Release CSP Bypass Templates - Nuclei Templates v10.1.5 🎉 · projectdiscovery/nuclei-templates

🔥 Release Highlights 🔥

With this release, we are adding new CSP Bypass (DAST) Nuclei Templates to help security teams and bug hunters efficiently identify Content Security Policy (CSP) misconfigurations. These templates automate the detection of CSP bypass techniques, allowing testers to analyze real-world attack scenarios where CSP restrictions can be circumvented in the presence of existing XSS vulnerabilities.

We encourage contributors and reviewers to provide their valuable feedback and suggestions to help enhance and update these CSP Bypass templates further. For more details, please visit our latest blog post.

Other Highlights

[CVE-2025-27218] Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization (@iamnoooob, @rootxharsh, @pdresearch) [medium] 🔥
[CVE-2025-26793] FREEDOM Administration - Default Login (@eric Daigle, @dhiyaneshdk) [critical] 🔥
[CVE-2025-24893] XWiki Platform - Remote Code Execution (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
[CVE-2025-24752] Essential Addons for Elementor < 6.0.15 - Cross-Site Scripting (@dhiyaneshdk) [medium] 🔥
[CVE-2024-48248] NAKIVO Backup and Replication Solution - Unauthenticated Arbitrary File Read (@dhiyaneshdk) [high] 🔥
[CVE-2024-13161] Ivanti EPM - Credential Coercion Vulnerability in GetHashForSingleFile (@ritikchaddha) [critical] 🔥
[CVE-2024-13160] Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcard (@ritikchaddha) [critical] 🔥
[CVE-2024-13159] Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcardRecursive (@ritikchaddha) [critical] 🔥
[CVE-2024-12356] Privileged Remote Access & Remote - Command Injection (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
[CVE-2023-47248] PyArrow Flight RPC - Remote Code Execution (@smolse) [critical] 🔥
[CVE-2022-29455] WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting (@RotemBar, @daffainfo) [medium] 🔥

