| name | pentest-cve-scanner |
| description | Automated CVE and misconfiguration scanning using Nuclei — Project Discovery's template-based vulnerability scanner. Covers 10,000+ CVEs, misconfigurations, exposed panels, default credentials, and more. Combine with nmap for full coverage.
|
| userInvocable | true |
| requiresBinaries | ["nuclei","nmap"] |
| tags | ["pentest","cve","scanning","nuclei"] |
| triggers | ["CVE","vulnerability scan","nuclei","misconfiguration","CVE scan","vulnerability assessment","default credentials","exposed panel"] |
pentest-cve-scanner — Automated CVE & Misconfiguration Scanning
Overview
Nuclei is a template-based vulnerability scanner with 10,000+ templates covering:
- Known CVEs (by year and severity)
- Misconfigurations (cloud, web, network)
- Exposed admin panels / login pages
- Default credentials
- Sensitive file exposure
- SSL/TLS weaknesses
- DNS misconfigurations
Combined Workflow: Nmap → discover services → Nuclei → scan for CVEs + misconfigs → ranked findings.
Output directory: /root/kali-workspace/cve-scan/<target>/
TARGET="<ip_or_domain>"
mkdir -p /root/kali-workspace/cve-scan/$TARGET
Step 1 — Update Nuclei Templates
nuclei -update-templates
nuclei -version
nuclei -tl | wc -l
Step 2 — Tiered Scanning Strategy
Tier 1 — Fast Critical-Only Scan (2-5 min)
nuclei \
-u https://$TARGET \
-tags cve \
-severity critical,high \
-o /root/kali-workspace/cve-scan/$TARGET/critical-high.txt \
-stats \
-silent
echo "[*] Critical/High findings: $(grep -c '\[' /root/kali-workspace/cve-scan/$TARGET/critical-high.txt 2>/dev/null || echo 0)"
Tier 2 — Full CVE + Misconfig Scan (10-30 min)
nuclei \
-u https://$TARGET \
-tags cve,misconfig \
-severity critical,high,medium \
-rate-limit 100 \
-o /root/kali-workspace/cve-scan/$TARGET/full-scan.txt \
-stats
echo "[*] All findings:"
cat /root/kali-workspace/cve-scan/$TARGET/full-scan.txt
Tier 3 — Comprehensive Scan (1+ hour, covers everything)
nuclei \
-u https://$TARGET \
-tags cve,misconfig,exposure,default-logins,panel,takeover,network \
-rate-limit 50 \
-timeout 10 \
-o /root/kali-workspace/cve-scan/$TARGET/comprehensive.txt \
-stats \
-markdown-export /root/kali-workspace/cve-scan/$TARGET/report.md
Step 3 — Nmap + Nuclei Combined Workflow
nmap -sV -T4 -p 80,443,8080,8443,8888,9090,3000,5000,7070 \
-oX /root/kali-workspace/cve-scan/$TARGET/nmap.xml $TARGET
nuclei \
-target $TARGET \
-tags cve,misconfig \
-severity critical,high,medium \
-o /root/kali-workspace/cve-scan/$TARGET/nuclei-from-nmap.txt \
-stats
Scan Multiple Hosts from File
cat /root/kali-workspace/osint/$TARGET/live-subdomains.txt > /tmp/hosts.txt
nuclei \
-l /tmp/hosts.txt \
-tags cve,misconfig \
-severity critical,high \
-rate-limit 50 \
-bulk-size 25 \
-o /root/kali-workspace/cve-scan/$TARGET/bulk-scan.txt \
-stats
Step 4 — Targeted Scanning by Technology
Web Frameworks
nuclei -u http://$TARGET -tags wordpress -o /root/kali-workspace/cve-scan/$TARGET/wordpress.txt
nuclei -u http://$TARGET -tags apache,nginx,iis -severity critical,high
nuclei -u http://$TARGET -tags spring,log4j,java -severity critical,high
nuclei -u http://$TARGET -id CVE-2021-44228,CVE-2021-45046 -o /root/kali-workspace/cve-scan/$TARGET/log4j.txt
nuclei -u http://$TARGET -tags exchange -severity critical,high
nuclei -u http://$TARGET -tags confluence,jira -severity critical,high
