Nuclei Templates Added for Ghost CMS SQLi and n8n Form Node RCE
ProjectDiscovery's public nuclei-templates repository received new detection content for two newly tracked web application flaws: CVE-2026-26980 in Ghost CMS and CVE-2026-27493 in n8n. One pull request adds a template for a Ghost CMS SQL injection issue, with the contributor reporting validation against both vulnerable and patched targets to improve detection accuracy and reduce false positives. A second pull request adds coverage for a critical unauthenticated expression injection flaw in n8n Form nodes that can lead to remote code execution.
The n8n issue affects versions earlier than 2.10.1, 2.9.3, and 1.123.22, and the proposed template targets the /form/contact-us endpoint. The submission says attacker-controlled expressions in form fields are double-evaluated by the server, allowing arbitrary shell command execution; the detection logic verifies exploitation by looking for Linux uid/gid output after running a command in a controlled test. Both submissions were reported as validated on vulnerable and patched hosts and entered the standard GitHub review workflow, signaling rapidly emerging scanner coverage for high-impact Ghost CMS and n8n exposures.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Nuclei template published for n8n expression injection CVE-2026-27493
A new pull request proposed a Nuclei template for CVE-2026-27493, a critical unauthenticated expression injection flaw in n8n Form nodes that can lead to remote code execution via double evaluation of attacker-supplied expressions. The submission identified affected versions earlier than 2.10.1, 2.9.3, and 1.123.22, and said the template was validated on vulnerable and patched hosts.
Nuclei template submitted for Ghost CMS SQL injection CVE-2026-26980
A pull request was opened in the ProjectDiscovery nuclei-templates repository to add detection for CVE-2026-26980, described as a Ghost CMS SQL injection vulnerability. The contributor said the template was validated against both vulnerable and patched targets to confirm accurate detection.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Create CVE-2026-27493 by omkar7505 · Pull Request #15783 · projectdiscovery/nuclei-templates · GitHub
github.com
Open sourceAdd CVE-2026-26980 for Ghost CMS SQL Injection by domwhewell-sage · Pull Request #15727 · projectdiscovery/nuclei-templates · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Nuclei Templates Added for WordPress SSTI and Nginx UI Access Control Flaws
ProjectDiscovery contributors opened and advanced Nuclei template pull requests for two newly tracked vulnerabilities: **`CVE-2026-4257`**, a **server-side template injection** issue in the **WordPress Contact Form by Supsystic** plugin, and **`CVE-2026-33032`**, a **broken access control** flaw in **Nginx UI**. The GitHub activity shows template development intended to support detection of both issues, with one pull request referencing a new `CVE-2026-4257.yaml` file and another marked ready to merge for the Nginx UI vulnerability. The available records are limited to repository metadata and do not include technical write-ups, affected version ranges, exploitation details, or vendor remediation guidance. Even so, the publication of detection content for these CVEs indicates that security researchers are operationalizing checks for exposed systems, and defenders using Nuclei should watch for template releases covering both the WordPress plugin SSTI and the Nginx UI authorization weakness.
Apr 16, 2026
ProjectDiscovery Adds Nuclei Checks for WordPress, Synway, and XSS Flaws
ProjectDiscovery's `nuclei-templates` repository received several pull requests adding or refining detection logic for newly disclosed web vulnerabilities. Proposed templates covered **CVE-2026-0561** for cross-site scripting, **CVE-2025-69411** for a high-severity path traversal/local file read in the WordPress plugin `ioncube-tester-plus`, **CVE-2026-1405** for a critical SSRF issue in a WordPress REST API endpoint, and an unauthenticated remote command execution flaw in **Synway SMG Gateway** via `9-2radius.php`. The submissions generally reported validation against vulnerable and patched targets to reduce false positives, with several marked ready for merge pending maintainer review. The WordPress `ioncube-tester-plus` template demonstrated file disclosure through `loader-wizard.php` by abusing the `ininame` parameter to retrieve `/etc/passwd`, while the `slider-future` WordPress template showed SSRF by sending an external `image_url` to `/wp-json/slider-future/v1/upload-image/` and confirming outbound DNS interaction through OAST. The Synway SMG Gateway submission described command injection through the `radius_address` parameter reaching a `system()` call, but automated review flagged template quality problems including weak matching logic and missing metadata. Separately, a fix was proposed for the **CVE-2025-71243** template after reports of frequent false positives, replacing reflection-based checks with `md5`-based proof of code execution to improve accuracy.
Apr 15, 2026
Nuclei Templates Added for CWP Control Web Panel and Letta AI RCE Flaws
ProjectDiscovery's `nuclei-templates` repository added detection content for two remote code execution vulnerabilities: **CVE-2025-48703** affecting **CWP Control Web Panel** and **CVE-2025-51482** affecting **Letta AI**. One pull request identifies the CWP issue as an RCE flaw, while a second names an RCE path in Letta AI via the `/v1/tools/run` endpoint. The references indicate public detection coverage is being created for both issues, which can increase defender visibility as well as attacker awareness. The available material does not include affected versions, exploitation evidence, patch guidance, or victim impact, but it does confirm that both vulnerabilities were significant enough to warrant dedicated `nuclei` checks for internet-exposed systems.
Apr 4, 2026