What's Changed

New Templates Added: `281` | CVEs Added: `23` | First-time contributions: `4`

[CVE-2025-27218] Sitecore Experience Manager (XM)/Experience Platform (XP) 10.4 - Insecure Deserialization (@iamnoooob, @rootxharsh, @pdresearch) [medium] 🔥
[CVE-2025-27112] Navidrome <=0.54.5 - Auth Bypass in Subsonic API (@iamnoooob, @rootxharsh, @pdresearch) [medium]
[CVE-2025-26793] FREEDOM Administration - Default Login (@eric Daigle, @dhiyaneshdk) [critical] 🔥
[CVE-2025-25062] Backdrop CMS - Cross-Site Scripting (@soonghee2) [medium]
[CVE-2025-24893] XWiki Platform - Remote Code Execution (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
[CVE-2025-24752] Essential Addons for Elementor < 6.0.15 - Cross-Site Scripting (@dhiyaneshdk) [medium] 🔥
[CVE-2025-22952] Elestio Memos <= v0.24.0 - Server-Side Request Forgery (@iamnoooob, @rootxharsh, @pdresearch) [critical]
[CVE-2025-1025] Cockpit < 2.4.1 - Arbitrary File Upload (@iamnoooob, @rootxharsh, @pdresearch) [high]
[CVE-2025-0868] DocsGPT - Unauthenticated Remote Code Execution (@iamnoooob, @rootxharsh, @pdresearch) [critical]
[CVE-2024-56331] Uptime-Kuma - Local File Inclusion (LFI) (@hyni03) [critical]
[CVE-2024-51228] TOTOLINK CX-A3002RU - Remote Code Execution (@dhiyaneshdk) [medium]
[CVE-2024-48248] NAKIVO Backup and Replication Solution - Unauthenticated Arbitrary File Read (@dhiyaneshdk) [high] 🔥
[CVE-2024-13888] WPMobile.App <= 11.56 - Open Redirect (@s4e-io) [high]
[CVE-2024-13161] Ivanti EPM - Credential Coercion Vulnerability in GetHashForSingleFile (@ritikchaddha) [critical] 🔥
[CVE-2024-13160] Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcard (@ritikchaddha) [critical] 🔥
[CVE-2024-13159] Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcardRecursive (@ritikchaddha) [critical] 🔥
[CVE-2024-12824] Nokri – Job Board <= 1.6.2 - Unauth Password Change (@iamnoooob, @rootxharsh, @pdresearch) [critical]
[CVE-2024-12356] Privileged Remote Access & Remote - Command Injection (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
[CVE-2024-11396] Event Monster <= 1.4.3 - Information Exposure Via Visitors List Export (@s4e-io) [medium]
[CVE-2024-9193] WHMpress <= 6.3 - Unauth LFI to Arbitrary Options Update (@iamnoooob, @rootxharsh, @pdresearch) [critical]
[CVE-2023-47248] PyArrow Flight RPC - Remote Code Execution (@smolse) [critical] 🔥
[CVE-2023-45826] Leantime < 2.4 - Authenticated SQL Injection (@iamnoooob, @rootxharsh, @pdresearch) [medium]
[CVE-2022-29455] WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting (@RotemBar, @daffainfo) [medium] 🔥
[remote-desktop-default-port] Remote Desktop Listening Default Port - Detect (@asteria121) [info]
[python-code-injection] Python Code Injection (@ritikchaddha) [high]
[open-redirect-bypass] Open Redirect Bypass (@ritikchaddha) [medium]
[freemarker-sandbox-bypass-ssti] Freemarker < 2.3.30 Sandbox Bypass - Server Side Template Injection (@ritikchaddha) [high]
[codepen-oob] Codepen - Out of Band Template Injection (@ritikchaddha) [high]
[jinjava-ssti] Jinjava - Server Side Template Injection (@ritikchaddha) [high]
[pebble-oob] Pebble - Out of Band Template Injection (@ritikchaddha) [high]
[spring-expression-oob] Spring Expression Language - Out of Band Template Injection (@ritikchaddha) [high]
[thymeleaf-oob] Thymeleaf - Out of Band Template Injection (@ritikchaddha) [high]
[razor-ssti] Razor - Server Side Template Injection (@ritikchaddha) [high]
[smarty-ssti] Smarty - Server Side Template Injection (@ritikchaddha) [high]
[twig-ssti] Twig - Server Side Template Injection (@ritikchaddha) [high]
[adnxs-ib-csp-bypass] Content-Security-Policy Bypass - Adnxs IB (@renniepak, @dhiyaneshdk) [medium]
[adnxs-secure-csp-bypass] Content-Security-Policy Bypass - Adnxs Secure (@renniepak, @dhiyaneshdk) [medium]
[adobe-campaign-csp-bypass] Content-Security-Policy Bypass - Adobe Campaign (@renniepak, @dhiyaneshdk) [medium]
[adroll-csp-bypass] Content-Security-Policy Bypass - AdRoll (@renniepak, @dhiyaneshdk) [medium]
[afterpay-help-csp-bypass] Content-Security-Policy Bypass - Afterpay Help (@renniepak, @dhiyaneshdk) [medium]
[akamai-content-csp-bypass] Content-Security-Policy Bypass - Akamai Content (@renniepak, @dhiyaneshdk) [medium]
[alibaba-ug-csp-bypass] Content-Security-Policy Bypass - Alibaba UG (@renniepak, @dhiyaneshdk) [medium]
