ProjectDiscovery contributors opened and advanced Nuclei template pull requests for two newly tracked vulnerabilities: CVE-2026-4257, a server-side template injection issue in the WordPress Contact Form by Supsystic plugin, and CVE-2026-33032, a broken access control flaw in Nginx UI. The GitHub activity shows template development intended to support detection of both issues, with one pull request referencing a new CVE-2026-4257.yaml file and another marked ready to merge for the Nginx UI vulnerability.
The available records are limited to repository metadata and do not include technical write-ups, affected version ranges, exploitation details, or vendor remediation guidance. Even so, the publication of detection content for these CVEs indicates that security researchers are operationalizing checks for exposed systems, and defenders using Nuclei should watch for template releases covering both the WordPress plugin SSTI and the Nginx UI authorization weakness.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
A GitHub pull request for a nuclei template referencing CVE-2026-33032 was marked ready to merge, with contributor DhiyaneshGeek associated with the work. The visible metadata identifies the issue as broken access control in Nginx UI, without additional technical or remediation details.
A GitHub pull request for a nuclei template referencing CVE-2026-4257 was self-assigned by the contributor theamanrawat. The available content identifies the issue as a server-side template injection affecting the WordPress Contact Form by Supsystic plugin, but provides no further technical details.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
github.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.