Mining 63,000+ Unmapped CVEs: How missing-cve-nuclei-templates Finds Bug Bounty Gold
Hook
While most bug bounty hunters compete over the same 3,000 Nuclei templates, 63,647 CVEs sit unmapped—representing vulnerabilities your competitors probably aren't checking for.
Context
Nuclei has become the de facto standard for automated vulnerability scanning in bug bounty and penetration testing. With its template-based approach, security researchers can test for thousands of known vulnerabilities in seconds. But here's the problem: ProjectDiscovery's official nuclei-templates repository, despite containing over 3,000 templates, covers only a fraction of published CVEs. When you're competing with thousands of other researchers hitting the same targets with the same templates, finding unique vulnerabilities becomes critical.
The missing-cve-nuclei-templates project by Edoardo Ottavianelli tackles this gap analysis problem head-on. Instead of manually comparing CVE databases against template repositories—a task that would take weeks and be outdated immediately—this automated system performs weekly differential analysis. It scrapes CVE data, compares it against existing Nuclei templates, and produces categorized lists of unmapped vulnerabilities. For bug bounty hunters, this represents a goldmine: CVEs that likely affect real targets but aren't being actively scanned by the majority of researchers. The 433 GitHub stars reflect its value to the security community as a research tool that turns publicly available data into actionable intelligence.
Technical Insight
The architecture is deliberately simple but effective. Built entirely in Shell scripts, the system orchestrates three main operations: CVE data ingestion from trickest/cve, template enumeration from nuclei-templates, and differential analysis through keyword matching. The brilliance lies not in complex algorithms but in automation cadence—weekly runs ensure the dataset reflects new CVE disclosures within days.
The core workflow starts with fetching the comprehensive CVE list from trickest's repository, which aggregates data from official CVE feeds. The script then scrapes nuclei-templates to build a list of already-covered CVEs by parsing template metadata. The differential analysis identifies gaps, then applies regex-based classification to categorize missing CVEs into 12 vulnerability types: XSS, RCE, SQLi, SSRF, LFI, RFI, Open Redirect, Prototype Pollution, Traversal, SSTI, XXE, and Redirects.
Here's a simplified version of how the classification logic works:
#!/bin/bash
# Categorize CVEs by vulnerability type using keyword matching
while IFS= read -r cve_line; do
  cve_id=$(echo "$cve_line" | cut -d',' -f1)
  description=$(echo "$cve_line" | cut -d',' -f2- | tr '[:upper:]' '[:lower:]')

  # Check for RCE indicators
  if echo "$description" | grep -qE "remote code execution|execute arbitrary code|command injection"; then
    echo "$cve_id" >> missing_rce.txt
  # Check for XSS indicators
  elif echo "$description" | grep -qE "cross-site scripting|xss|inject.*script"; then
    echo "$cve_id" >> missing_xss.txt
  # Check for SQLi indicators
  elif echo "$description" | grep -qE "sql injection|inject.*sql"; then
    echo "$cve_id" >> missing_sqli.txt
  # Additional patterns for other vulnerability types...
  fi
done < missing_cves.txt
The output structure is intentionally flat: text files organized by vulnerability type and year. This makes consumption trivial—security researchers can grep, pipe, or import these lists into their workflow tools without parsing complex formats. For example, missing_xss_2024.txt contains a simple newline-separated list of CVE identifiers that describe XSS vulnerabilities disclosed in 2024 without corresponding Nuclei templates.
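The gap analysis and the per-type, per-year bucketing described above, as an added example rather than the project's own scripts: the CVE feed and the template metadata lines are constructed inline (a real run would read the trickest/cve export and the nuclei-templates checkout), and unmatched descriptions are kept in an "other" bucket so nothing drops out silently.

```shell
#!/bin/sh
# Added example, not code from missing-cve-nuclei-templates.

# Constructed CVE feed: "id,description" per line, mimicking the trickest/cve export.
CVE_FEED='CVE-2024-0001,Reflected cross-site scripting in login page
CVE-2024-0002,Remote code execution via unsanitized deserialization
CVE-2023-0003,SQL injection in search parameter
CVE-2023-0004,Local privilege escalation in kernel driver'

# Constructed template metadata: the lines a grep over nuclei-templates would hit.
TEMPLATES='id: CVE-2024-0001
    cve-id: CVE-2024-0001
id: CVE-2023-0003
    cve-id: CVE-2023-0003'

# CVE ids that already have a template, normalised and deduplicated.
covered_cves() {
  printf '%s\n' "$TEMPLATES" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | tr 'a-z' 'A-Z' | sort -u
}

# Every CVE id present in the feed.
all_cves() {
  printf '%s\n' "$CVE_FEED" | cut -d',' -f1 | sort -u
}

# Set difference feed \ templates; comm needs sorted inputs, which both helpers give.
missing_cves() {
  a=$(mktemp); b=$(mktemp)
  all_cves > "$a"; covered_cves > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Print "<category> <year> <cve>" for each missing CVE; first keyword family wins.
classify_missing() {
  missing_cves | while IFS= read -r id; do
    desc=$(printf '%s\n' "$CVE_FEED" | grep "^$id," | cut -d',' -f2- | tr 'A-Z' 'a-z')
    year=${id#CVE-}; year=${year%%-*}
    case "$desc" in
      *"remote code execution"*|*"command injection"*) cat=rce ;;
      *"cross-site scripting"*|*xss*)                   cat=xss ;;
      *"sql injection"*)                                cat=sqli ;;
      *)                                                cat=other ;;
    esac
    printf '%s %s %s\n' "$cat" "$year" "$id"
  done
}

classify_missing
```

Piping the output through `awk '{print > "missing_" $1 "_" $2 ".txt"}'` reproduces the flat per-type, per-year files; the kernel CVE landing in "other" is exactly the kind of entry the Gotcha section says still needs human triage.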
The weekly automation runs via GitHub Actions (or similar CI), cloning both source repositories, running the differential analysis, and committing updated lists back to the repository. This "database as a git repository" approach provides version history, diff visibility, and zero infrastructure costs. Researchers can subscribe to repository notifications to get alerts when new unmapped CVEs appear in their specialization area.
One particularly clever aspect is the keyword-based classification system. While simple, it effectively triages tens of thousands of CVEs into actionable categories. A bug bounty hunter specializing in SSRF vulnerabilities can immediately jump to missing_ssrf.txt and start evaluating template development opportunities without wading through irrelevant CVEs. The system essentially performs automated reconnaissance on the reconnaissance tool ecosystem itself.
The data flow reveals an interesting meta-pattern: this is essentially dependency analysis applied to security intelligence. Just as tools track outdated npm packages, this tracks "outdated" vulnerability coverage in scanning tools. The 40% gap it reveals (63,647 missing out of ~160,000 total CVEs) quantifies how much of the vulnerability landscape remains unautomated, creating opportunities for researchers willing to do the manual template development work.
Gotcha
The primary limitation stems from the keyword-based classification approach. CVE descriptions are written by humans with varying levels of detail and consistency. A CVE might mention that a vulnerability "could potentially lead to remote code execution under certain conditions" and get categorized as RCE, when in reality it's a low-severity logic flaw that requires extensive preconditions. This creates false positives where you'll invest time researching CVEs that aren't practical for Nuclei template development.
More critically, the system can't determine exploitability context. Many CVEs in the missing lists affect client-side software, Android apps, Windows desktop applications, or require local access—scenarios where Nuclei templates aren't applicable. There's no filtering for remotely exploitable web vulnerabilities specifically, which is where Nuclei excels. You'll find CVE-2024-XXXXX for an Android kernel bug sitting next to a legitimate web application RCE, both flagged as "missing" even though only one is actually a missed opportunity. The tool provides raw intelligence, not validated leads, meaning you need domain expertise to separate signal from noise. Additionally, the 12 predefined vulnerability categories mean emerging attack classes (like recent Server-Side Template Injection variants or GraphQL-specific vulnerabilities) might be miscategorized or missed entirely if their CVE descriptions don't match established keyword patterns. This creates a bias toward well-documented, traditional vulnerability types.
Verdict
Use if: You're a bug bounty hunter or penetration tester looking for template development opportunities that give you a competitive advantage over researchers using only standard Nuclei templates. The categorized lists provide excellent starting points for identifying under-scanned vulnerabilities in your target technologies. This is particularly valuable if you specialize in specific vulnerability classes and want to expand coverage in your niche. Also use it if you're building custom scanning infrastructure and need to understand coverage gaps in open-source tooling.

Skip if: You need high-accuracy vulnerability intelligence without manual validation, or if you're only interested in vulnerabilities that already have battle-tested community templates. The keyword-based classification requires human review to filter out false positives and inapplicable CVEs, making this a research tool rather than an automated solution. Skip it if your workflow can't accommodate the manual verification step before template development, or if you prefer working with officially vetted templates rather than exploring edge cases. The value proposition is time-saving reconnaissance, not turnkey automation.