Merge pull request #6500 from projectdiscovery/dwisiswant0/fix/issue-6499-6498

fix: suppress warn code flag not found & excludes known misc dir

.claude/settings.local.json

@@ -0,0 +1,35 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(find:*)",
+      "Bash(mkdir:*)",
+      "Bash(cp:*)",
+      "Bash(ls:*)",
+      "Bash(make:*)",
+      "Bash(go:*)",
+      "Bash(golangci-lint:*)",
+      "Bash(git merge:*)",
+      "Bash(git add:*)",
+      "Bash(git commit:*)",
+      "Bash(git push:*)",
+      "Bash(git pull:*)",
+      "Bash(git fetch:*)",
+      "Bash(git checkout:*)",
+      "WebFetch(*)",
+      "Write(*)",
+      "WebSearch(*)",
+      "MultiEdit(*)",
+      "Edit(*)",
+      "Bash(gh:*)",
+      "Bash(grep:*)",
+      "Bash(tree:*)",
+      "Bash(./nuclei:*)",
+      "WebFetch(domain:github.com)"
+    ],
+    "deny": [
+      "Bash(make run:*)",
+      "Bash(./bin/nuclei:*)"
+    ],
+    "defaultMode": "acceptEdits"
+  }
+}

.github/DISCUSSION_TEMPLATE.md

@@ -0,0 +1,76 @@
+# Nuclei Discussion Guidelines
+
+## Before Creating a Discussion
+
+1. **Search existing discussions and issues** to avoid duplicates
+2. **Check the documentation** and README first
+3. **Browse the FAQ** and common questions
+
+## Bug Reports in Discussions
+
+When reporting a bug in [Q&A Discussions](https://github.com/projectdiscovery/nuclei/discussions/categories/q-a), please include:
+
+### Required Information:
+- **Clear title** with `[BUG]` prefix (e.g., "[BUG] Nuclei crashes when...")
+- **Current behavior** - What's happening now?
+- **Expected behavior** - What should happen instead?
+- **Steps to reproduce** - Commands or actions that trigger the issue
+- **Environment details**:
+  - OS and version
+  - Nuclei version (`nuclei -version`)
+  - Go version (if installed via `go install`)
+- **Log output** - Run with `-verbose` or `-debug` for detailed logs
+- **Redact sensitive information** - Remove target URLs, credentials, etc.
+
+### After Discussion:
+- Maintainers will review and validate the bug report
+- Valid bugs will be converted to issues with proper labels and tracking
+- Questions and misconfigurations will be resolved in the discussion
+
+## Feature Requests in Discussions
+
+When requesting a feature in [Ideas Discussions](https://github.com/projectdiscovery/nuclei/discussions/categories/ideas), please include:
+
+### Required Information:
+- **Clear title** with `[FEATURE]` prefix (e.g., "[FEATURE] Add support for...")
+- **Feature description** - What do you want to be added?
+- **Use case** - Why is this feature needed? What problem does it solve?
+- **Implementation ideas** - If you have suggestions on how it could work
+- **Alternatives considered** - What other solutions have you thought about?
+
+### After Discussion:
+- Community and maintainers will discuss the feasibility
+- Popular and viable features will be converted to issues
+- Similar features may be grouped together
+- Rejected features will be explained in the discussion
+
+## Getting Help
+
+For general questions, troubleshooting, and "how-to" topics:
+- Use [Q&A Discussions](https://github.com/projectdiscovery/nuclei/discussions/categories/q-a)
+- Join the [Discord server](https://discord.gg/projectdiscovery) #nuclei channel
+- Check existing discussions for similar questions
+
+## Discussion to Issue Conversion Process
+
+Only maintainers can convert discussions to issues. The process:
+
+1. **Validation** - Maintainers review the discussion for completeness and validity
+2. **Classification** - Determine if it's a bug, feature, enhancement, etc.
+3. **Issue creation** - Create a properly formatted issue with appropriate labels
+4. **Linking** - Link the issue back to the original discussion
+5. **Resolution** - Mark the discussion as resolved or close it
+
+This process ensures:
+- High-quality issues that are actionable
+- Proper triage and labeling
+- Reduced noise in the issue tracker
+- Community involvement in the validation process
+
+## Why This Process?
+
+- **Better organization** - Issues contain only validated, actionable items
+- **Community input** - Discussions allow for community feedback before escalation
+- **Quality control** - Maintainers ensure proper formatting and information
+- **Reduced maintenance** - Fewer invalid or duplicate issues to manage
+- **Clear separation** - Questions vs. actual bugs/features are clearly distinguished

.github/ISSUE_TEMPLATE/config.yml

@@ -2,14 +2,22 @@ blank_issues_enabled: false
 
 contact_links:
 
-  - name: Ask an question / advise on using nuclei
+  - name: 🐛 Report a Bug (Start with Discussion)
-    url: https://github.com/projectdiscovery/nuclei/discussions/categories/q-a
+    url: https://github.com/orgs/projectdiscovery/discussions/new?category=q-a
-    about: Ask a question or request support for using nuclei
+    about: Start by reporting your issue in discussions for proper triage. Issues will be created after review to avoid duplicate/invalid reports.
 
-  - name: Share idea / feature to discuss for nuclei
+  - name: 💡 Request a Feature (Start with Discussion)
-    url: https://github.com/projectdiscovery/nuclei/discussions/categories/ideas
+    url: https://github.com/orgs/projectdiscovery/discussions/new?category=ideas
-    about: Share idea / feature to discuss for nuclei
+    about: Share your feature idea in discussions first. This helps validate and refine the request before creating an issue.
 
-  - name: Connect with PD Team (Discord)
+  - name: ❓ Ask Questions / Get Help
+    url: https://github.com/orgs/projectdiscovery/discussions
+    about: Get help and ask questions about using Nuclei. Many questions don't require issues.
+
+  - name: 🔍 Browse Existing Issues
+    url: https://github.com/projectdiscovery/nuclei/issues
+    about: Check existing issues to see if your problem has already been reported or is being worked on.
+
+  - name: 💬 Connect with PD Team (Discord)
     url: https://discord.gg/projectdiscovery
-    about: Connect with PD Team for direct communication
+    about: Join our Discord for real-time discussions and community support on the #nuclei channel.

