v3.8.0

What's Changed

Security Fixes

• JS: Respect allow-local-file-access in require by @dwisiswant0 (#7332)
  • GHSA-29rg-wmcw-hpf4
• Expressions: Only evaluate template-authored expressions by @dwisiswant0 (#7221)(#7321)
  • GHSA-jm34-66cf-qpvr

Bug Fixes

• HTTP: Respect annotations in unsafe mode by @dwisiswant0 (#7044)
• HTTP: Isolate project cache keys by scheme & host by @dwisiswant0 (#7043)
• Expressions: Propagate unresolved variable markers through encoding functions by @dogancanbakir (#7033)
• SDK: Respect WithOptions rate limit by @dwisiswant0 (#7342)
• Fuzz: Prevent path mutation across sequential Rebuild calls by @promisingcoder (#7253)
• Fuzz: Use actual parameter for frequency deduplication by @Godzilla675 (#7037)
• Fuzz: Fix concurrent map writes in multipart form parsing by @Mzack9999 (#7291)
• Fuzz: Propagate custom headers to time_delay analyzer follow-up requests by @usernametooshort (#7125)
• JS: Fix watchdog and propagate context to all JS library network calls by @Mzack9999 (#7299)
• JS: Interrupt goja runtime on context cancel by @mikhail5555 (#7343)
• WebSocket: Fix path handling when merging template & target URLs by @Mzack9999 (#7290)
• Runner: Stop spawning template goroutines in host-spray when host is unresponsive by @usernametooshort (#7129)
• Input: Optimize removeTargets to prevent hang on large exclusions by @JawsKim (#6760)
• Installer: Prevent unnecessary update checks by @dahezhiquan (#7337)
• Utils: Normalize unbracketed IPv6 literals for probing by @dwisiswant0 (#7045)
• Client pool: Replace global variable with local scoping by @mikhail5555 (#7294)
• Fix InFlight map race condition via Snapshot method by @n3integration (#7026)
• Fix race condition in Dynamic.Fetch and always prefetch secrets by @hussain-alsaibai (#6976)
• Fix nil interface set in createEphemeralObjects to prevent panic by @maxwolf8852 (#6944)
• Fix DAST skipping URLs with part: request and mode: multiple by @dogancanbakir (#7326)
• Fix headless JS loading with -tlsi and addheader/setheader by @dogancanbakir (#7325)
• Fix flow execution with auth by @Mzack9999 (#7298)
• Fix redirect handling by @Mzack9999 (#7286)
• Fix Elastic export by @Mzack9999 (#7287)
• Use crypto/rand instead of math/rand in JS global functions by @sandiyochristan (#7215)

New Features

• Fuzz: Add XSS reflection context analyzer by @ZachL111 (#7164)
• Reporting: Add PDF export option for scan results by @Gengyscan (#7254)
• Network templates: Support service names in port field by @dogancanbakir (#7303)
• Add honeypot detection to reduce scan noise by @HarshadaGawas05 (#7277)
• Add inline targets and secrets to template profiles by @SaurabhCodesAI (#6858)

Performance & Improvements

• Runner: Fast path for tag listing by @dwisiswant0 (#7143)
• Runner: Use Print instead for listAvailableStoreTags by @dwisiswant0 (#7145)
• Resume state: Refactored as cache data by @dwisiswant0 (#7042)
• Capture stderr output by @Mzack9999 (#7292)

Tests & CI

• Add fuzz tests by @dwisiswant0 (#7311)
• Add request condition tests for multi-raw-request flow templates by @Mzack9999 (#7300)
• Refactor native tests by @dwisiswant0 (#7307)
• Add GITHUB_TOKEN to workflows for authenticated template updates by @dwisiswant0 (#7119)
• Integrate typos spell checker into CI by @telewin95 (#7158)

Documentation

• Update outdated documentation links across all translations by @Pitrat-wav (#7020)

New Contributors

• @usernametooshort made their first contribution in #7129
• @Pitrat-wav made their first contribution in #7020
• @n3integration made their first contribution in #7026
• @JawsKim made their first contribution in #6760
• @sandiyochristan made their first contribution in #7215
• @telewin95 made their first contribution in #7158
• @Gengyscan made their first contribution in #7254
• @hussain-alsaibai made their first contribution in #6976
• @promisingcoder made their first contribution in #7253
• @Godzilla675 made their first contribution in #7037
• @SaurabhCodesAI made their first contribution in #6858
• @ZachL111 made their first contribution in #7164
• @HarshadaGawas05 made their first contribution in #7277
• @mikelolasagasti made their first contribution in #7282
• @maxwolf8852 made their first contribution in #6944
• @mikhail5555 made their first contribution in #7294
• @dahezhiquan made their first contribution in #7337

