a SAML-enabled environment and involve a memory leak, with maintainers questioning whether the contributor had successfully reproduced the behavior.
Mar 26, 2026
Nuclei template proposed for Odoo website information disclosure
A GitHub pull request (#15693) was opened in the projectdiscovery/nuclei-templates repository to add a Nuclei template for detecting an Odoo website information disclosure issue. The contributor said the template was validated against both vulnerable and patched or non-vulnerable targets to confirm accurate detection.
Related Stories

ProjectDiscovery Adds Nuclei Checks for WordPress, Synway, and XSS Flaws
ProjectDiscovery's `nuclei-templates` repository received several pull requests adding or refining detection logic for newly disclosed web vulnerabilities. Proposed templates covered **CVE-2026-0561** for cross-site scripting, **CVE-2025-69411** for a high-severity path traversal/local file read in the WordPress plugin `ioncube-tester-plus`, **CVE-2026-1405** for a critical SSRF issue in a WordPress REST API endpoint, and an unauthenticated remote command execution flaw in **Synway SMG Gateway** via `9-2radius.php`. The submissions generally reported validation against vulnerable and patched targets to reduce false positives, with several marked ready for merge pending maintainer review. The WordPress `ioncube-tester-plus` template demonstrated file disclosure through `loader-wizard.php` by abusing the `ininame` parameter to retrieve `/etc/passwd`, while the `slider-future` WordPress template showed SSRF by sending an external `image_url` to `/wp-json/slider-future/v1/upload-image/` and confirming outbound DNS interaction through OAST. The Synway SMG Gateway submission described command injection through the `radius_address` parameter reaching a `system()` call, but automated review flagged template quality problems including weak matching logic and missing metadata. Separately, a fix was proposed for the **CVE-2025-71243** template after reports of frequent false positives, replacing reflection-based checks with `md5`-based proof of code execution to improve accuracy.
3 weeks ago
Nuclei Templates Added for WordPress SSTI and Nginx UI Access Control Flaws
ProjectDiscovery contributors opened and advanced Nuclei template pull requests for two newly tracked vulnerabilities: **`CVE-2026-4257`**, a **server-side template injection** issue in the **WordPress Contact Form by Supsystic** plugin, and **`CVE-2026-33032`**, a **broken access control** flaw in **Nginx UI**. The GitHub activity shows template development intended to support detection of both issues, with one pull request referencing a new `CVE-2026-4257.yaml` file and another marked ready to merge for the Nginx UI vulnerability. The available records are limited to repository metadata and do not include technical write-ups, affected version ranges, exploitation details, or vendor remediation guidance. Even so, the publication of detection content for these CVEs indicates that security researchers are operationalizing checks for exposed systems, and defenders using Nuclei should watch for template releases covering both the WordPress plugin SSTI and the Nginx UI authorization weakness.
3 weeks ago
Nuclei Templates Added for MITRE Caldera RCE and GitLab SAML Auth Bypass
ProjectDiscovery contributors submitted new Nuclei detection templates for two newly tracked vulnerabilities: **`CVE-2025-27364`**, described as an **unauthenticated remote code execution** flaw in **MITRE Caldera**, and **`CVE-2025-25291`**, an **authentication bypass** issue in **`ruby-saml`** affecting **GitLab SAML SSO** deployments. The references indicate both issues were significant enough to prompt rapid addition of scanning coverage in the public `nuclei-templates` repository. Available details remain limited because the source material is drawn from GitHub pull request metadata rather than full advisories, but the vulnerability labels point to potentially high-impact exposure in identity and adversary-emulation infrastructure. Security teams using **GitLab SAML single sign-on** or **MITRE Caldera** should track vendor guidance, validate exposure to **`CVE-2025-25291`** and **`CVE-2025-27364`**, and prepare to use updated detection content as part of vulnerability assessment workflows.
1 month ago