.github/ISSUE_TEMPLATE/reference-templates/README.md

@@ -0,0 +1,45 @@
+# Issue Template References
+
+## Overview
+
+This folder contains the preserved issue templates that are **not** directly accessible to users. These templates serve as references for maintainers when converting discussions to issues.
+
+## New Workflow
+
+### For Users:
+1. **All reports start in Discussions** - Users cannot create issues directly
+2. Bug reports go to [Q&A Discussions](https://github.com/projectdiscovery/nuclei/discussions/categories/q-a)
+3. Feature requests go to [Ideas Discussions](https://github.com/projectdiscovery/nuclei/discussions/categories/ideas)
+4. This helps filter out duplicate questions, invalid reports, and ensures proper triage
+
+### For Maintainers:
+1. **Review discussions** in both Q&A and Ideas categories
+2. **Validate the reports** - ensure they're actual bugs/valid feature requests
+3. **Use reference templates** when converting discussions to issues:
+   - Copy content from `bug-report-reference.yml` or `feature-request-reference.yml`
+   - Create a new issue manually with the appropriate template structure
+   - Link back to the original discussion
+   - Close the discussion or mark it as resolved
+
+## Benefits
+
+- **Better triage**: Avoid cluttering issues with questions and invalid reports
+- **Community involvement**: Discussions allow for community input before creating issues
+- **Quality control**: Maintainers can ensure issues follow proper format and contain necessary information
+- **Reduced noise**: Only validated, actionable items become issues
+
+## Reference Templates
+
+- `bug-report-reference.yml` - Use when converting bug reports from discussions to issues
+- `feature-request-reference.yml` - Use when converting feature requests from discussions to issues
+
+## Converting a Discussion to Issue
+
+1. Identify a valid discussion that needs to become an issue
+2. Go to the main repository's Issues tab
+3. Click "New Issue"
+4. Manually create the issue using the reference template structure
+5. Include all relevant information from the discussion
+6. Add a comment linking back to the original discussion
+7. Apply appropriate labels
+8. Close or mark the discussion as resolved with a link to the created issue

.github/auto_assign.yml

@@ -2,6 +2,7 @@ addReviewers: true
 reviewers:
   - dogancanbakir
   - dwisiswant0
+  - mzack9999
 
 numberOfReviewers: 1
 skipKeywords:

.github/workflows/auto-merge.yaml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.actor == 'dependabot[bot]'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.DEPENDABOT_PAT }}
 

.github/workflows/compat-checks.yaml

@@ -13,7 +13,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go/compat-checks@v1
         with:
           release-test: true

.github/workflows/generate-docs.yaml

@@ -11,7 +11,7 @@ jobs:
     if: "${{ !endsWith(github.actor, '[bot]') }}"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - uses: projectdiscovery/actions/setup/git@v1
       - run: make syntax-docs

.github/workflows/generate-pgo.yaml

@@ -28,7 +28,7 @@ jobs:
       LIST_FILE: "/tmp/targets-${{ matrix.targets }}.txt"
       PROFILE_MEM: "/tmp/nuclei-profile-${{ matrix.targets }}-targets"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/git@v1
       - uses: projectdiscovery/actions/setup/go@v1
       - name: Generate list

.github/workflows/govulncheck.yaml

@@ -16,7 +16,7 @@ jobs:
     env:
       OUTPUT: "/tmp/results.sarif"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - run: go install golang.org/x/vuln/cmd/govulncheck@latest
       - run: govulncheck -scan package -format sarif ./... > $OUTPUT

.github/workflows/perf-regression.yaml

@@ -11,7 +11,7 @@ jobs:
     env:
       BENCH_OUT: "/tmp/bench.out"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - run: make build-test
       - run: ./bin/nuclei.test -test.run - -test.bench=. -test.benchmem ./cmd/nuclei/ | tee $BENCH_OUT

.github/workflows/perf-test.yaml

@@ -16,7 +16,7 @@ jobs:
       LIST_FILE: "/tmp/targets-${{ matrix.count }}.txt"
       PROFILE_MEM: "/tmp/nuclei-perf-test-${{ matrix.count }}"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - run: make verify
       - name: Generate list

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ jobs:
   release: 
     runs-on: ubuntu-latest-16-cores
     steps: 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with: 
           fetch-depth: 0
       - uses: projectdiscovery/actions/setup/go@v1

.github/workflows/stale.yaml

@@ -13,7 +13,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           days-before-stale: 90
           days-before-close: 7

.github/workflows/tests.yaml

@@ -22,7 +22,7 @@ jobs:
     if: "${{ !endsWith(github.actor, '[bot]') }}"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - uses: projectdiscovery/actions/golangci-lint/v2@v1
 
@@ -35,7 +35,7 @@ jobs:
         os: [ubuntu-latest, windows-latest, macOS-latest]
     runs-on: "${{ matrix.os }}"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - run: make vet
       - run: make build
@@ -52,7 +52,7 @@ jobs:
     needs: ["tests"]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - name: "Simple"
         run: go run .
@@ -74,7 +74,7 @@ jobs:
         os: [ubuntu-latest, windows-latest, macOS-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - uses: projectdiscovery/actions/setup/python@v1
       - run: bash run.sh "${{ matrix.os }}"
@@ -93,7 +93,7 @@ jobs:
         os: [ubuntu-latest, windows-latest, macOS-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - uses: projectdiscovery/actions/setup/python@v1
       - run: bash run.sh
@@ -106,7 +106,7 @@ jobs:
     needs: ["tests"]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - run: make template-validate
 