[aliexpress-acs-csp-bypass] Content-Security-Policy Bypass - AliExpress ACS (@renniepak, @dhiyaneshdk) [medium]
[amap-wb-csp-bypass] Content-Security-Policy Bypass - AMap WB (@renniepak, @dhiyaneshdk) [medium]
[amazon-aax-eu-csp-bypass] Content-Security-Policy Bypass - Amazon AAX EU (@renniepak, @dhiyaneshdk) [medium]
[amazon-media-csp-bypass] Content-Security-Policy Bypass - Amazon Media (@renniepak, @dhiyaneshdk) [medium]
[amazon-romania-csp-bypass] Content-Security-Policy Bypass - Amazon Romania (@renniepak, @dhiyaneshdk) [medium]
[amazon-s3-elysium-csp-bypass] Content-Security-Policy Bypass - Amazon S3 Elysium (@renniepak, @dhiyaneshdk) [medium]
[ancestrycdn-angular-csp-bypass] Content-Security-Policy Bypass - AncestryCDN Angular (@renniepak, @dhiyaneshdk) [medium]
[angularjs-code-csp-bypass] Content-Security-Policy Bypass - AngularJS Code (@renniepak, @dhiyaneshdk) [medium]
[app-link-csp-bypass] Content-Security-Policy Bypass - App Link (@renniepak, @dhiyaneshdk) [medium]
[apple-developer-csp-bypass] Content-Security-Policy Bypass - Apple Developer (@renniepak, @dhiyaneshdk) [medium]
[arkoselabs-cdn-csp-bypass] Content-Security-Policy Bypass - Arkose Labs CDN (@renniepak, @dhiyaneshdk) [medium]
[arkoselabs-client-api-csp-bypass] Content-Security-Policy Bypass - Arkose Labs Client API (@renniepak, @dhiyaneshdk) [medium]
[ayco-portal-csp-bypass] Content-Security-Policy Bypass - Ayco Portal (@renniepak, @dhiyaneshdk) [medium]
[azure-inno-csp-bypass] Content-Security-Policy Bypass - Azure Inno (@renniepak, @dhiyaneshdk) [medium]
[baidu-map-api-csp-bypass] Content-Security-Policy Bypass - Baidu Map API (@renniepak, @dhiyaneshdk) [medium]
[baidu-passport-csp-bypass] Content-Security-Policy Bypass - Baidu Passport (@renniepak, @dhiyaneshdk) [medium]
[battlenet-eu-csp-bypass] Content-Security-Policy Bypass - Battle.net EU (@renniepak, @dhiyaneshdk) [medium]
[bazaarvoice-api-csp-bypass] Content-Security-Policy Bypass - Bazaarvoice API (@renniepak, @dhiyaneshdk) [medium]
[bdimg-apps-csp-bypass] Content-Security-Policy Bypass - BDImg Apps (@renniepak, @dhiyaneshdk) [medium]
[bebezoo-1688-csp-bypass] Content-Security-Policy Bypass - Bebezoo 1688 (@renniepak, @dhiyaneshdk) [medium]
[bild-don-csp-bypass] Content-Security-Policy Bypass - Bild Don (@renniepak, @dhiyaneshdk) [medium]
[bing-api-csp-bypass] Content-Security-Policy Bypass - Bing API (@renniepak, @dhiyaneshdk) [medium]
[bing-csp-bypass] Content-Security-Policy Bypass - Bing (@renniepak, @dhiyaneshdk) [medium]
[blogger-api-csp-bypass] Content-Security-Policy Bypass - Blogger API (@renniepak, @dhiyaneshdk) [medium]
[buzzfeed-mango-csp-bypass] Content-Security-Policy Bypass - BuzzFeed Mango (@renniepak, @dhiyaneshdk) [medium]
[bytedance-sso-csp-bypass] Content-Security-Policy Bypass - ByteDance SSO (@renniepak, @dhiyaneshdk) [medium]
[carbonads-srv-csp-bypass] Content-Security-Policy Bypass - CarbonAds SRV (@renniepak, @dhiyaneshdk) [medium]
[chartbeat-api-csp-bypass] Content-Security-Policy Bypass - Chartbeat API (@renniepak, @dhiyaneshdk) [medium]
[clearbit-reveal-csp-bypass] Content-Security-Policy Bypass - Clearbit Reveal (@renniepak, @dhiyaneshdk) [medium]
[cloudflare-cdn-csp-bypass] Content-Security-Policy Bypass - Cloudflare CDN (@renniepak, @dhiyaneshdk) [medium]
[cloudflare-challenges-csp-bypass] Content-Security-Policy Bypass - Cloudflare Challenges (@renniepak, @dhiyaneshdk) [medium]
[cloudflare-info-csp-bypass] Content-Security-Policy Bypass - Cloudflare Info (@renniepak, @dhiyaneshdk) [medium]
[cloudfront-csp-bypass] Content-Security-Policy Bypass - CloudFront (@renniepak, @dhiyaneshdk) [medium]
[coinbase-commerce-csp-bypass] Content-Security-Policy Bypass - Coinbase Commerce (@renniepak, @dhiyaneshdk) [medium]
[coinbase-investor-csp-bypass] Content-Security-Policy Bypass - Coinbase Investor (@renniepak, @dhiyaneshdk) [medium]
[crisp-client-csp-bypass] Content-Security-Policy Bypass - Crisp Client (@renniepak, @dhiyaneshdk) [medium]
[criteo-cas-csp-bypass] Content-Security-Policy Bypass - Criteo CAS (@renniepak, @dhiyaneshdk) [medium]
[criteo-dynamic-csp-bypass] Content-Security-Policy Bypass - Criteo Dynamic (@renniepak, @dhiyaneshdk) [medium]
[criteo-gum-csp-bypass] Content-Security-Policy Bypass - Criteo Gum (@renniepak, @dhiyaneshdk) [medium]