Full Changelog: v3.7.1...v3.8.0

v3.7.1

What's Changed

🐞 Bug Fixes

• Fixed panic by replacing it with error handling in template loader (#6674) by @umer12-12 in #7090
• Fixed cluster failure handling by @bf-rbrown in #6843
• Fixed by avoiding cross-test chrome teardown races in headless by @dwisiswant0 in #7053
• Fixed data race in evaluateVarsWithInteractsh by @yusei-wy in #6828
• Fixed panic by replacing it with error handling in template loader by @bimakw in #6825

Other Changes

• Added memogen workflow by @dwisiswant0 in #6736
• Removed double parsing in template loading by @dwisiswant0 in #6796
• Bumped github.com/bytedance/sonic to 1.15.0 for Go 1.26 support by @stefanb in #6841
• Improved API by exposing cluster ids mapping to template ids by @yaron12n in #6788

New Contributors

• @yusei-wy made their first contribution in #6828
• @yaron12n made their first contribution in #6788
• @bimakw made their first contribution in #6825
• @umer12-12 made their first contribution in #7090

Full Changelog: v3.7.0...v3.7.1

v3.7.0

What's Changed

🎉 New Features

• Added cdp-endpoint option to allow users to specify a WebSocket endpoint for control in headless mode by @dwisiswant0 in #5786
• Added RSYNC module by @Mzack9999 in #6410

🐞 Bug Fixes

• Fixed resume file path condition by @dogancanbakir in #6784
• Fixed race condition regression by @dwisiswant0 in #6748
• Fixed duplicate log spam for permanent errors by @dwisiswant0 in #6697
• Fixed ExecutionId initialization in DefaultOptions function by @dogancanbakir in #6598
• Fixed handling full URLs in unsafe raw requests by @dwisiswant0 in #6589
• Fixed segfault in workflow parsing with global-matchers templates by @dwisiswant0 in #6774
• Fixed logging update summary table to stderr by @ayuxsec in #6769
• Fixed sanitizing host when target has host port by @knakul853 in #6759
• Fixed interactsh matching with payloads by @dwisiswant0 in #6778
• Fixed passing template variables to TCP inputs pre-compilation by @dogancanbakir in #6776

Other Changes

• Replaced seh-msft/burpxml with utils package by @dogancanbakir in #6763
• Removed genproto replace directives from go.mod by @ehsandeep in #6608
• Improved telnet login and added crypto by @Mzack9999 in #6419
• Added Turkish README and enhanced CONTRIBUTING.md by @bahattinyunus in #6740
• Refactored WithNetworkConfig and WithInteractshOptions to be used by NewThreadSafeNucleiEngineCtx by @meme-lord in #5972
• Improved cache template signature verification performance by @dwisiswant0 in #6779

New Contributors

• @bahattinyunus made their first contribution in #6740
• @promalert made their first contribution in #6756
• @ayuxsec made their first contribution in #6769

Full Changelog: v3.6.2...v3.7.0

v3.6.2

What's Changed

✨ New Features

• Enabled TLS session caching in the client pool to improve connection reuse and reduce handshake overhead (internal) by @dwisiswant0 in #6713
• Added support for providing a custom Jira server URL (site-url) when using OAuth authentication by @Ice3man543 in #6716

🐞 Bug Fixes

• Improved duplicate issue detection by properly paginating Gitea issue searches by @leonjza in #6707
• Restored JavaScript template execution when the Port argument is not provided by @dwisiswant0 in #6709
• Added pagination support when searching for duplicate issues in GitLab by @dwisiswant0 in #6712
• Corrected an incorrect PostgreSQL execution call signature in the JavaScript engine by @Mzack9999 in #6731
• Fixed a MySQL panic caused by a missing executionId in the execution context by @dwisiswant0 in #6735
• Fixed a segmentation fault in flow execution related to hasMatchers by @dwisiswant0 in #6739

⚡ Performance Improvements

• Optimized the MergeMaps generator to reduce memory allocations by @dwisiswant0 in #6718

🔧 Maintenance

• Updated projectdiscovery/utils to v0.8.0 to fix a deadlock in httputil.ResponseChain by @dwisiswant0 in #6723
• Introduced a PowerShell integration test to improve cross-platform test coverage by @Mzack9999 in #6724
• Updated multiple Go module dependencies across two dependency refreshes by @dependabot[bot] in #6729 & #6741