@@ -119,7 +119,7 @@ jobs:
       contents: read
       security-events: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: github/codeql-action/init@v3
         with:
           languages: 'go'
@@ -131,7 +131,7 @@ jobs:
     needs: ["tests"]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: projectdiscovery/actions/setup/go@v1
       - uses: projectdiscovery/actions/goreleaser@v1
 
@@ -143,7 +143,7 @@ jobs:
       TARGET_URL: "http://scanme.sh/a/?b=c"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - run: make build
       - name: "Setup environment (push)"
         if: ${{ github.event_name == 'push' }}

.gitignore

@@ -28,6 +28,8 @@
 /scrapefunc
 /scrapefuncs
 /tsgen
+/integration_tests/integration-test
+/integration_tests/nuclei
 
 # Templates
 /*.yaml

CLAUDE.md

@@ -0,0 +1,83 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Nuclei is a modern, high-performance vulnerability scanner built in Go that leverages YAML-based templates for customizable vulnerability detection. It supports multiple protocols (HTTP, DNS, TCP, SSL, WebSocket, WHOIS, JavaScript, Code) and is designed for zero false positives through real-world condition simulation.
+
+## Development Commands
+
+### Building and Testing
+- `make build` - Build the main nuclei binary to ./bin/nuclei
+- `make test` - Run unit tests with race detection
+- `make integration` - Run integration tests (builds and runs test suite)
+- `make functional` - Run functional tests
+- `make vet` - Run go vet for code analysis
+- `make tidy` - Clean up go modules
+
+### Validation and Linting
+- `make template-validate` - Validate nuclei templates using the built binary
+- `go fmt ./...` - Format Go code
+- `go vet ./...` - Static analysis
+
+### Development Tools
+- `make devtools-all` - Build all development tools (bindgen, tsgen, scrapefuncs)
+- `make jsupdate-all` - Update JavaScript bindings and TypeScript definitions
+- `make docs` - Generate documentation
+- `make memogen` - Generate memoization code for JavaScript libraries
+
+### Testing Specific Components
+- Run single test: `go test -v ./pkg/path/to/package -run TestName`
+- Integration tests are in `integration_tests/` and can be run via `make integration`
+
+## Architecture Overview
+
+### Core Components
+- **cmd/nuclei** - Main CLI entry point with flag parsing and configuration
+- **internal/runner** - Core runner that orchestrates the entire scanning process
+- **pkg/core** - Execution engine with work pools and template clustering
+- **pkg/templates** - Template parsing, compilation, and management
+- **pkg/protocols** - Protocol implementations (HTTP, DNS, Network, etc.)
+- **pkg/operators** - Matching and extraction logic (matchers/extractors)
+- **pkg/catalog** - Template discovery and loading from disk/remote sources
+
+### Protocol Architecture
+Each protocol (HTTP, DNS, Network, etc.) implements:
+- Request interface with Compile(), ExecuteWithResults(), Match(), Extract() methods
+- Operators embedding for matching/extraction functionality
+- Protocol-specific request building and execution logic
+
+### Template System
+- Templates are YAML files defining vulnerability detection logic
+- Compiled into executable requests with operators (matchers/extractors)
+- Support for workflows (multi-step template execution)
+- Template clustering optimizes identical requests across multiple templates
+
+### Key Execution Flow
+1. Template loading and compilation via pkg/catalog/loader
+2. Input provider setup for targets
+3. Engine creation with work pools for concurrency
+4. Template execution with result collection via operators
+5. Output writing and reporting integration
+
+### JavaScript Integration
+- Custom JavaScript runtime for code protocol templates
+- Auto-generated bindings in pkg/js/generated/
+- Library implementations in pkg/js/libs/
+- Development tools for binding generation in pkg/js/devtools/
+
+## Template Development
+- Templates located in separate nuclei-templates repository
+- YAML format with info, requests, and operators sections  
+- Support for multiple protocol types in single template
+- Built-in DSL functions for dynamic content generation
+- Template validation available via `make template-validate`
+
+## Key Directories
+- **lib/** - SDK for embedding nuclei as a library
+- **examples/** - Usage examples for different scenarios
+- **integration_tests/** - Integration test suite with protocol-specific tests
+- **pkg/fuzz/** - Fuzzing engine and DAST capabilities
+- **pkg/input/** - Input processing for various formats (Burp, OpenAPI, etc.)
+- **pkg/reporting/** - Result export and issue tracking integrations

Makefile

@@ -147,13 +147,13 @@ template-validate: build
 template-validate:
 	./bin/nuclei -ut
 	./bin/nuclei -validate \
-		-et .github/ \
-		-et helpers/payloads/ \
 		-et http/technologies \
+		-t dns \
+		-t ssl \
+		-t network \
+		-t http/exposures \
 		-ept code
 	./bin/nuclei -validate \
 		-w workflows \
-		-et .github/ \
-		-et helpers/payloads/ \
 		-et http/technologies \
 		-ept code

README.md

@@ -356,6 +356,7 @@ CLOUD:
 AUTHENTICATION:
    -sf, -secret-file string[]  path to config file containing secrets for nuclei authenticated scan
    -ps, -prefetch-secrets      prefetch secrets from the secrets file
+   # NOTE: Headers in secrets files preserve exact casing (useful for case-sensitive APIs)
 