[cxense-api-csp-bypass] Content-Security-Policy Bypass - Cxense API (@renniepak, @dhiyaneshdk) [medium]
[dailymotion-api-csp-bypass] Content-Security-Policy Bypass - Dailymotion API (@renniepak, @dhiyaneshdk) [medium]
[dblp-csp-bypass] Content-Security-Policy Bypass - DBLP (@renniepak, @dhiyaneshdk) [medium]
[demdex-dpm-csp-bypass] Content-Security-Policy Bypass - Demdex DPM (@renniepak, @dhiyaneshdk) [medium]
[digitalocean-anchor-csp-bypass] Content-Security-Policy Bypass - DigitalOcean Anchor (@renniepak, @dhiyaneshdk) [medium]
[disqus-links-csp-bypass] Content-Security-Policy Bypass - Disqus Links (@renniepak, @dhiyaneshdk) [medium]
[doubleclick-pubads-csp-bypass] Content-Security-Policy Bypass - DoubleClick PubAds (@renniepak, @dhiyaneshdk) [medium]
[doubleclick-securepubads-csp-bypass] CSP Bypass - DoubleClick SecurePubAds (@renniepak, @dhiyaneshdk) [medium]
[duckduckgo-api-csp-bypass] Content-Security-Policy Bypass - DuckDuckGo API (@renniepak, @dhiyaneshdk) [medium]
[elastic-info-csp-bypass] Content-Security-Policy Bypass - Elastic Info (@renniepak, @dhiyaneshdk) [medium]
[ethicalads-server-csp-bypass] Content-Security-Policy Bypass - EthicalAds Server (@renniepak, @dhiyaneshdk) [medium]
[facebook-api-csp-bypass] Content-Security-Policy Bypass - Facebook API (@renniepak, @dhiyaneshdk) [medium]
[facebook-graph-csp-bypass] Content-Security-Policy Bypass - Facebook Graph (@renniepak, @dhiyaneshdk) [medium]
[fastly-storemapper-csp-bypass] Content-Security-Policy Bypass - Fastly StoreMapper (@renniepak, @dhiyaneshdk) [medium]
[firebaseio-rentokil-csp-bypass] Content-Security-Policy Bypass - Firebaseio Rentokil (@renniepak, @dhiyaneshdk) [medium]
[flickr-api-csp-bypass] Content-Security-Policy Bypass - Flickr API (@renniepak, @dhiyaneshdk) [medium]
[forismatic-api-csp-bypass] Content-Security-Policy Bypass - Forismatic API (@renniepak, @dhiyaneshdk) [medium]
[fqtag-query-csp-bypass] Content-Security-Policy Bypass - FQTag Query (@renniepak, @dhiyaneshdk) [medium]
[fqtag-s-csp-bypass] Content-Security-Policy Bypass - FQTag S (@renniepak, @dhiyaneshdk) [medium]
[fwmrm-csp-bypass] Content-Security-Policy Bypass - FWM RM (@renniepak, @dhiyaneshdk) [medium]
[getdrip-api-csp-bypass] Content-Security-Policy Bypass - GetDrip API (@renniepak, @dhiyaneshdk) [medium]
[github-api-csp-bypass] Content-Security-Policy Bypass - GitHub API (@renniepak, @dhiyaneshdk) [medium]
[github-gist-csp-bypass] Content-Security-Policy Bypass - GitHub Gist (@renniepak, @dhiyaneshdk) [medium]
[gitlab-page-csp-bypass] Content-Security-Policy Bypass - GitLab Page (@renniepak, @dhiyaneshdk) [medium]
[go-dev-csp-bypass] Content-Security-Policy Bypass - Go Dev (@renniepak, @dhiyaneshdk) [medium]
[google-accounts-csp-bypass] Content-Security-Policy Bypass - Google Accounts (@renniepak, @dhiyaneshdk) [medium]
[google-ajax-csp-bypass] Content-Security-Policy Bypass - Google AJAX (@renniepak, @dhiyaneshdk) [medium]
[google-analytics-csp-bypass] Content-Security-Policy Bypass - Google Analytics (@renniepak, @dhiyaneshdk) [medium]
[google-apis-csp-bypass] Content-Security-Policy Bypass - Google APIs (@renniepak, @dhiyaneshdk) [medium]
[google-clients1-csp-bypass] Content-Security-Policy Bypass - Google Clients1 (@renniepak, @dhiyaneshdk) [medium]
[google-complete-csp-bypass] Content-Security-Policy Bypass - Google Complete (@renniepak, @dhiyaneshdk) [medium]
[google-cse-csp-bypass] Content-Security-Policy Bypass - Google CSE (@renniepak, @dhiyaneshdk) [medium]
[google-maps-api-ssl-csp-bypass] Content-Security-Policy Bypass - Google Maps API SSL (@renniepak, @dhiyaneshdk) [medium]
[google-maps-apis-csp-bypass] Content-Security-Policy Bypass - Google Maps APIs (@renniepak, @dhiyaneshdk) [medium]
[google-maps-csp-bypass] Content-Security-Policy Bypass - Google Maps (@renniepak, @dhiyaneshdk) [medium]
[google-maps-de-csp-bypass] Content-Security-Policy Bypass - Google Maps DE (@renniepak, @dhiyaneshdk) [medium]
[google-maps-lv-csp-bypass] Content-Security-Policy Bypass - Google Maps LV (@renniepak, @dhiyaneshdk) [medium]
[google-maps-ru-csp-bypass] Content-Security-Policy Bypass - Google Maps RU (@renniepak, @dhiyaneshdk) [medium]
[google-recaptcha-csp-bypass] Content-Security-Policy Bypass - Google reCAPTCHA (@renniepak, @dhiyaneshdk) [medium]