Network Services
nuclei -u $TARGET -tags network,cisco,fortinet,palo-alto -severity critical,high
nuclei -u $TARGET -tags mongodb,redis,elasticsearch,cassandra
nuclei -u http://$TARGET -tags default-logins -severity high,medium
Specific CVE Checks
nuclei -u http://$TARGET -id CVE-2022-26134
nuclei -u http://$TARGET -id CVE-2022-22965
nuclei -u http://$TARGET -id CVE-2021-41773
nuclei -u http://$TARGET -id CVE-2020-14882
nuclei -u http://$TARGET -id CVE-2019-0708
nuclei -u http://$TARGET -tags cve -tags cve2023 -severity critical,high
Step 5 — Exposed Panel & Sensitive File Discovery
nuclei -u http://$TARGET -tags panel -o /root/kali-workspace/cve-scan/$TARGET/panels.txt
nuclei -u http://$TARGET -tags exposure,config -severity info,low,medium,high,critical \
-o /root/kali-workspace/cve-scan/$TARGET/exposures.txt
nuclei -u http://$TARGET -tags takeover -o /root/kali-workspace/cve-scan/$TARGET/takeover.txt
nuclei -u http://$TARGET -tags s3,aws,gcp,azure -o /root/kali-workspace/cve-scan/$TARGET/cloud.txt
Step 6 — Parse and Prioritize Findings
SCAN_FILE="/root/kali-workspace/cve-scan/$TARGET/full-scan.txt"
echo "=== Findings by Severity ==="
for sev in critical high medium low info; do
count=$(grep -ic "\[$sev\]" "$SCAN_FILE" 2>/dev/null || echo 0)
echo " $sev: $count"
done
echo "=== CRITICAL Findings ==="
grep -i "\[critical\]" "$SCAN_FILE"
echo "=== CVEs Triggered ==="
grep -oP 'CVE-\d{4}-\d+' "$SCAN_FILE" | sort -u
Nuclei Output Interpretation
| Field Pattern | Meaning |
|---|
[CVE-XXXX-XXXXX] | Specific CVE matched |
[critical] | CVSS 9.0–10.0 — exploit immediately |
[high] | CVSS 7.0–8.9 — exploit next |
[medium] | CVSS 4.0–6.9 — document, test manually |
[low] | CVSS 0.1–3.9 — note in report |
[info] | Technology fingerprint, exposed panel |
[misconfig] | Configuration weakness |
[exposure] | File/data unintentionally accessible |
[default-logins] | Default credentials accepted |
[takeover] | Subdomain/service takeover possible |
Post-Scan Next Steps
| Nuclei Finding | Follow-Up Action |
|---|
| CVE with RCE | searchsploit + msfconsole immediately |
| Default credentials | Login, enumerate access, escalate |
| SQL injection signature | sqlmap --batch --dbs --risk=3 --level=5 |
| Path traversal | Enumerate with ffuf, try /etc/passwd |
| Exposed .env / config | Grep for API_KEY, DB_PASS, SECRET |
| AWS keys exposed | Test with aws sts get-caller-identity |
| Admin panel found | Default creds + auth bypass testing |
| Subdomain takeover | Claim the dangling subdomain |
CVE Scan Report Template
# CVE Scan Report — <Target>
Date: <date>
Scanner: Nuclei v<version> with <count> templates
## Summary
| Severity | Count |
| -------- | ----- |
| Critical | <n> |
| High | <n> |
| Medium | <n> |
| Low | <n> |
| Info | <n> |
## Critical Findings
### CVE-XXXX-XXXXX — <Name>
- **Severity:** Critical (CVSS: <score>)
- **Location:** <URL/IP:port>
- **Evidence:** <nuclei output snippet>
- **Description:** <what the vulnerability is>
- **Impact:** Remote code execution / <impact>
- **Remediation:** Upgrade to <version> / apply patch
## Misconfigurations Found
1. <description> — <URL>
## Next Steps
1. Exploit CVE-XXXX-XXXXX via msfconsole module <name>
2. Test default credentials on exposed admin panel
3. Enumerate all databases via SQLi endpoint