 
 EXAMPLES:

cmd/integration-test/exporters.go

@@ -0,0 +1,104 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/projectdiscovery/nuclei/v3/pkg/output"
+	"github.com/projectdiscovery/nuclei/v3/pkg/reporting/exporters/mongo"
+	"github.com/testcontainers/testcontainers-go"
+	mongocontainer "github.com/testcontainers/testcontainers-go/modules/mongodb"
+
+	osutil "github.com/projectdiscovery/utils/os"
+	mongoclient "go.mongodb.org/mongo-driver/mongo"
+	mongooptions "go.mongodb.org/mongo-driver/mongo/options"
+)
+
+const (
+	dbName  = "test"
+	dbImage = "mongo:8"
+)
+
+var exportersTestCases = []TestCaseInfo{
+	{Path: "exporters/mongo", TestCase: &mongoExporter{}, DisableOn: func() bool {
+		return osutil.IsWindows() || osutil.IsOSX()
+	}},
+}
+
+type mongoExporter struct{}
+
+func (m *mongoExporter) Execute(filepath string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	defer cancel()
+
+	// Start a MongoDB container
+	mongodbContainer, err := mongocontainer.Run(ctx, dbImage)
+	defer func() {
+		if err := testcontainers.TerminateContainer(mongodbContainer); err != nil {
+			log.Printf("failed to terminate container: %s", err)
+		}
+	}()
+	if err != nil {
+		return fmt.Errorf("failed to start container: %w", err)
+	}
+
+	connString, err := mongodbContainer.ConnectionString(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to get connection string for MongoDB container: %s", err)
+	}
+	connString = connString + dbName
+
+	// Create a MongoDB exporter and write a test result to the database
+	opts := mongo.Options{
+		ConnectionString: connString,
+		CollectionName:   "test",
+		BatchSize:        1, // Ensure we write the result immediately
+	}
+
+	exporter, err := mongo.New(&opts)
+	if err != nil {
+		return fmt.Errorf("failed to create MongoDB exporter: %s", err)
+	}
+	defer func() {
+		if err := exporter.Close(); err != nil {
+			fmt.Printf("failed to close exporter: %s\n", err)
+		}
+	}()
+
+	res := &output.ResultEvent{
+		Request:  "test request",
+		Response: "test response",
+	}
+
+	err = exporter.Export(res)
+	if err != nil {
+		return fmt.Errorf("failed to export result event to MongoDB: %s", err)
+	}
+
+	// Verify that the result was written to the database
+	clientOptions := mongooptions.Client().ApplyURI(connString)
+	client, err := mongoclient.Connect(ctx, clientOptions)
+	if err != nil {
+		return fmt.Errorf("error creating MongoDB client: %s", err)
+	}
+	defer func() {
+		if err := client.Disconnect(ctx); err != nil {
+			fmt.Printf("failed to disconnect from MongoDB: %s\n", err)
+		}
+	}()
+
+	collection := client.Database(dbName).Collection(opts.CollectionName)
+	var actualRes output.ResultEvent
+	err = collection.FindOne(ctx, map[string]interface{}{"request": res.Request}).Decode(&actualRes)
+	if err != nil {
+		return fmt.Errorf("failed to find document in MongoDB: %s", err)
+	}
+
+	if actualRes.Request != res.Request || actualRes.Response != res.Response {
+		return fmt.Errorf("exported result does not match expected result: got %v, want %v", actualRes, res)
+	}
+
+	return nil
+}

cmd/integration-test/http.go

@@ -196,7 +196,7 @@ func (d *httpDefaultMatcherCondition) Execute(filePath string) error {
 		return err
 	}
 	if routerErr != nil {
-		return errkit.Append(errkit.New("failed to send http request to interactsh server"), routerErr)
+		return errkit.Wrap(routerErr, "failed to send http request to interactsh server")
 	}
 	if err := expectResultsCount(results, 1); err != nil {
 		return err
@@ -628,10 +628,10 @@ func (h *httpRawWithParams) Execute(filePath string) error {
 		// we intentionally use params["test"] instead of params.Get("test") to test the case where
 		// there are multiple parameters with the same name
 		if !reflect.DeepEqual(params["key1"], []string{"value1"}) {
-			errx = errkit.Append(errkit.New(fmt.Sprintf("expected %v, got %v", []string{"value1"}, params["key1"])), errx)
+			errx = errkit.Append(errx, errkit.New("key1 not found in params", "expected", []string{"value1"}, "got", params["key1"]))
 		}
 		if !reflect.DeepEqual(params["key2"], []string{"value2"}) {
-			errx = errkit.Append(errkit.New(fmt.Sprintf("expected %v, got %v", []string{"value2"}, params["key2"])), errx)
+			errx = errkit.Append(errx, errkit.New("key2 not found in params", "expected", []string{"value2"}, "got", params["key2"]))
 		}
 		_, _ = fmt.Fprintf(w, "Test is test raw-params-matcher text")
 	})
@@ -971,10 +971,10 @@ func (h *httpRequestSelfContainedWithParams) Execute(filePath string) error {
 		// we intentionally use params["test"] instead of params.Get("test") to test the case where
 		// there are multiple parameters with the same name
 		if !reflect.DeepEqual(params["something"], []string{"here"}) {
-			errx = errkit.Append(errkit.New(fmt.Sprintf("expected %v, got %v", []string{"here"}, params["something"])), errx)
+			errx = errkit.Append(errx, errkit.New("something not found in params", "expected", []string{"here"}, "got", params["something"]))
 		}
 		if !reflect.DeepEqual(params["key"], []string{"value"}) {
-			errx = errkit.Append(errkit.New(fmt.Sprintf("expected %v, got %v", []string{"value"}, params["key"])), errx)
+			errx = errkit.Append(errx, errkit.New("key not found in params", "expected", []string{"value"}, "got", params["key"]))
 		}
 		_, _ = w.Write([]byte("This is self-contained response"))
 	})
@@ -1027,10 +1027,10 @@ func (h *httpRequestSelfContainedFileInput) Execute(filePath string) error {
 	// create temp file
 	FileLoc, err := os.CreateTemp("", "self-contained-payload-*.txt")
 	if err != nil {
-		return errkit.Append(errkit.New("failed to create temp file"), err)
+		return errkit.Wrap(err, "failed to create temp file")
 	}
 	if _, err := FileLoc.Write([]byte("one\ntwo\n")); err != nil {
-		return errkit.Append(errkit.New("failed to write payload to temp file"), err)
+		return errkit.Wrap(err, "failed to write payload to temp file")
 	}
 	defer func() {
 		_ = FileLoc.Close()
@@ -1046,7 +1046,7 @@ func (h *httpRequestSelfContainedFileInput) Execute(filePath string) error {
 	}
 