[google-tagmanager-csp-bypass] Content-Security-Policy Bypass - Google Tag Manager (@renniepak, @dhiyaneshdk) [medium]
[google-translate-csp-bypass] Content-Security-Policy Bypass - Google Translate (@renniepak, @dhiyaneshdk) [medium]
[googleadservices-partner-csp-bypass] CSP Bypass - Google Ad Services Partner (@renniepak, @dhiyaneshdk) [medium]
[googleapis-blogger-csp-bypass] Content-Security-Policy Bypass - Google APIs Blogger (@renniepak, @dhiyaneshdk) [medium]
[googleapis-customsearch-csp-bypass] CSP Bypass - Google APIs Custom Search (@renniepak, @dhiyaneshdk) [medium]
[googleapis-storage-csp-bypass] Content-Security-Policy Bypass - Google APIs Storage (@renniepak, @dhiyaneshdk) [medium]
[googleapis-translate-csp-bypass] Content-Security-Policy Bypass - Google APIs Translate (@renniepak, @dhiyaneshdk) [medium]
[googletagmanager-csp-bypass] Content-Security-Policy Bypass - Google Tag Manager (@renniepak, @dhiyaneshdk) [medium]
[gravatar-secure-csp-bypass] Content-Security-Policy Bypass - Gravatar Secure (@renniepak, @dhiyaneshdk) [medium]
[grubhub-assets-csp-bypass] Content-Security-Policy Bypass - Grubhub Assets (@renniepak, @dhiyaneshdk) [medium]
[gstatic-angular-csp-bypass] Content-Security-Policy Bypass - GStatic Angular (@renniepak, @dhiyaneshdk) [medium]
[gstatic-recaptcha-csp-bypass] Content-Security-Policy Bypass - GStatic reCAPTCHA (@renniepak, @dhiyaneshdk) [medium]
[gstatic-ssl-csp-bypass] Content-Security-Policy Bypass - GStatic SSL (@renniepak, @dhiyaneshdk) [medium]
[hatenaapis-bookmark-csp-bypass] CSP Bypass - Hatena APIs Bookmark (@renniepak, @dhiyaneshdk) [medium]
[hcaptcha-csp-bypass] Content-Security-Policy Bypass - hCaptcha (@renniepak, @dhiyaneshdk) [medium]
[hcaptcha-js-csp-bypass] Content-Security-Policy Bypass - hCaptcha JS (@renniepak, @dhiyaneshdk) [medium]
[here-api-csp-bypass] Content-Security-Policy Bypass - HERE API (@renniepak, @dhiyaneshdk) [medium]
[hsforms-csp-bypass] Content-Security-Policy Bypass - HSForms (@renniepak, @dhiyaneshdk) [medium]
[hubspot-forms-csp-bypass] Content-Security-Policy Bypass - HubSpot Forms (@renniepak, @dhiyaneshdk) [medium]
[ibm-api-csp-bypass] Content-Security-Policy Bypass - IBM API (@renniepak, @dhiyaneshdk) [medium]
[ieee-oamssoqae-csp-bypass] Content-Security-Policy Bypass - IEEE OAMSsoQAE (@renniepak, @dhiyaneshdk) [medium]
[im-apps-sync-csp-bypass] Content-Security-Policy Bypass - IM Apps Sync (@renniepak, @dhiyaneshdk) [medium]
[indeed-tr-csp-bypass] Content-Security-Policy Bypass - Indeed TR (@renniepak, @dhiyaneshdk) [medium]
[indeed-uk-csp-bypass] Content-Security-Policy Bypass - Indeed UK (@renniepak, @dhiyaneshdk) [medium]
[ip-api-edns-csp-bypass] Content-Security-Policy Bypass - IP-API EDNS (@renniepak, @dhiyaneshdk) [medium]
[ipify-api-csp-bypass] Content-Security-Policy Bypass - Ipify API (@renniepak, @dhiyaneshdk) [medium]
[ipinfo-csp-bypass] Content-Security-Policy Bypass - IPInfo (@renniepak, @dhiyaneshdk) [medium]
[itunes-csp-bypass] Content-Security-Policy Bypass - iTunes (@renniepak, @dhiyaneshdk) [medium]
[jd-api-csp-bypass] Content-Security-Policy Bypass - JD API (@renniepak, @dhiyaneshdk) [medium]
[jsdelivr-csp-bypass] Content-Security-Policy Bypass - jsDelivr (@renniepak, @dhiyaneshdk) [medium]
[lijit-ap-csp-bypass] Content-Security-Policy Bypass - Lijit AP (@renniepak, @dhiyaneshdk) [medium]
[livechatinc-api-csp-bypass] Content-Security-Policy Bypass - LiveChatInc API (@renniepak, @dhiyaneshdk) [medium]
[liveperson-lptag-csp-bypass] Content-Security-Policy Bypass - LivePerson LPTAG (@renniepak, @dhiyaneshdk) [medium]
[lpsnmedia-accdn-csp-bypass] Content-Security-Policy Bypass - LPSN Media (@renniepak, @dhiyaneshdk) [medium]
[mailru-connect-csp-bypass] Content-Security-Policy Bypass - Mail.ru Connect (@renniepak, @dhiyaneshdk) [medium]
[marketo-app-csp-bypass] Content-Security-Policy Bypass - Marketo App (@renniepak, @dhiyaneshdk) [medium]
[mathtag-pixel-csp-bypass] Content-Security-Policy Bypass - Mathtag Pixel (@renniepak, @dhiyaneshdk) [medium]
[matomo-demo-csp-bypass] Content-Security-Policy Bypass - Matomo Demo (@renniepak, @dhiyaneshdk) [medium]
[meetup-api-csp-bypass] Content-Security-Policy Bypass - Meetup API (@renniepak, @dhiyaneshdk) [medium]
[meteoprog-csp-bypass] Content-Security-Policy Bypass - Meteoprog (@renniepak, @dhiyaneshdk) [medium]
