CyberCheatsheets

Nuclei Cheat Sheet

Template-based fast scanner for CVEs, misconfigs, and exposures across HTTP, DNS, and more.

Category: Scanning & Enumeration | Tags: automation, projectdiscovery, templates, vulnerability-scan | Updated 2026-06-02

Overview

Nuclei runs YAML templates against URLs, IPs, and other inputs to detect known vulnerabilities, misconfigurations, and security exposures. It scales well after asset discovery (httpx, subfinder) and integrates into CI and bug bounty pipelines.

Authorized testing only. Templates can be intrusive (RCE checks, fuzzing). Use tagged subsets, rate limits, and scope files on production.

Install

go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nuclei -update-templates
nuclei -version

Essential commands

Single URL, default templates

nuclei -u https://target.example.com

List of targets

nuclei -l urls.txt

Severity filter

nuclei -l urls.txt -severity critical,high

Specific tags

nuclei -l urls.txt -tags cve,exposure

Common workflows

Post-httpx scanning:

httpx -l subs.txt -silent -o live.txt
nuclei -l live.txt -severity medium,high,critical -o nuclei_findings.txt

Targeted CVE / technology:

nuclei -u https://target.example.com -tags apache -severity high,critical
nuclei -l urls.txt -t cves/2024/

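Rate limit and resume:

# -resume takes the path of the resume file nuclei writes when a scan is interrupted (placeholder path below)
nuclei -l urls.txt -rl 50 -c 25 -resume ./resume-file.cfg -o results.txt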

Headless / workflows (when configured):

nuclei -u https://target.example.com -headless -tags headless

Custom template:

nuclei -u https://target.example.com -t ./custom-template.yaml

Flags reference

-u                  Single target URL
-l                  Target list file
-t                  Template path or directory
-tags               Run templates with tags
-severity           info, low, medium, high, critical
-o                  Output file
-jsonl              JSON lines export
-c                  Concurrency
-rl                 Rate limit (req/s)
-H                  Custom header
-header             Header from file
-proxy              HTTP/SOCKS proxy
-silent             Findings only
-stats              Show scan statistics
-update-templates   Update template repo

Tips

  • Run nuclei -update-templates regularly; template quality varies—validate critical hits manually.
  • Start with -severity high,critical on large lists, then widen.
  • Use -tags to avoid destructive checks until approved (rce, dos, etc.).
  • Store outputs as JSONL for jq filtering and report automation.
  • Respect -rl on shared infrastructure and WAF-fronted sites.
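
For the tips on storing JSONL and validating critical hits manually, here is an added example (not part of the original cheat sheet or of the nuclei project) that turns -jsonl output into a deduplicated manual-validation queue. The sample lines are constructed; the field names template-id, info.severity, host and matched-at are the ones nuclei writes to JSONL, and the function names are hypothetical.

```python
import json

# Severity names as nuclei reports them, most severe first.
SEVERITIES = ["critical", "high", "medium", "low", "info", "unknown"]

# Constructed sample in the shape of `nuclei -jsonl` output (not real scan data).
# It contains a duplicate hit, a low-severity hit and a truncated final line.
SAMPLE_JSONL = "\n".join([
    '{"template-id":"demo-exposed-config","info":{"name":"Demo exposed config","severity":"high"},"host":"https://a.example.com","matched-at":"https://a.example.com/config.json"}',
    '{"template-id":"demo-exposed-config","info":{"name":"Demo exposed config","severity":"high"},"host":"https://a.example.com","matched-at":"https://a.example.com/config.json"}',
    '{"template-id":"demo-cve-check","info":{"name":"Demo CVE check","severity":"critical"},"host":"https://b.example.com","matched-at":"https://b.example.com/api"}',
    '{"template-id":"demo-missing-header","info":{"name":"Demo missing header","severity":"low"},"host":"https://a.example.com","matched-at":"https://a.example.com/"}',
    '{"template-id":"demo-trunc","info":{"name":"Dem',
])


def parse_findings(text):
    """Yield one dict per well-formed finding; skip blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. the last line of an interrupted scan
        if isinstance(record, dict) and "template-id" in record:
            yield record


def triage(text, min_severity="medium"):
    """Return deduplicated (severity, template-id, location) tuples at or
    above min_severity, most severe first, as a manual-validation queue."""
    cutoff = SEVERITIES.index(min_severity)
    queue = set()
    for record in parse_findings(text):
        info = record.get("info") or {}
        severity = str(info.get("severity", "unknown")).lower()
        rank = SEVERITIES.index(severity) if severity in SEVERITIES else len(SEVERITIES) - 1
        if rank > cutoff:
            continue
        location = record.get("matched-at") or record.get("host", "")
        queue.add((rank, record["template-id"], location))
    return [(SEVERITIES[r], tid, loc) for r, tid, loc in sorted(queue)]


if __name__ == "__main__":
    for severity, template_id, location in triage(SAMPLE_JSONL):
        print(f"[{severity}] {template_id} {location}")
```

To use it on a real scan, pass the contents of the file written with -jsonl -o to triage() instead of SAMPLE_JSONL.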