 	if !sliceutil.ElementsMatch(gotReqToEndpoints, []string{"/one", "/two", "/one", "/two"}) {
-		return errkit.New(fmt.Sprintf("%s: expected requests to be sent to `/one` and `/two` endpoints but were sent to `%v`", filePath, gotReqToEndpoints)).Build()
+		return errkit.New("expected requests to be sent to `/one` and `/two` endpoints but were sent to `%v`", gotReqToEndpoints, "filePath", filePath)
 	}
 	return nil
 }

cmd/integration-test/integration-test.go

@@ -57,6 +57,7 @@ var (
 		"flow":            flowTestcases,
 		"javascript":      jsTestcases,
 		"matcher-status":  matcherStatusTestcases,
+		"exporters":       exportersTestCases,
 	}
 	// flakyTests are run with a retry count of 3
 	flakyTests = map[string]bool{

cmd/integration-test/javascript.go

@@ -15,13 +15,17 @@ var jsTestcases = []TestCaseInfo{
 	{Path: "protocols/javascript/ssh-server-fingerprint.yaml", TestCase: &javascriptSSHServerFingerprint{}, DisableOn: func() bool { return osutils.IsWindows() || osutils.IsOSX() }},
 	{Path: "protocols/javascript/net-multi-step.yaml", TestCase: &networkMultiStep{}},
 	{Path: "protocols/javascript/net-https.yaml", TestCase: &javascriptNetHttps{}},
+	{Path: "protocols/javascript/oracle-auth-test.yaml", TestCase: &javascriptOracleAuthTest{}, DisableOn: func() bool { return osutils.IsWindows() || osutils.IsOSX() }},
+	{Path: "protocols/javascript/vnc-pass-brute.yaml", TestCase: &javascriptVncPassBrute{}},
 }
 
 var (
-	redisResource *dockertest.Resource
+	redisResource  *dockertest.Resource
-	sshResource   *dockertest.Resource
+	sshResource    *dockertest.Resource
-	pool          *dockertest.Pool
+	oracleResource *dockertest.Resource
-	defaultRetry  = 3
+	vncResource    *dockertest.Resource
+	pool           *dockertest.Pool
+	defaultRetry   = 3
 )
 
 type javascriptNetHttps struct{}
@@ -98,6 +102,71 @@ func (j *javascriptSSHServerFingerprint) Execute(filePath string) error {
 	return multierr.Combine(errs...)
 }
 
+type javascriptOracleAuthTest struct{}
+
+func (j *javascriptOracleAuthTest) Execute(filePath string) error {
+	if oracleResource == nil || pool == nil {
+		// skip test as oracle is not running
+		return nil
+	}
+	tempPort := oracleResource.GetPort("1521/tcp")
+	finalURL := "localhost:" + tempPort
+	defer purge(oracleResource)
+
+	errs := []error{}
+	for i := 0; i < defaultRetry; i++ {
+		results := []string{}
+		var err error
+		_ = pool.Retry(func() error {
+			//let ssh server start
+			time.Sleep(3 * time.Second)
+			results, err = testutils.RunNucleiTemplateAndGetResults(filePath, finalURL, debug)
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+		if err := expectResultsCount(results, 1); err == nil {
+			return nil
+		} else {
+			errs = append(errs, err)
+		}
+	}
+	return multierr.Combine(errs...)
+}
+
+type javascriptVncPassBrute struct{}
+
+func (j *javascriptVncPassBrute) Execute(filePath string) error {
+	if vncResource == nil || pool == nil {
+		// skip test as vnc is not running
+		return nil
+	}
+	tempPort := vncResource.GetPort("5900/tcp")
+	finalURL := "localhost:" + tempPort
+	defer purge(vncResource)
+	errs := []error{}
+	for i := 0; i < defaultRetry; i++ {
+		results := []string{}
+		var err error
+		_ = pool.Retry(func() error {
+			//let ssh server start
+			time.Sleep(3 * time.Second)
+			results, err = testutils.RunNucleiTemplateAndGetResults(filePath, finalURL, debug)
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+		if err := expectResultsCount(results, 1); err == nil {
+			return nil
+		} else {
+			errs = append(errs, err)
+		}
+	}
+	return multierr.Combine(errs...)
+}
+
 // purge any given resource if it is not nil
 func purge(resource *dockertest.Resource) {
 	if resource != nil && pool != nil {
@@ -163,4 +232,41 @@ func init() {
 	if err := sshResource.Expire(30); err != nil {
 		log.Printf("Could not expire resource: %s", err)
 	}
+
+	// setup a temporary oracle instance
+	oracleResource, err = pool.RunWithOptions(&dockertest.RunOptions{
+		Repository: "gvenzl/oracle-xe",
+		Tag:        "latest",
+		Env: []string{
+			"ORACLE_PASSWORD=mysecret",
+		},
+		Platform: "linux/amd64",
+	})
+	if err != nil {
+		log.Printf("Could not start Oracle resource: %s", err)
+		return
+	}
+
+	// by default expire after 30 sec
+	if err := oracleResource.Expire(30); err != nil {
+		log.Printf("Could not expire Oracle resource: %s", err)
+	}
+
+	// setup a temporary vnc server
+	vncResource, err = pool.RunWithOptions(&dockertest.RunOptions{
+		Repository: "dorowu/ubuntu-desktop-lxde-vnc",
+		Tag:        "latest",
+		Env: []string{
+			"VNC_PASSWORD=mysecret",
+		},
+		Platform: "linux/amd64",
+	})
+	if err != nil {
+		log.Printf("Could not start resource: %s", err)
+		return
+	}
+	// by default expire after 30 sec
+	if err := vncResource.Expire(30); err != nil {
+		log.Printf("Could not expire resource: %s", err)
+	}
 }