[mi-huodong-csp-bypass] Content-Security-Policy Bypass - Mi Huodong (@renniepak, @dhiyaneshdk) [medium]
[microsoft-api-csp-bypass] Content-Security-Policy Bypass - Microsoft API (@renniepak, @dhiyaneshdk) [medium]
[microsofttranslator-api-csp-bypass] CSP Bypass - Microsoft Translator API (@renniepak, @dhiyaneshdk) [medium]
[mixpanel-api-csp-bypass] Content-Security-Policy Bypass - Mixpanel API (@renniepak, @dhiyaneshdk) [medium]
[moatads-geo-csp-bypass] Content-Security-Policy Bypass - MoatAds Geo (@renniepak, @dhiyaneshdk) [medium]
[naver-global-apis-csp-bypass] Content-Security-Policy Bypass - Naver Global APIs (@renniepak, @dhiyaneshdk) [medium]
[naver-like-csp-bypass] Content-Security-Policy Bypass - Naver Like (@renniepak, @dhiyaneshdk) [medium]
[olark-api-csp-bypass] Content-Security-Policy Bypass - Olark API (@renniepak, @dhiyaneshdk) [medium]
[onetrust-geolocation-csp-bypass] Content-Security-Policy Bypass - OneTrust Geolocation (@renniepak, @dhiyaneshdk) [medium]
[openai-tcr9i-csp-bypass] Content-Security-Policy Bypass - OpenAI TCR9I (@renniepak, @dhiyaneshdk) [medium]
[opendatasoft-docs-csp-bypass] Content-Security-Policy Bypass - Opendatasoft Docs (@renniepak, @dhiyaneshdk) [medium]
[openexchangerates-csp-bypass] Content-Security-Policy Bypass - OpenExchangeRates (@renniepak, @dhiyaneshdk) [medium]
[openstreetmap-nominatim-csp-bypass] CSP Bypass - OpenStreetMap Nominatim (@renniepak, @dhiyaneshdk) [medium]
[ovoenergy-js-smb-csp-bypass] Content-Security-Policy Bypass - OVO Energy JS SMB (@renniepak, @dhiyaneshdk) [medium]
[parastorage-static-csp-bypass] Content-Security-Policy Bypass - Parastorage Static (@renniepak, @dhiyaneshdk) [medium]
[paypal-api-csp-bypass] Content-Security-Policy Bypass - PayPal API (@renniepak, @dhiyaneshdk) [medium]
[pbs-urs-csp-bypass] Content-Security-Policy Bypass - PBS URS (@renniepak, @dhiyaneshdk) [medium]
[pinterest-api-csp-bypass] Content-Security-Policy Bypass - Pinterest API (@renniepak, @dhiyaneshdk) [medium]
[pinterest-widgets-csp-bypass] Content-Security-Policy Bypass - Pinterest Widgets (@renniepak, @dhiyaneshdk) [medium]
[pixplug-visitor-csp-bypass] Content-Security-Policy Bypass - PixPlug Visitor (@renniepak, @dhiyaneshdk) [medium]
[qq-csp-bypass] Content-Security-Policy Bypass - QQ (@renniepak, @dhiyaneshdk) [medium]
[quantserve-pixel-csp-bypass] Content-Security-Policy Bypass - Quantserve Pixel (@renniepak, @dhiyaneshdk) [medium]
[quantserve-secure-csp-bypass] Content-Security-Policy Bypass - Quantserve Secure (@renniepak, @dhiyaneshdk) [medium]
[quantserve-segapi-csp-bypass] Content-Security-Policy Bypass - Quantserve SegAPI (@renniepak, @dhiyaneshdk) [medium]
[recaptcha-net-csp-bypass] Content-Security-Policy Bypass - reCAPTCHA Net (@renniepak, @dhiyaneshdk) [medium]
[reddit-api-csp-bypass] Content-Security-Policy Bypass - Reddit API (@renniepak, @dhiyaneshdk) [medium]
[ring-csp-bypass] Content-Security-Policy Bypass - Ring (@renniepak, @dhiyaneshdk) [medium]
[roblox-api-csp-bypass] Content-Security-Policy Bypass - Roblox API (@renniepak, @dhiyaneshdk) [medium]
[samsung-shop-csp-bypass] Content-Security-Policy Bypass - Samsung Shop (@renniepak, @dhiyaneshdk) [medium]
[servicenow-kbcprod-csp-bypass] Content-Security-Policy Bypass - ServiceNow KBCProd (@renniepak, @dhiyaneshdk) [medium]
[shopify-cdn-csp-bypass] Content-Security-Policy Bypass - Shopify CDN (@renniepak, @dhiyaneshdk) [medium]
[shopify-thehive-csp-bypass] Content-Security-Policy Bypass - Shopify TheHive (@renniepak, @dhiyaneshdk) [medium]
[skimresources-r-csp-bypass] Content-Security-Policy Bypass - SkimResources R (@renniepak, @dhiyaneshdk) [medium]
[skype-config-csp-bypass] Content-Security-Policy Bypass - Skype Config (@renniepak, @dhiyaneshdk) [medium]
[snyk-go-csp-bypass] Content-Security-Policy Bypass - Snyk Go (@renniepak, @dhiyaneshdk) [medium]
[soundcloud-csp-bypass] Content-Security-Policy Bypass - SoundCloud (@renniepak, @dhiyaneshdk) [medium]
[st-angular-csp-bypass] Content-Security-Policy Bypass - ST Angular (@renniepak, @dhiyaneshdk) [medium]
[stackexchange-api-csp-bypass] Content-Security-Policy Bypass - StackExchange API (@renniepak, @dhiyaneshdk) [medium]
[swiftype-api-csp-bypass] Content-Security-Policy Bypass - Swiftype API (@renniepak, @dhiyaneshdk) [medium]
