Mining Exploit Intelligence to develop custom Nuclei templates for CVE, EUVD, CNNVD & BDU.

This article covers how mining intelligence linked to vulnerability identifiers like CVE, EUVD, CNNVD, and BDU can be helpful in developing custom Nuclei templates and extending its coverage, supporting the growing community of security teams, researchers, and ASM providers.

ProjectDiscovery's Nuclei is quickly becoming the go-to tool for automated vulnerability assessments, widely used by ASM vendors, VAPT service providers, crowdsourced security researchers and security teams around the world. Today, many rely on Nuclei. Its strong community has spent countless hours building reliable templates that help detect new vulnerabilities as they emerge. In this article, I’ll share a tactic to help the community expand Nuclei’s template coverage even further.

Vulnerability Prevalence and Exploit Maturity

Vulnerability Prevalence refers to how widespread or commonly found a vulnerability is across systems in the global community, while Exploit Maturity indicates the availability, reliability, and sophistication of the tools or code used to exploit that vulnerability.

When a vulnerability is both highly prevalent and has mature, readily available exploits, it poses a critical security risk due to the increased likelihood of attacks. For example, Log4Shell (CVE-2021-44228) was a critical vulnerability with very high prevalence, affecting millions of Java applications. Exploits became functional within hours of disclosure and were quickly weaponised, making it a severe and urgent security threat.

Daily Monitoring of Global Vulnerability Identifiers

Vulnerability and Exploit Data Aggregation System (VEDAS) provides accurate scoring of global vulnerabilities by analysing these two factors. These factors are derived from continuous monitoring of signals collected through an extensive network of public and proprietary intelligence sources.

VEDAS tracks over 150 global vulnerability identifiers, incorporating insights from malware telemetry, threat actor communications, underground forums, exploit repositories, and exploit kit activity.

These scores, particularly for CVE, EUVD, CNNVD & BDU, are regularly published for free on GitHub. Scores for all other global identifiers can be accessed directly in real time via the VEDAS Platform or the Exploit Observer API.

[Figure: VEDAS Score Distribution for CVE+EUVD+CNNVD+BDU]

Beyond the scores themselves, the daily changes they go through can effectively indicate how exploitable the identifiers are, and shifts in vulnerability prevalence and exploit maturity can be used to notify you.

Daily differences in the scores are pushed at:

CVE: https://raw.githubusercontent.com/ARPSyndicate/cve-scores/refs/heads/master/cve-scores-diff.csv
EUVD: https://raw.githubusercontent.com/ARPSyndicate/euvd-scores/refs/heads/main/euvd-scores-diff.csv
CNNVD: https://raw.githubusercontent.com/ARPSyndicate/cnnvd-scores/refs/heads/main/cnnvd-scores-diff.csv
BDU: https://raw.githubusercontent.com/ARPSyndicate/bdu-scores/refs/heads/main/bdu-scores-diff.csv

Hunting Nuclei-compatible exploits

Vulnerabilities with scores above 0.7 are generally well-known and actively exploited. Many of them already exist as Nuclei (YAML) or Metasploit (Ruby) signatures, conveniently accessible on GitHub, and are routinely fuzzed across the internet on an hourly basis. As a result, they tend to be highly prevalent and mature.

The primary focus, however, should shift toward vulnerabilities scoring between 0.3 and 0.7. These may be exploitable but often lack publicly available detection signatures in tools like Nuclei or Metasploit.

Moreover, only a small subset of these CVEs are actually exploitable over a network. To effectively narrow them down, basic analysis of their descriptions is needed, specifically searching for keywords like LFI, XXE, XSS, SSRF, and similar indicators of network exploitability. I found one such implementation on GitHub that attempts this approach.

GitHub - edoardottt/missing-cve-nuclei-templates: Weekly updated list of missing CVEs in nuclei templates official repository. Mainly built for bug bounty, but useful for penetration tests and vulnerability assessments too.

Correlating the identifiers from the above repository with VEDAS scores can help identify exploitable vulnerabilities that are suitable for Nuclei template creation but have not yet been covered.
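The triage described in this section, as an added Python example that is not code from VEDAS or from the repository above: it keeps identifiers scoring between 0.3 and 0.7, intersects them with a missing-template list, and retains only those whose description contains one of the keywords named in the article. The two-column "identifier,score" CSV layout, the identifiers and the descriptions are constructed assumptions, not the real feeds.

```python
import csv
import io
import re

# Constructed sample data (not real scores or CVEs). The two-column
# "identifier,score" layout is an assumption about the published CSV.
SCORES_CSV = """\
CVE-0000-0001,0.91
CVE-0000-0002,0.55
CVE-0000-0003,0.42
CVE-0000-0004,0.48
CVE-0000-0005,0.12
CVE-0000-0006,not-a-score
CVE-0000-0007,0.33
"""
# Constructed stand-in for the list of CVEs with no official Nuclei template.
MISSING = {"CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0005", "CVE-0000-0007"}
# Constructed descriptions, as they would come from a vulnerability feed.
DESCRIPTIONS = {
    "CVE-0000-0002": "SSRF in the webhook preview endpoint of ExampleApp.",
    "CVE-0000-0003": "Local privilege escalation via insecure file permissions.",
    "CVE-0000-0004": "Reflected XSS in the search parameter.",
    "CVE-0000-0005": "XXE in the XML import feature.",
    "CVE-0000-0007": "LFI and stored XSS in the report viewer.",
}
# Keywords named in the article; extend the tuple for similar indicators.
KEYWORDS = ("LFI", "XXE", "XSS", "SSRF")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)

def load_scores(text):
    """Parse identifier,score rows, skipping empty or malformed ones."""
    scores = {}
    for row in csv.reader(io.StringIO(text)):
        try:
            scores[row[0].strip().upper()] = float(row[1])
        except (IndexError, ValueError):
            continue
    return scores

def shortlist(scores, missing, descriptions, low=0.3, high=0.7):
    """Return (id, score, keywords) for mid-band, uncovered, keyword-matching CVEs."""
    out = []
    for cve, score in scores.items():
        if not (low <= score <= high) or cve not in missing:
            continue
        hits = sorted({m.upper() for m in KEYWORD_RE.findall(descriptions.get(cve, ""))})
        if hits:
            out.append((cve, score, hits))
    return sorted(out, key=lambda c: c[1], reverse=True)
```

Calling shortlist(load_scores(SCORES_CSV), MISSING, DESCRIPTIONS) returns the candidates ordered by score, highest first; each one still needs manual verification before a template is written.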

Hunting exploits for a specific technology

At times, specific teams are assigned to monitor particular technologies, such as Grafana, Bitrix, Ivanti, Yonyou or phpMyAdmin, for potential exploits. This can be accomplished by regularly querying resources like the Exploit Observer API or using the Puncia CLI:

Any identifiers prefixed with "VEDAS:" should be treated as potentially exploitable and must be manually verified for confirmation.

Conclusion

That said, it is important to recognise that no public vulnerability intelligence source offers complete coverage. Many network-exploitable vulnerabilities, such as CVE-2025-47188, remain delayed, poorly documented and lacking meaningful enrichment. Despite being actively exploited since May 2025, this vulnerability is still not covered by NVD, EPSS or proprietary vulnerability databases.

Nine out of ten "hyped" Exploit Intelligence startups, despite being trusted by global researchers and enterprises, focus solely on CVEs. Moreover, none can deliver complete coverage of exploits as they appear on GitHub; covering the entire Internet is simply an incomprehensible and unimaginable task for them.

This underscores the importance of taking a more proactive and independent approach to analysis. In these situations, intelligent & autonomous solutions like VEDAS can assist by leveraging public threat intelligence to add context and clarity around new vulnerabilities to the community.

If everyone is thinking alike, then somebody isn't thinking. - Gen. George Smith Patton