cmd/integration-test/loader.go

@@ -223,7 +223,7 @@ type loadTemplateWithID struct{}
 func (h *loadTemplateWithID) Execute(nooop string) error {
 	results, err := testutils.RunNucleiBareArgsAndGetResults(debug, nil, "-target", "scanme.sh", "-id", "self-signed-ssl")
 	if err != nil {
-		return errkit.Append(errkit.New("failed to load template with id"), err)
+		return errkit.Wrap(err, "failed to load template with id")
 	}
 	return expectResultsCount(results, 1)
 }

cmd/integration-test/profile-loader.go

@@ -18,7 +18,7 @@ type profileLoaderByRelFile struct{}
 func (h *profileLoaderByRelFile) Execute(testName string) error {
 	results, err := testutils.RunNucleiWithArgsAndGetResults(debug, "-tl", "-tp", "cloud.yml")
 	if err != nil {
-		return errkit.Append(errkit.New("failed to load template with id"), err)
+		return errkit.Wrap(err, "failed to load template with id")
 	}
 	if len(results) <= 10 {
 		return fmt.Errorf("incorrect result: expected more results than %d, got %v", 10, len(results))
@@ -31,7 +31,7 @@ type profileLoaderById struct{}
 func (h *profileLoaderById) Execute(testName string) error {
 	results, err := testutils.RunNucleiWithArgsAndGetResults(debug, "-tl", "-tp", "cloud")
 	if err != nil {
-		return errkit.Append(errkit.New("failed to load template with id"), err)
+		return errkit.Wrap(err, "failed to load template with id")
 	}
 	if len(results) <= 10 {
 		return fmt.Errorf("incorrect result: expected more results than %d, got %v", 10, len(results))
@@ -45,7 +45,7 @@ type customProfileLoader struct{}
 func (h *customProfileLoader) Execute(filepath string) error {
 	results, err := testutils.RunNucleiWithArgsAndGetResults(debug, "-tl", "-tp", filepath)
 	if err != nil {
-		return errkit.Append(errkit.New("failed to load template with id"), err)
+		return errkit.Wrap(err, "failed to load template with id")
 	}
 	if len(results) < 1 {
 		return fmt.Errorf("incorrect result: expected more results than %d, got %v", 1, len(results))

cmd/integration-test/template-dir.go

@@ -17,7 +17,7 @@ type templateDirWithTargetTest struct{}
 func (h *templateDirWithTargetTest) Execute(filePath string) error {
 	tempdir, err := os.MkdirTemp("", "nuclei-update-dir-*")
 	if err != nil {
-		return errkit.Append(errkit.New("failed to create temp dir"), err)
+		return errkit.Wrap(err, "failed to create temp dir")
 	}
 	defer func() {
 		_ = os.RemoveAll(tempdir)

cmd/nuclei/main.go

@@ -20,6 +20,7 @@ import (
 	_ "github.com/projectdiscovery/utils/pprof"
 	stringsutil "github.com/projectdiscovery/utils/strings"
 	"github.com/rs/xid"
+	"gopkg.in/yaml.v2"
 
 	"github.com/projectdiscovery/goflags"
 	"github.com/projectdiscovery/gologger/levels"
@@ -187,7 +188,7 @@ func main() {
 			options.Logger.Info().Msgf("Creating resume file: %s\n", resumeFileName)
 			err := nucleiRunner.SaveResumeConfig(resumeFileName)
 			if err != nil {
-				return errkit.Append(errkit.New("couldn't create crash resume file"), err)
+				return errkit.Wrap(err, "couldn't create crash resume file")
 			}
 			return nil
 		})
@@ -263,6 +264,8 @@ on extensive configurability, massive extensibility and ease of use.`)
 		flagSet.StringVarP(&options.InputFileMode, "input-mode", "im", "list", fmt.Sprintf("mode of input file (%v)", provider.SupportedInputFormats())),
 		flagSet.BoolVarP(&options.FormatUseRequiredOnly, "required-only", "ro", false, "use only required fields in input format when generating requests"),
 		flagSet.BoolVarP(&options.SkipFormatValidation, "skip-format-validation", "sfv", false, "skip format validation (like missing vars) when parsing input file"),
+		flagSet.BoolVarP(&options.VarsTextTemplating, "vars-text-templating", "vtt", false, "enable text templating for vars in input file (only for yaml input mode)"),
+		flagSet.StringSliceVarP(&options.VarsFilePaths, "var-file-paths", "vfp", nil, "list of yaml file contained vars to inject into yaml input", goflags.CommaSeparatedStringSliceOptions),
 	)
 
 	flagSet.CreateGroup("templates", "Templates",
@@ -571,6 +574,7 @@ Additional documentation is available at: https://docs.nuclei.sh/getting-started
 		config.DefaultConfig.SetConfigDir(customConfigDir)
 		readFlagsConfig(flagSet)
 	}
+
 	if cfgFile != "" {
 		if !fileutil.FileExists(cfgFile) {
 			options.Logger.Fatal().Msgf("given config file '%s' does not exist", cfgFile)
@@ -579,6 +583,41 @@ Additional documentation is available at: https://docs.nuclei.sh/getting-started
 		if err := flagSet.MergeConfigFile(cfgFile); err != nil {
 			options.Logger.Fatal().Msgf("Could not read config: %s\n", err)
 		}
+
+		if !options.Vars.IsEmpty() {
+			// Maybe we should add vars to the config file as well even if they are set via flags?
+			file, err := os.Open(cfgFile)
+			if err != nil {
+				gologger.Fatal().Msgf("Could not open config file: %s\n", err)
+			}
+			defer func() {
+				_ = file.Close()
+			}()
+			data := make(map[string]interface{})
+			err = yaml.NewDecoder(file).Decode(&data)
+			if err != nil {
+				gologger.Fatal().Msgf("Could not decode config file: %s\n", err)
+			}
+
+			variables := data["var"]
+			if variables != nil {
+				if varSlice, ok := variables.([]interface{}); ok {
+					for _, value := range varSlice {
+						if strVal, ok := value.(string); ok {
+							err = options.Vars.Set(strVal)
+							if err != nil {
+								gologger.Warning().Msgf("Could not set variable from config file: %s\n", err)
+							}
+						} else {
+							gologger.Warning().Msgf("Skipping non-string variable in config: %#v", value)
+						}
+					}
+				} else {
+					gologger.Warning().Msgf("No 'var' section found in config file: %s", cfgFile)
+				}
+			}
+
+		}
 	}
 	if options.NewTemplatesDirectory != "" {
 		config.DefaultConfig.SetTemplatesDir(options.NewTemplatesDirectory)