[syncfusion-cdn-csp-bypass] Content-Security-Policy Bypass - Syncfusion CDN (@renniepak, @dhiyaneshdk) [medium]
[taobao-suggest-csp-bypass] Content-Security-Policy Bypass - Taobao Suggest (@renniepak, @dhiyaneshdk) [medium]
[tealiumiq-visitor-service-csp-bypass] CSP Bypass - TealiumIQ Visitor Service (@renniepak, @dhiyaneshdk) [medium]
[tiktok-analytics-csp-bypass] Content-Security-Policy Bypass - TikTok Analytics (@renniepak, @dhiyaneshdk) [medium]
[tumblr-api-csp-bypass] Content-Security-Policy Bypass - Tumblr API (@renniepak, @dhiyaneshdk) [medium]
[twitter-api-csp-bypass] Content-Security-Policy Bypass - Twitter API (@renniepak, @dhiyaneshdk) [medium]
[ulogin-csp-bypass] Content-Security-Policy Bypass - ULogin (@renniepak, @dhiyaneshdk) [medium]
[unpkg-angular-csp-bypass] Content-Security-Policy Bypass - Unpkg Angular (@renniepak, @dhiyaneshdk) [medium]
[unpkg-hyperscript-csp-bypass] Content-Security-Policy Bypass - Unpkg Hyperscript (@renniepak, @dhiyaneshdk) [medium]
[usersnap-widget-csp-bypass] Content-Security-Policy Bypass - Usersnap Widget (@renniepak, @dhiyaneshdk) [medium]
[vercel-storage-csp-bypass] Content-Security-Policy Bypass - Vercel Storage (@renniepak, @dhiyaneshdk) [medium]
[vimeo-csp-bypass] Content-Security-Policy Bypass - Vimeo (@renniepak, @dhiyaneshdk) [medium]
[virtualearth-dev-csp-bypass] Content-Security-Policy Bypass - Virtual Earth Dev (@renniepak, @dhiyaneshdk) [medium]
[vk-api-csp-bypass] Content-Security-Policy Bypass - VK API (@renniepak, @dhiyaneshdk) [medium]
[wikipedia-api-csp-bypass] Content-Security-Policy Bypass - Wikipedia API (@renniepak, @dhiyaneshdk) [medium]
[wistia-fast-csp-bypass] Content-Security-Policy Bypass - Wistia Fast (@renniepak, @dhiyaneshdk) [medium]
[wordpress-api-csp-bypass] Content-Security-Policy Bypass - WordPress API (@renniepak, @dhiyaneshdk) [medium]
[wordpress-csp-bypass] Content-Security-Policy Bypass - WordPress (@renniepak, @dhiyaneshdk) [medium]
[wordpress-public-api-csp-bypass] Content-Security-Policy Bypass - WordPress Public API (@renniepak, @dhiyaneshdk) [medium]
[x-api-csp-bypass] Content-Security-Policy Bypass - X API (@renniepak, @dhiyaneshdk) [medium]
[yahoo-ads-yap-csp-bypass] Content-Security-Policy Bypass - Yahoo Ads Yap (@renniepak, @dhiyaneshdk) [medium]
[yahoo-search-csp-bypass] Content-Security-Policy Bypass - Yahoo Search (@renniepak, @dhiyaneshdk) [medium]
[yandex-mc-csp-bypass] Content-Security-Policy Bypass - Yandex MC (@renniepak, @dhiyaneshdk) [medium]
[yandex-social-csp-bypass] Content-Security-Policy Bypass - Yandex Social (@renniepak, @dhiyaneshdk) [medium]
[yandex-st-csp-bypass] Content-Security-Policy Bypass - Yandex ST (@renniepak, @dhiyaneshdk) [medium]
[yandex-translate-csp-bypass] Content-Security-Policy Bypass - Yandex Translate (@renniepak, @dhiyaneshdk) [medium]
[yandexcloud-smartcaptcha-csp-bypass] CSP Bypass - YandexCloud SmartCaptcha (@renniepak, @dhiyaneshdk) [medium]
[yastat-angular-csp-bypass] Content-Security-Policy Bypass - Yastat Angular (@renniepak, @dhiyaneshdk) [medium]
[yastatic-angular-csp-bypass] Content-Security-Policy Bypass - Yastatic Angular (@renniepak, @dhiyaneshdk) [medium]
[youku-acs-csp-bypass] Content-Security-Policy Bypass - Youku ACS (@renniepak, @dhiyaneshdk) [medium]
[youtube-api-csp-bypass] Content-Security-Policy Bypass - YouTube API (@renniepak, @dhiyaneshdk) [medium]
[youtube-suggestqueries-csp-bypass] CSP Bypass - YouTube SuggestQueries (@renniepak, @dhiyaneshdk) [medium]
[ytimg-s-csp-bypass] Content-Security-Policy Bypass - YTImg S (@renniepak, @dhiyaneshdk) [medium]
[yuedust-angular-csp-bypass] Content-Security-Policy Bypass - Yuedust Angular (@renniepak, @dhiyaneshdk) [medium]
[yugiohmonstrosdeduelo-blogger-csp-bypass] CSP Bypass - Yugiohmonstrosdedue Blogger (@renniepak, @dhiyaneshdk) [medium]
[zendesk-support-csp-bypass] Content-Security-Policy Bypass - Zendesk Support (@renniepak, @dhiyaneshdk) [medium]
[zendesk-thiscanbeanything-csp-bypass] CSP Bypass - Zendesk ThisCanBeAnything (@renniepak, @dhiyaneshdk) [medium]
[zhike-help-csp-bypass] Content-Security-Policy Bypass - Zhike Help (@renniepak, @dhiyaneshdk) [medium]
[zhuanjia-sogou-csp-bypass] Content-Security-Policy Bypass - Zhuanjia Sogou (@renniepak, @dhiyaneshdk) [medium]
