High severity7.4NVD Advisory· Published Jul 17, 2024· Updated Apr 15, 2026

CVE-2024-40641

Description

Nuclei is a fast and customizable vulnerability scanner based on simple YAML based DSL. In affected versions it a way to execute code template without -code option and signature has been discovered. Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute). This issue has been addressed in version 3.3.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/projectdiscovery/nuclei/v3Go	< 3.3.0	3.3.0

Patches

bac917428bcc

https://github.com/projectdiscovery/nucleivia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-c3q9-c27p-cw9hghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-40641ghsaADVISORY
github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9hnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.481
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000