
Nuclei Template Automation

Nuclei's power is not the scanner — it is the templates. Thousands of community-maintained YAML definitions encode how to detect specific CVEs, misconfigurations, and exposures, and new ones land every day. The difference between a noisy scan and a precise one comes down to which templates you run, at what severity, and how current they are. This guide covers the template ecosystem itself: severity tiers, CVE templates, writing custom templates, and automating template management.

PhantomRed Academy · Scanning Series · Updated June 2026

Why Manual Template Management Breaks

Running Nuclei is easy. Running it against the right templates, kept current, scoped to the relevant severities, is where most setups quietly fail. The template library is a living thing — and treating it as static causes three recurring problems.

Failure 01: Stale Templates
CVE templates are added daily. A library that has not been updated in weeks silently misses every newly disclosed vulnerability — the scan looks clean because it never checked.

Failure 02: Severity Noise
Running every template at every severity buries the critical findings under thousands of info-level matches. Without severity filtering, triage becomes the bottleneck.

Failure 03: No Custom Coverage
Community templates cover known issues. Stack-specific bugs and zero-days need custom templates — and most workflows never get around to writing or maintaining them.

Template automation addresses all three: the library stays continuously updated, severity and tag filters are applied per scan, and custom templates are versioned alongside the community set.

Understanding the Nuclei Template Ecosystem

A Nuclei template is a YAML file describing a request and the matchers that confirm a vulnerability. The community library organizes thousands of these by protocol and category, with severity metadata on each.

Severity Tiers

Every template declares a severity. Filtering by severity is the single most effective way to control signal-to-noise on a scan.

Critical: RCE, auth bypass, exposed admin with full control — drop everything and verify.
High: Serious exposures, injection, sensitive data leaks worth prompt attention.
Medium: Misconfigurations and weaknesses that matter in context or when chained.
Low: Minor issues and informational leaks with limited standalone impact.
Info: Fingerprinting and detection signals — useful context, not findings.

Template Categories & CVE Coverage

Templates are tagged by type — cve, misconfig, exposure, takeover, default-login, and more. CVE templates are the fastest-growing category; in current Nuclei versions they live inside the http/ directory organized by year, not in a separate top-level folder. Targeting them is a matter of the -tags cve flag or a path filter.

Example Template Automation Workflow

This workflow covers the template side: updating the library, running scoped scans by severity and tag, and authoring a custom template. (For chaining Nuclei into a full scan pipeline, see the execution-focused Nuclei automation workflows guide.)

bash Phase 1 — Keep the Library Current
# Update Nuclei engine and pull the latest templates
/opt/homebrew/bin/nuclei -update
/opt/homebrew/bin/nuclei -update-templates

# Verify template version and count
/opt/homebrew/bin/nuclei -templates-version

# Stale templates miss new CVEs — update before every campaign

bash Phase 2 — Scoped Scans by Severity & Tag
# CVE templates only, high and critical severity
/opt/homebrew/bin/nuclei \
  -list urls.txt \
  -tags cve \
  -severity high,critical \
  -o cve-findings.txt

# Misconfigurations and exposures, medium and up
/opt/homebrew/bin/nuclei \
  -list urls.txt \
  -tags misconfig,exposure \
  -severity medium,high,critical \
  -o misconfig-findings.txt

# Scoping by tag + severity keeps findings precise and triageable

yaml Phase 3 — Author a Custom Template
# custom-templates/exposed-config.yaml
id: exposed-app-config

info:
  name: Exposed Application Config File
  author: phantomred
  severity: high
  tags: exposure,config

http:
  - method: GET
    path:
      - "{{BaseURL}}/config.json"
    matchers:
      - type: word
        words:
          - "api_key"
          - "db_password"
        condition: or

bash Run the Custom Template
# Point Nuclei at your custom template directory
/opt/homebrew/bin/nuclei \
  -list urls.txt \
  -t custom-templates/ \
  -o custom-findings.txt

# Custom templates encode detection for your specific stack

Operational Note: Validate custom templates with -validate before running them at scale, and keep them in version control alongside scan configs. A malformed matcher can silently fail to match, producing false confidence. Only scan targets you are authorized to test.
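
The phases above only help if the update and the validation actually happen before each scan. As an added example (not code from PhantomRed or the Nuclei project), this wrapper refuses to scan until the library is fresh and the custom templates pass -validate. The stamp file, MAX_AGE_DAYS and the function names are assumptions of this example, and it relies on nuclei returning a non-zero exit status when an update or validation fails.

```bash
#!/usr/bin/env bash
# Added example: pre-scan gate (not PhantomRed or Nuclei project code).
# Assumptions: nuclei is on PATH and exits non-zero when -validate or an
# update fails; STAMP and MAX_AGE_DAYS are names chosen for this example.
STAMP="${STAMP:-$HOME/.cache/nuclei-templates.stamp}"  # epoch of last good update
MAX_AGE_DAYS="${MAX_AGE_DAYS:-1}"

# Print whole days since the recorded update; 99999 if missing or not a number.
templates_age_days() {
  local stamp="$1" now="${2:-$(date +%s)}" last
  last="$(cat "$stamp" 2>/dev/null)" || last=""
  case "$last" in
    ''|*[!0-9]*) echo 99999; return 0 ;;
  esac
  echo $(( (now - last) / 86400 ))
}

# Succeed (return 0) when the library is older than max_days.
templates_stale() {
  local stamp="$1" max_days="$2" now="${3:-}"
  [ "$(templates_age_days "$stamp" "$now")" -gt "$max_days" ]
}

# Refresh the library; record the time only when the update succeeded.
refresh_templates() {
  nuclei -update-templates || return 1
  mkdir -p "$(dirname "$STAMP")" && date +%s > "$STAMP"
}

# Gate, then run the Phase 2 CVE scan and the custom-template scan.
run_campaign() {
  local targets="$1" custom_dir="$2"
  if templates_stale "$STAMP" "$MAX_AGE_DAYS"; then
    refresh_templates || { echo "template update failed, not scanning" >&2; return 1; }
  fi
  nuclei -validate -t "$custom_dir" \
    || { echo "custom templates failed -validate, not scanning" >&2; return 2; }
  nuclei -list "$targets" -tags cve -severity high,critical -o cve-findings.txt
  nuclei -list "$targets" -t "$custom_dir" -o custom-findings.txt
}

# Usage: ./gate.sh urls.txt custom-templates/
if [ "$#" -ge 2 ]; then run_campaign "$1" "$2"; fi
```

A missing or unreadable stamp counts as stale, so a fresh machine always updates before its first scan.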

Template Control Flag Reference

These flags govern which templates run and how the library is maintained — the template side of Nuclei, distinct from scan execution tuning.

| Flag | Purpose | Notes |
| --- | --- | --- |
| -update-templates | Refresh library | Pulls the latest community templates; run before every campaign |
| -severity | Filter by tier | -severity high,critical — the primary noise-control lever |
| -tags | Filter by category | -tags cve,misconfig,exposure — select template types to run |
| -t | Specific templates | -t custom-templates/ — run a directory or single template file |
| -exclude-tags | Suppress categories | Drop noisy or irrelevant template types from a run |
| -validate | Lint templates | Confirms custom template syntax before scanning at scale |
| -templates-version | Check freshness | Reports installed template version — verify currency before a campaign |

How PhantomRed Automates Template Management

PhantomRed treats the template library as managed infrastructure. Every scan runs against a current template set, scoped to the right severities and tags for the target — no manual updates, no curating template lists by hand.

On the template side, the platform provides:

Template management is one half of Nuclei; execution is the other. See the Nuclei automation workflows guide for the pipeline side, or the full Nmap + Nuclei + FFUF tool chain.

Benefits of Automated Template Management