[zoom-st3-csp-bypass] Content-Security-Policy Bypass - Zoom ST3 (@renniepak, @dhiyaneshdk) [medium]
[file-change-default-port] Change SSH Default Port (@pussycat0x) [info]
[file-disable-empty-password] Disable SSH Empty Password (@pussycat0x) [unknown]
[file-disable-root-login] Disable SSH Root Login (@pussycat0x) [unknown]
[file-disable-ssh-forwarding] Disable SSH Forwarding (@pussycat0x) [unknown]
[file-disable-sshp-protocol] Disable SSH Protocol (@pussycat0x) [unknown]
[file-enable-ssh-privilege-separation] Enable Privilege Separation in SSH (@pussycat0x) [unknown]
[file-hide-last-login-information] Hide SSH Last Login Information (@pussycat0x) [unknown]
[file-idle-timeout-interval] Set SSH Idle Timeout Interval (@pussycat0x) [unknown]
[file-limit-max-auth-attempts] Limit Maximum SSH Authentication Attempts (@pussycat0x) [unknown]
[file-limit-ssh-group] Limit SSH Users Group Access (@pussycat0x) [unknown]
[file-limit-ssh-users-access] Limit SSH Users Access (@pussycat0x) [unknown]
[file-ssh-unrestricted-nonwhitelist] Unrestricted SSH Access from Non-Whitelisted IPs (@pussycat0x) [unknown]
[file-ssh-key-auth-disabled] SSH Key-Based Authentication - Disabled (@pussycat0x) [unknown]
[klog-server-default-login] KLog Server - Default Login (@s4e-io) [high]
[app-manager-default-login] ManageEngine Applications Manager - Default Credentials (@0midC13) [high]
[beszel-panel] Beszel Login Panel - Detect (@righettod) [info]
[dex-panel] Dex Authentication - Panel (@rxerium) [info]
[irisnext-panel] IRISNext Login Panel - Detect (@righettod) [info]
[kerion-control-panel] Kerio Controle Panel - Detect (@johnk3r) [info]
[squidex-panel] Squidex Headless CMS Panel - Detect (@johnk3r) [info]
[zoraxy-panel] Zoraxy Login Panel - Detect (@righettod) [info]
[credit-card-number-detect] Credit and Debit Card Number - Detection (@Spidersilk, @morsy, @geeknik) [medium]
[intercom-identity-misconfiguration] Intercom Identity Verification Misconfiguration (@domwhewell-sage) [medium]
[salesforce-community-misconfig] Salesforce Community Misconfiguration (@domwhewell-sage) [medium]
[pomerium-detect] Pomerium Detect (@rxerium) [info]
[shibboleth-detect] Shibboleth SSO Detect (@rxerium) [info]
[winrm-detect] Windows Remote Management - Detection (@pussycat0x) [info]
[wordpress-aryo-activity-log] Activity Log – Monitor & Record User Changes Detection (@ricardomaia) [info]
[wordpress-speedycache] SpeedyCache – Cache, Optimization, Performance Detection (@ricardomaia) [info]
[leantime-stored-xss] Leantime < 3.3 = Cross-Site Scripting (@iamnoooob, @rootxharsh, @pdresearch) [high]
[change-default-port] Change SSH Default Port (@pussycat0x) [info]
[disable-empty-password] Disable SSH Empty Password (@pussycat0x) [high]
[disable-root-login] Disable SSH Root Login (@pussycat0x) [high]
[disable-ssh-forwarding] Disable SSH Forwarding (@pussycat0x) [unknown]
[disable-ssh-protocol-1] Disable SSH Protocol 1 (@pussycat0x) [low]
[enable-ssh-privilege-separation] Enable Privilege Separation in SSH (@pussycat0x) [unknown]
[hide-last-login-information] Hide SSH Last Login Information (@pussycat0x) [unknown]
[idle-timeout-interval] Set SSH Idle Timeout Interval (@pussycat0x) [low]
[limit-ssh-group] Limit SSH Users Group Access (@pussycat0x) [unknown]
[limit-ssh-users-access] Limit SSH Users Access (@pussycat0x) [unknown]
[ssh-key-auth-disabled] SSH Key-Based Authentication - Disabled (@pussycat0x) [low]
[ssh-unrestricted-nonwhitelist] Unrestricted SSH Access from Non-Whitelisted IPs (@pussycat0x) [unknown]

New Contributors

@SilverS3c made their first contribution in #11652
@smolse made their first contribution in #11401
@incogbyte made their first contribution in #11676
@asteria121 made their first contribution in #11525

Full Changelog: v10.1.3...v10.1.5

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSP Bypass Templates - Nuclei Templates v10.1.5 🎉

🔥 Release Highlights 🔥

Other Highlights

What's Changed

New Templates Added: `281` | CVEs Added: `23` | First-time contributions: `4`

New Contributors

Contributors

CSP Bypass Templates - Nuclei Templates v10.1.5 🎉

🔥 Release Highlights 🔥

Other Highlights

What's Changed

New Templates Added: 281 | CVEs Added: 23 | First-time contributions: 4

New Contributors

Contributors

New Templates Added: `281` | CVEs Added: `23` | First-time contributions: `4`