cmd/tmc/main.go

@@ -243,7 +243,7 @@ func enhanceTemplate(data string) (string, bool, error) {
 		return data, false, err
 	}
 	if resp.StatusCode != 200 {
-		return data, false, errkit.New(fmt.Sprintf("unexpected status code: %v", resp.Status)).Build()
+		return data, false, errkit.New("unexpected status code: %v", resp.Status)
 	}
 	var templateResp TemplateResp
 	if err := json.NewDecoder(resp.Body).Decode(&templateResp); err != nil {
@@ -254,20 +254,20 @@ func enhanceTemplate(data string) (string, bool, error) {
 	}
 	if templateResp.ValidateErrorCount > 0 {
 		if len(templateResp.ValidateError) > 0 {
-			return data, false, errkit.New(fmt.Sprintf("validate: %s: at line %v", templateResp.ValidateError[0].Message, templateResp.ValidateError[0].Mark.Line)).Build()
+			return data, false, errkit.New(templateResp.ValidateError[0].Message+": at line %v", templateResp.ValidateError[0].Mark.Line, "tag", "validate")
 		}
-		return data, false, errkit.New("validate: validation failed").Build()
+		return data, false, errkit.New("validation failed", "tag", "validate")
 	}
 	if templateResp.Error.Name != "" {
-		return data, false, errkit.New(templateResp.Error.Name).Build()
+		return data, false, errkit.New("%s", templateResp.Error.Name)
 	}
 	if strings.TrimSpace(templateResp.Enhanced) == "" && !templateResp.Lint {
 		if templateResp.LintError.Reason != "" {
-			return data, false, errkit.New(fmt.Sprintf("lint: %s : at line %v", templateResp.LintError.Reason, templateResp.LintError.Mark.Line)).Build()
+			return data, false, errkit.New(templateResp.LintError.Reason+" : at line %v", templateResp.LintError.Mark.Line, "tag", "lint")
 		}
-		return data, false, errkit.New(fmt.Sprintf("lint: at line: %v", templateResp.LintError.Mark.Line)).Build()
+		return data, false, errkit.New("at line: %v", templateResp.LintError.Mark.Line, "tag", "lint")
 	}
-	return data, false, errkit.New("template enhance failed").Build()
+	return data, false, errkit.New("template enhance failed")
 }
 
 // formatTemplate formats template data using templateman format api
@@ -277,7 +277,7 @@ func formatTemplate(data string) (string, bool, error) {
 		return data, false, err
 	}
 	if resp.StatusCode != 200 {
-		return data, false, errkit.New(fmt.Sprintf("unexpected status code: %v", resp.Status)).Build()
+		return data, false, errkit.New("unexpected status code: %v", resp.Status)
 	}
 	var templateResp TemplateResp
 	if err := json.NewDecoder(resp.Body).Decode(&templateResp); err != nil {
@@ -288,20 +288,20 @@ func formatTemplate(data string) (string, bool, error) {
 	}
 	if templateResp.ValidateErrorCount > 0 {
 		if len(templateResp.ValidateError) > 0 {
-			return data, false, errkit.New(fmt.Sprintf("validate: %s: at line %v", templateResp.ValidateError[0].Message, templateResp.ValidateError[0].Mark.Line)).Build()
+			return data, false, errkit.New(templateResp.ValidateError[0].Message+": at line %v", templateResp.ValidateError[0].Mark.Line, "tag", "validate")
 		}
-		return data, false, errkit.New("validate: validation failed").Build()
+		return data, false, errkit.New("validation failed", "tag", "validate")
 	}
 	if templateResp.Error.Name != "" {
-		return data, false, errkit.New(templateResp.Error.Name).Build()
+		return data, false, errkit.New("%s", templateResp.Error.Name)
 	}
 	if strings.TrimSpace(templateResp.Updated) == "" && !templateResp.Lint {
 		if templateResp.LintError.Reason != "" {
-			return data, false, errkit.New(fmt.Sprintf("lint: %s : at line %v", templateResp.LintError.Reason, templateResp.LintError.Mark.Line)).Build()
+			return data, false, errkit.New(templateResp.LintError.Reason+" : at line %v", templateResp.LintError.Mark.Line, "tag", "lint")
 		}
-		return data, false, errkit.New(fmt.Sprintf("lint: at line: %v", templateResp.LintError.Mark.Line)).Build()
+		return data, false, errkit.New("at line: %v", templateResp.LintError.Mark.Line, "tag", "lint")
 	}
-	return data, false, errkit.New("template format failed").Build()
+	return data, false, errkit.New("template format failed")
 }
 
 // lintTemplate lints template data using templateman lint api
@@ -311,7 +311,7 @@ func lintTemplate(data string) (bool, error) {
 		return false, err
 	}
 	if resp.StatusCode != 200 {
-		return false, errkit.New(fmt.Sprintf("unexpected status code: %v", resp.Status)).Build()
+		return false, errkit.New("unexpected status code: %v", resp.Status)
 	}
 	var lintResp TemplateLintResp
 	if err := json.NewDecoder(resp.Body).Decode(&lintResp); err != nil {
@@ -321,9 +321,9 @@ func lintTemplate(data string) (bool, error) {
 		return true, nil
 	}
 	if lintResp.LintError.Reason != "" {
-		return false, errkit.New(fmt.Sprintf("lint: %s : at line %v", lintResp.LintError.Reason, lintResp.LintError.Mark.Line)).Build()
+		return false, errkit.New(lintResp.LintError.Reason+" : at line %v", lintResp.LintError.Mark.Line, "tag", "lint")
 	}
-	return false, errkit.New(fmt.Sprintf("lint: at line: %v", lintResp.LintError.Mark.Line)).Build()
+	return false, errkit.New("at line: %v", lintResp.LintError.Mark.Line, "tag", "lint")
 }
 