Other Changes

• Updated issue and pull request templates by @dwisiswant0 in #6673
• Refactored CI workflows by @dwisiswant0 in #6728, this includes:
  • Shipping binaries with Green Tea GC enabled via GOEXPERIMENT
  • Shipping binaries built with profile-guided optimization (PGO)
  • Fixing an auto-merge workflow that never triggered
• Switched release tests to use a stable Go version by @dwisiswant0 in #6737
• Upgraded actions/download-artifact from v6 to v7 in GitHub workflows by @dependabot[bot] in #6742
• Updated compatibility checks to use a stable Go version by @dwisiswant0 in #6743

Full Changelog: v3.6.1...v3.6.2

v3.6.1

What’s Changed

🐞 Bug Fixes

• fix(config): template exclusion logic for paths with reserved names by @dwisiswant0 in #6663
• fix(http): lost request body on retries & redirects by @dwisiswant0 in #6666
• fix(http): pass dynamicValues to EvaluateWithInteractsh by @dwisiswant0 in #6685
• fix(lib): segfault when initializing the engine with EnableHeadlessWithOpts by @dwisiswant0 in #6602
• build: fix compilation on loong64 architecture by @dwisiswant0 in #6667
• fix: enable all template types for template list and display by @dwisiswant0 in #6668
• fix(http): cache response strings to reduce memory allocations by @dwisiswant0 in #6679
• fix: body loss on retries/redirects in remaining paths by @dwisiswant0 in #6693
• fix(headless): data race when reading page history by @dwisiswant0 in #6687
• fix(update): handle empty folder edge case during template updates by @Mzack9999 in #6573

🔨 Maintenance

• chore: run goimports to format the codebase by @stringscut in #6691
• chore(deps): bump fastdialer to v0.4.20 to fix >10s delays by @dwisiswant0 in #6688
• chore(deps): bump Go modules (10 updates) by @dependabot[bot] in #6675
• chore(deps): bump Go modules (7 updates) by @dependabot[bot] in #6698
• chore(deps): bump GitHub workflows (2 updates) by @dependabot[bot] in #6699

📚 Documentation

• docs: fix typos in multiple files by @didier-durand in #6653
• docs: fix additional typos across various files by @didier-durand in #6661
• docs: typos and minor improvements by @AaryanBansal-dev in #6669

New Contributors

• @didier-durand made their first contribution in #6653
• @AaryanBansal-dev made their first contribution in #6669
• @stringscut made their first contribution in #6691

Full Changelog: v3.6.0...v3.6.1

v3.6.0

What's Changed

✨ New Features

• Write resume file specified by flag by @circleous (#6616)
• Javascript Multi-Port Support by @pussycat0x (#6501)
• Direct fuzzing using target URL for OpenAPI/Swagger by @roiswd (#6542)
• Bump DSL with .NET deserialization helpers by @Ice3man543 (#6625)
• Implement persistent metadata cache in loader by @dwisiswant0 (#6630)
• Check for undefined params for lazy evaluation in variables by @dwisiswant0 (#6618)

🐛 Fixed

• Configure tmpDir for SDK by @AuditeMarlow (#6596)
• Skip DNS lookups on Interactsh domains by @dwisiswant0 (#6614)
• Restore parallel processing in file protocol by @dwisiswant0 (#6493)

⚙️ Changed / Improvements

• Enable BenchmarkRunEnumeration/Default benchmark by @dwisiswant0 (#6603)
• Cache Go-rod browser in CI by @dwisiswant0 (#6640)
• Apply free-disk-space check on tests by @dwisiswant0 (#6642)
• Disable stale workflow for enhancements by @dogancanbakir (#6637)
• Omit unnecessary reassignment by @ledigang (#6622)

🧹 Maintenance / Dependencies

• Bump the modules group with 6 updates by @dependabot[bot] (#6615)
• Bump actions/checkout from 5 to 6 in workflows by @dependabot[bot] (#6628)
• Bump PD modules & update httputil calls by @dependabot[bot] (#6629)
• Bump the modules group with 11 updates by @dependabot[bot] (#6646)
• Bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @dependabot[bot] (#6621)
• Bump github.com/projectdiscovery/fastdialer@v0.4.16 by @dwisiswant0 (#6624)

🌱 New Contributors

• @AuditeMarlow (#6596)
• @roiswd (#6542)
• @ledigang (#6622)

