Template basics

Nuclei uses YAML-based templates to define vulnerability detection logic. You can run all templates, specific templates, or templates from certain directories.

Default template behavior

When you run Nuclei without specifying templates, it uses all templates from the nuclei-templates repository:
nuclei -target https://example.com
Nuclei automatically downloads and updates templates from the nuclei-templates repository on first run.

Running specific templates

Single template file

Run a specific template by providing its path:
nuclei -target https://example.com -templates http/cves/2021/CVE-2021-44228.yaml
Short flag:
nuclei -u https://example.com -t http/cves/2021/CVE-2021-44228.yaml

Multiple template files

Run multiple specific templates:
nuclei -target https://example.com \
  -templates http/cves/2021/CVE-2021-44228.yaml \
  -templates http/exposures/configs/git-config.yaml
Short flag:
nuclei -u https://example.com \
  -t http/cves/2021/CVE-2021-44228.yaml \
  -t http/exposures/configs/git-config.yaml

Templates from file

Provide a list of templates in a file, for example my-templates.txt:
http/cves/2021/CVE-2021-44228.yaml
http/vulnerabilities/wordpress/
network/
Run templates from the file:
nuclei -target https://example.com -templates my-templates.txt

Template directories

Run entire directory

Run all templates in a directory:
nuclei -target https://example.com -templates http/cves/

Multiple directories

Run templates from multiple directories:
nuclei -target https://example.com \
  -templates http/cves/ \
  -templates http/vulnerabilities/ \
  -templates network/
Short flag:
nuclei -u https://example.com -t http/cves/ -t ssl/ -t dns/

Remote templates

Load templates from remote URLs:

Single remote template

nuclei -target https://example.com \
  -template-url https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2021/CVE-2021-44228.yaml
Short flag:
nuclei -u https://example.com -turl https://example.com/custom-template.yaml

Multiple remote templates

nuclei -target https://example.com \
  -template-url https://example.com/template1.yaml \
  -template-url https://example.com/template2.yaml

Remote template list

Load URLs from a file, for example remote-templates.txt:
https://example.com/template1.yaml
https://example.com/template2.yaml
https://raw.githubusercontent.com/org/repo/main/template.yaml
Run templates from the URL list:
nuclei -target https://example.com -template-url remote-templates.txt
Only load templates from trusted sources. Malicious templates can execute arbitrary code.
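One way to enforce the warning above before a remote template list reaches -template-url. This is an added example, not code from the Nuclei project; TRUSTED_PREFIXES, the function names and the two lookalike URLs in the sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check a remote template list before passing it to -template-url.
# TRUSTED_PREFIXES is an assumption; set it to the repositories you actually review.
TRUSTED_PREFIXES="https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/
https://raw.githubusercontent.com/org/repo/"

# Print each entry of list file $1 that does not start with a trusted prefix.
# Returns 0 when every entry is trusted, 1 otherwise.
untrusted_template_urls() {
    bad=0
    while IFS= read -r url || [ -n "$url" ]; do
        [ -n "$url" ] || continue           # skip blank lines
        ok=0
        for prefix in $TRUSTED_PREFIXES; do
            case $url in
                *..* | *' '*) ;;            # path tricks or embedded spaces: never trusted
                "$prefix"*) ok=1 ;;
            esac
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$url"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample list: the three URLs from remote-templates.txt plus two lookalikes.
sample_remote_list() {
    cat <<'EOF'
https://example.com/template1.yaml
https://example.com/template2.yaml
https://raw.githubusercontent.com/org/repo/main/template.yaml
http://raw.githubusercontent.com/org/repo/main/template.yaml
https://raw.githubusercontent.com/org/repo/../../other/repo/main/t.yaml
EOF
}

list=$(mktemp)
sample_remote_list > "$list"
if untrusted_template_urls "$list"; then
    echo "all entries trusted: nuclei -target https://example.com -template-url $list"
else
    echo "refusing to load the entries listed above" >&2
fi
rm -f "$list"
```

A prefix match on a full repository path is stricter than a host match, because a shared host such as raw.githubusercontent.com serves content from any repository.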

Workflows

Workflows enable multi-step template execution with conditional logic:

Run a workflow

nuclei -target https://example.com -workflows workflows/wordpress-workflow.yaml
Short flag:
nuclei -u https://example.com -w workflows/wordpress-workflow.yaml

Multiple workflows

nuclei -target https://example.com \
  -workflows workflows/wordpress-workflow.yaml \
  -workflows workflows/jira-workflow.yaml

Workflow directories

nuclei -target https://example.com -workflows workflows/

Remote workflows

nuclei -target https://example.com \
  -workflow-url https://example.com/custom-workflow.yaml
Short flag:
nuclei -u https://example.com -wurl https://example.com/workflow.yaml
Workflows allow you to create complex scanning logic where templates execute conditionally based on previous results.

Template profiles

Template profiles provide pre-configured template sets for common scenarios:

List available profiles

nuclei -profile-list
Short flag:
nuclei -tpl

Use a profile

nuclei -target https://example.com -profile cves
Short flag:
nuclei -u https://example.com -tp cves
Common profiles:
  • cves - All CVE templates
  • exposures - Information disclosure
  • technologies - Technology detection
  • misconfigurations - Security misconfigurations

Template ID selection

Select templates by their ID:

Single template ID

nuclei -target https://example.com -template-id CVE-2021-44228
Short flag:
nuclei -u https://example.com -id CVE-2021-44228

Multiple template IDs

nuclei -target https://example.com \
  -template-id CVE-2021-44228,CVE-2021-26855,CVE-2020-14882

Template IDs from file

List template IDs in a file, for example template-ids.txt:
CVE-2021-44228
CVE-2021-26855
wp-login-brute
Run templates by ID from the file:
nuclei -target https://example.com -template-id template-ids.txt

Wildcard matching

Use wildcards to match multiple template IDs:
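# All template IDs starting with CVE-2021-4 (this range includes the Log4j CVEs)
nuclei -target https://example.com -template-id 'CVE-2021-4*'

# All 2024 CVEs
nuclei -target https://example.com -template-id 'CVE-2024-*'
Wildcard matching is useful for running all templates related to a specific vulnerability family. Quote the pattern so the shell passes it to Nuclei unexpanded.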

Template exclusion

Exclude specific templates

nuclei -target https://example.com \
  -templates http/cves/ \
  -exclude-templates http/cves/2018/
Short flag:
nuclei -u https://example.com -t http/ -et http/fuzzing/

Exclude by template ID

nuclei -target https://example.com \
  -exclude-id CVE-2021-44228,wordpress-login
Short flag:
nuclei -u https://example.com -eid CVE-2021-44228

Exclude templates from file

List the exclusions in a file, for example exclude-templates.txt:
http/fuzzing/
network/detection/
CVE-2018-*
Run with the exclusion file:
nuclei -target https://example.com -exclude-templates exclude-templates.txt

Force include templates

Include templates even if they’re in the default exclusion list:

Include specific templates

nuclei -target https://example.com -include-templates http/fuzzing/
Short flag:
nuclei -u https://example.com -it http/fuzzing/

Include by tag

nuclei -target https://example.com -include-tags dos
Short flag:
nuclei -u https://example.com -itags dos

Include by ID

nuclei -target https://example.com -include-id aggressive-scan
Some templates are excluded by default because they may be disruptive or generate false positives. Use include flags carefully.

New templates only

Latest release templates

Run only templates added in the most recent nuclei-templates release:
nuclei -target https://example.com -new-templates
Short flag:
nuclei -u https://example.com -nt

Specific version templates

Run templates added in a specific version:
nuclei -target https://example.com -new-templates-version v9.6.0
Short flag:
nuclei -u https://example.com -ntv v9.6.0

Multiple versions

nuclei -target https://example.com \
  -new-templates-version v9.6.0,v9.5.0
This is useful for testing newly released templates against your infrastructure.

Automatic template selection

Automatically select templates based on detected technologies:
nuclei -target https://example.com -automatic-scan
Short flag:
nuclei -u https://example.com -as
Nuclei uses Wappalyzer technology detection to identify the technology stack and run relevant templates.

Template validation

Validate template syntax without running scans:
nuclei -validate -templates custom-templates/

Display template contents

nuclei -template-display -templates http/cves/2021/CVE-2021-44228.yaml
Short flag:
nuclei -td -t http/cves/2021/CVE-2021-44228.yaml

List all templates

List all templates matching current filters:
nuclei -template-list -tags cve,critical
Short flag:
nuclei -tl -tags cve

List available tags

Display all available template tags:
nuclei -tag-list
Short flag:
nuclei -tgl

AI-generated templates

Generate and run templates using AI:
nuclei -target https://example.com \
  -prompt "Check for SQL injection in login form"
Short flag:
nuclei -u https://example.com -ai "Test for XSS vulnerabilities"
AI template generation requires API configuration and is an experimental feature.

Custom template directory

Update or specify a custom template directory:
# Update templates to custom directory
nuclei -update-templates -update-template-dir /custom/templates/

# Use custom directory for scans
nuclei -target https://example.com -templates /custom/templates/http/
Short flags:
nuclei -ut -ud /custom/templates/

Special template types

Code templates

Enable code protocol templates:
nuclei -target https://example.com -code
Code templates can execute arbitrary code. Only enable for trusted templates.

Self-contained templates

Enable self-contained templates:
nuclei -target https://example.com -enable-self-contained
Short flag:
nuclei -u https://example.com -esc

Global matchers

Enable global matcher templates:
nuclei -target https://example.com -enable-global-matchers
Short flag:
nuclei -u https://example.com -egm

File templates

Enable file protocol templates:
nuclei -target https://example.com -file

Unsigned templates

Disable unsigned templates for security:
nuclei -target https://example.com -disable-unsigned-templates
Short flag:
nuclei -u https://example.com -dut
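A pre-flight inventory for the code-template and unsigned-template options above, as an added example that is not code from the Nuclei project. Assumptions: a code-protocol template has a top-level code: key, a signed template carries a "# digest:" comment line, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory a template directory before enabling -code.
# Heuristics (assumptions): a code-protocol template has a top-level "code:" key
# and a signed template carries a "# digest: ..." comment line. This only reports;
# signature checking is left to nuclei via -disable-unsigned-templates.

# Print "<signed|unsigned> <path>" for each YAML file under $1 with a code block.
list_code_templates() {
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while IFS= read -r f; do
        grep -q '^code:' "$f" || continue
        if grep -q '^# digest: ' "$f"; then
            printf 'signed %s\n' "$f"
        else
            printf 'unsigned %s\n' "$f"
        fi
    done
}

# Return 0 only when no unsigned code template exists under $1.
code_templates_all_signed() {
    ! list_code_templates "$1" | grep -q '^unsigned '
}

# Constructed sample tree: one HTTP template, one unsigned and one "signed" code template.
make_sample_templates() {
    mkdir -p "$1/http" "$1/code"
    printf 'id: constructed-http\nhttp:\n  - method: GET\n' > "$1/http/check.yaml"
    printf 'id: constructed-code-a\ncode:\n  - engine: [sh]\n    source: echo constructed\n' \
        > "$1/code/a.yaml"
    printf 'id: constructed-code-b\ncode:\n  - engine: [sh]\n    source: echo constructed\n# digest: CONSTRUCTED-PLACEHOLDER\n' \
        > "$1/code/b.yaml"
}

dir=$(mktemp -d)
make_sample_templates "$dir"
list_code_templates "$dir"
code_templates_all_signed "$dir" || echo "unsigned code templates present: review before passing -code" >&2
rm -rf "$dir"
```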

Practical examples

Example 1: CVE scanning

Scan for critical and high-severity CVEs from 2024:
nuclei -target https://example.com \
  -templates http/cves/2024/ \
  -severity critical,high \
  -json-export cve-findings.json

Example 2: Technology-specific scan

Scan a WordPress site with relevant templates:
nuclei -target https://wordpress-site.com \
  -tags wordpress \
  -workflows workflows/wordpress-workflow.yaml \
  -severity medium,high,critical

Example 3: Custom template testing

Test custom templates before deployment:
nuclei -validate -templates /path/to/custom-templates/ -verbose

Example 4: Targeted ID scan

Scan for specific vulnerabilities:
nuclei -list targets.txt \
  -template-id CVE-2021-44228,CVE-2021-45046,CVE-2021-45105 \
  -rate-limit 100 \
  -output log4j-scan.txt

Example 5: Exclude noisy templates

Run all templates except the fuzzing and detection directories and anything tagged dos or intrusive:
nuclei -target https://example.com \
  -exclude-templates http/fuzzing/,network/detection/ \
  -exclude-tags dos,intrusive

Example 6: Latest templates only

Test with the newest templates:
nuclei -list production-targets.txt \
  -new-templates \
  -severity high,critical \
  -silent \
  -json-export new-template-findings.json

Template organization tips

1. Use template profiles

Start with profiles for common scenarios:
nuclei -target example.com -profile cves

2. Combine with filters

Mix template selection with severity filters:
nuclei -target example.com -templates http/cves/ -severity critical,high

3. Create template lists

Maintain lists for different scan types:
nuclei -target example.com -templates production-safe.txt

4. Validate before running

Always validate custom templates:
nuclei -validate -templates custom/ && nuclei -u example.com -t custom/
