adampielak/nuclei-templates
GitHub: adampielak/nuclei-templates
# nuclei-templates
## Layout
Templates are split by engine and version so users do not get compatibility
warnings from nuclei when loading the wrong dialect:
```
nuclei-v3/   # nuclei v3+ templates (top-level: http, code, javascript, flow, dns, ...)
nuclei-v2/   # legacy nuclei v2 templates (top-level: requests). Loadable by nuclei v3
             # but emits deprecation warnings.
xray/        # xray-poc dialect (top-level: rules). NOT compatible with nuclei.
```
Each tree is sharded by leading character of the filename (`A/`, `B/`, ..., `0/`, `1/`, `misc/`)
to keep directory sizes manageable.
## Usage
```bash
# Run only modern nuclei templates against a target
nuclei -t nuclei-v3/ -u https://target

# Include legacy v2 as well
nuclei -t nuclei-v3/ -t nuclei-v2/ -u https://target

# xray templates must be loaded by xray, not nuclei
xray webscan --plugins phantasm --poc 'xray/**/*.yaml' --url https://target
```
## Caveats
- A subset of templates (≈13.5k under `nuclei-v2/`) reference a hardcoded
wordlist path `/home/mahmoud/Wordlist/AllSubdomains.txt` for subdomain
fuzzing. Replace with your own wordlist before running, or skip them.
- OOB callback URLs have been rewritten to nuclei's built-in
`{{interactsh-url}}` placeholder so payloads do not leak data to
third-party collaborator instances.
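
One way to act on the wordlist caveat, as an added example that is not part of this repository: a small POSIX shell helper that lists the templates referencing the hardcoded path (to skip them) or rewrites the path to a wordlist you supply. The function names and the `list`/`rewrite` subcommands are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the repository): handle the hardcoded wordlist caveat.
HARDCODED='/home/mahmoud/Wordlist/AllSubdomains.txt'   # path quoted in the README

# list_hardcoded ROOT: print each template under ROOT that references the path.
list_hardcoded() {
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) \
        -exec grep -lF -- "$HARDCODED" {} + 2>/dev/null | sort
}

# rewrite_wordlist ROOT WORDLIST: point those templates at WORDLIST instead.
# Prints the number of files changed; fails if WORDLIST is not readable.
rewrite_wordlist() {
    rw_root=$1; rw_new=$2
    [ -r "$rw_new" ] || { echo "wordlist not readable: $rw_new" >&2; return 1; }
    # Escape regex dots in the old path and sed metacharacters in the new one.
    rw_old_re=$(printf '%s' "$HARDCODED" | sed 's/\./\\./g')
    rw_new_esc=$(printf '%s' "$rw_new" | sed 's/[\\&|]/\\&/g')
    rw_list=$(mktemp) || return 1
    list_hardcoded "$rw_root" > "$rw_list"
    while IFS= read -r rw_f; do
        # Write through a temp copy so a failed sed never truncates a template.
        sed "s|$rw_old_re|$rw_new_esc|g" "$rw_f" > "$rw_f.tmp" &&
            cat "$rw_f.tmp" > "$rw_f" && rm -f "$rw_f.tmp"
    done < "$rw_list"
    rw_count=$(wc -l < "$rw_list" | tr -d ' ')
    rm -f "$rw_list"
    echo "$rw_count"
}

# CLI: "list ROOT" to build a skip list, "rewrite ROOT WORDLIST" to patch in place.
case "${1:-}" in
    list)    list_hardcoded "$2" ;;
    rewrite) rewrite_wordlist "$2" "$3" ;;
esac
```

The output of `list` is one template path per line, which can be saved to a file and passed to nuclei's `-exclude-templates` option to skip those templates instead of rewriting them.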
## Don't be evil
These templates are for **authorized** security testing only — your own
infrastructure, scope explicitly granted by the asset owner, CTFs, or bug
bounty programs where you are within scope. Running them against systems you
do not own or have permission to test is illegal in most jurisdictions and
unkind everywhere. Respect rate limits. Respect humans on the other end.
## Sync
This mirror is regenerated automatically.