Full Changelog: v3.5.1 → v3.6.0

v3.5.1

What's Changed

• Remove genproto replace directives from go.mod by @ehsandeep in #6608

Full Changelog: v3.5.0...v3.5.1

v3.5.0

What's Changed

🎉 New Features

• Adding json + xpath headless extractors by @Mzack9999 in #6559
• Adding VNC auth by @Mzack9999 in #6413
• Feat(templating): add vars templating into yaml inputs (ytt) by @alban-stourbe-wmx in #6261
• Feat: added new text/template syntax to jira custom fields by @Ice3man543 in #6464
• Feat(fuzz): enhance MultiPartForm with metadata APIs by @dwisiswant0 in #6486
• Feat: http(s) probing optimization by @matejsmycka in #6511
• Add option to control number of concurrent templates loaded on startup by @mielverkerken in #6373
• CheckRDPEncryption function by @pussycat0x in #6204
• SSH keyboard-interactive by @chovanecadam in #6508
• Feat(templates): add file metadata fields to parsedTemplate by @dwisiswant0 in #6534
• Add env variable for nuclei templates dir by @dogancanbakir in #6588
• Adding support for execution in docker by @Mzack9999 in #6549

🐞 Bug Fixes

• Clean up pools after 24hours inactivity by @Mzack9999 in #6545
• Using clone options for auth store by @Mzack9999 in #6572
• Path-based fuzzing SQL fix by @tarunKoyalwar in #6400
• Fix(fuzz): handles duplicate multipart form field names by @dwisiswant0 in #6404
• Don't load templates with the same ID by @dogancanbakir in #6465
• Remove the stack trace when the nuclei-ignore file does not exist by @nu11zy in #6455
• Fix: update go jira deps by @knakul853 in #6475
• Jira: hotfix for Cloud to use /rest/api/3/search/jql by @knakul853 in #6489
• Fix: improve cleanup in parallel execution by @knakul853 in #6490
• Fix headless template loading logic when -dast option is enabled by @dogancanbakir in #6495
• Fix: suppress warn code flag not found & excludes known misc dir by @dwisiswant0 in #6500
• Fix(variable): global variable not same between two request in flow mode by @iuliu8899 in #6395
• Log failed expr compilations by @dogancanbakir in #6528
• Fixing failing integration tests by @Mzack9999 in #6544
• Fix: populate req_url_pattern before event creation by @Ice3man543 in #6547
• Fix(headless): fixed memory leak issue during page initialization by @Deamhan in #6569
• Fix(templates): mem leaks in parser cache by @dwisiswant0 in #6584
• Fix(http): resolve timeout config issues by @dwisiswant0 in #6562
• Fix(charts): fixed out of bounds read by @Deamhan in #6607
• Feat 6231 deadlock by @Mzack9999 in #6469

⚡ Performance Improvements

• Perf(loader): reuse cached parsed templates by @dwisiswant0 in #6504
• Http probing optimizations high ports by @matejsmycka in #6538
• Cache, goroutine and unbounded workers management by @knakul853 in #6420
• Centralizing ratelimiter logic by @Mzack9999 in #6472

🔧 Refactoring

• Refactor to use reflect.TypeFor by @cuiweixie in #6428
• Refactored header-based auth scans not to normalize the header names by @halcyondream in #6479
• Refactor(disk): templates catalog by @dwisiswant0 in #5914

📦 Other Changes

• Test(reporting/exporters/mongo): add mongo integration test with test… by @loresuso in #6237
• Bump httpx version by @dogancanbakir in #6425
• Reporting validation by @mkrs2404 in #6456
• Code from #6427 by @Mzack9999 in #6471
• No changes message for github custom template update to INF from ERR for better logging by @zy9ard3 in #6422
• Update Go version requirement in README by @DFwJZ in #6529
• Chore(typos): fix typos by @pstoeckle in #6521
• Chore: add typos check into tests CI by @dwisiswant0 in #6533
• Revert "chore: add typos check into tests CI" by @dwisiswant0 in #6535
• Chore: preserve issue report w/ issue form by @dwisiswant0 in #6531
• Update go version in logo by @DFwJZ in #6530
• Update -tl flag by @matejsmycka in #6536

New Contributors

• @loresuso made their first contribution in #6237
• @cuiweixie made their first contribution in #6428
• @mkrs2404 made their first contribution in #6456
• @nu11zy made their first contribution in #6455
• @zy9ard3 made their first contribution in #6422
• @halcyondream made their first contribution in #6479
• @matejsmycka made their first contribution in #6511
• @mielverkerken made their first contribution in #6373
• @DFwJZ made their first contribution in #6529
• @pstoeckle made their first contribution in #6521
• @Deamhan made their first contribution in #6569
• @chovanecadam made their first contribution in #6508

Full Changelog: v3.4.10...v3.5.0

v3.4.10

What's Changed

Other Changes

• fix: segfault in template caching logic by @dwisiswant0 in #6421

Full Changelog: v3.4.9...v3.4.10

v3.4.9

What's Changed

Other Changes

• feat: fixed output event for skipped hosts by @Ice3man543 in #6415

Full Changelog: v3.4.8...v3.4.9