 // validateTemplate validates template data using templateman validate api
@@ -333,7 +333,7 @@ func validateTemplate(data string) (bool, error) {
 		return false, err
 	}
 	if resp.StatusCode != 200 {
-		return false, errkit.New(fmt.Sprintf("unexpected status code: %v", resp.Status)).Build()
+		return false, errkit.New("unexpected status code: %v", resp.Status)
 	}
 	var validateResp TemplateResp
 	if err := json.NewDecoder(resp.Body).Decode(&validateResp); err != nil {
@@ -344,14 +344,14 @@ func validateTemplate(data string) (bool, error) {
 	}
 	if validateResp.ValidateErrorCount > 0 {
 		if len(validateResp.ValidateError) > 0 {
-			return false, errkit.New(fmt.Sprintf("validate: %s: at line %v", validateResp.ValidateError[0].Message, validateResp.ValidateError[0].Mark.Line)).Build()
+			return false, errkit.New(validateResp.ValidateError[0].Message+": at line %v", validateResp.ValidateError[0].Mark.Line, "tag", "validate")
 		}
-		return false, errkit.New("validate: validation failed").Build()
+		return false, errkit.New("validation failed", "tag", "validate")
 	}
 	if validateResp.Error.Name != "" {
-		return false, errkit.New(validateResp.Error.Name).Build()
+		return false, errkit.New("%s", validateResp.Error.Name)
 	}
-	return false, errkit.New("template validation failed").Build()
+	return false, errkit.New("template validation failed")
 }
 
 // parseAndAddMaxRequests parses and adds max requests to templates

go.mod

@@ -1,10 +1,12 @@
 module github.com/projectdiscovery/nuclei/v3
 
-go 1.24.1
+go 1.24.2
+
+toolchain go1.24.4
 
 require (
 	github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible
-	github.com/andygrunwald/go-jira v1.16.0
+	github.com/andygrunwald/go-jira v1.16.1
 	github.com/antchfx/htmlquery v1.3.4
 	github.com/bluele/gcache v0.0.2
 	github.com/go-playground/validator/v10 v10.26.0
@@ -16,16 +18,16 @@ require (
 	github.com/json-iterator/go v1.1.12
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/logrusorgru/aurora v2.0.3+incompatible
-	github.com/miekg/dns v1.1.66
+	github.com/miekg/dns v1.1.68
 	github.com/olekukonko/tablewriter v1.0.8
 	github.com/pkg/errors v0.9.1
 	github.com/projectdiscovery/clistats v0.1.1
-	github.com/projectdiscovery/fastdialer v0.4.4
+	github.com/projectdiscovery/fastdialer v0.4.12
-	github.com/projectdiscovery/hmap v0.0.92
+	github.com/projectdiscovery/hmap v0.0.95
 	github.com/projectdiscovery/interactsh v1.2.4
 	github.com/projectdiscovery/rawhttp v0.1.90
-	github.com/projectdiscovery/retryabledns v1.0.105
+	github.com/projectdiscovery/retryabledns v1.0.108
-	github.com/projectdiscovery/retryablehttp-go v1.0.119
+	github.com/projectdiscovery/retryablehttp-go v1.0.127
 	github.com/projectdiscovery/yamldoc-go v1.0.6
 	github.com/remeh/sizedwaitgroup v1.0.0
 	github.com/rs/xid v1.6.0
@@ -35,26 +37,28 @@ require (
 	github.com/spf13/cast v1.9.2
 	github.com/syndtr/goleveldb v1.0.0
 	github.com/valyala/fasttemplate v1.2.2
-	github.com/weppos/publicsuffix-go v0.40.3-0.20250408071509-6074bbe7fd39
+	github.com/weppos/publicsuffix-go v0.50.0
 	go.uber.org/multierr v1.11.0
-	golang.org/x/net v0.41.0
+	golang.org/x/net v0.44.0
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/text v0.26.0
+	golang.org/x/text v0.29.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
-	code.gitea.io/sdk/gitea v0.21.0
+	carvel.dev/ytt v0.52.0
+	code.gitea.io/sdk/gitea v0.17.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0
 	github.com/DataDog/gostackparse v0.7.0
-	github.com/Masterminds/semver/v3 v3.4.0
+	github.com/Masterminds/semver/v3 v3.2.1
 	github.com/Mzack9999/gcache v0.0.0-20230410081825-519e28eab057
 	github.com/Mzack9999/goja v0.0.0-20250507184235-e46100e9c697
 	github.com/Mzack9999/goja_nodejs v0.0.0-20250507184139-66bcbf65c883
+	github.com/alexsnet/go-vnc v0.1.0
 	github.com/alitto/pond v1.9.2
 	github.com/antchfx/xmlquery v1.4.4
-	github.com/antchfx/xpath v1.3.4
+	github.com/antchfx/xpath v1.3.3
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
 	github.com/aws/aws-sdk-go-v2 v1.36.5
 	github.com/aws/aws-sdk-go-v2/config v1.29.17
@@ -87,49 +91,51 @@ require (
 	github.com/microsoft/go-mssqldb v1.9.2
 	github.com/ory/dockertest/v3 v3.12.0
 	github.com/praetorian-inc/fingerprintx v1.1.15
-	github.com/projectdiscovery/dsl v0.5.0
+	github.com/projectdiscovery/dsl v0.7.2
 	github.com/projectdiscovery/fasttemplate v0.0.2
 	github.com/projectdiscovery/gcache v0.0.0-20241015120333-12546c6e3f4c
 	github.com/projectdiscovery/go-smb2 v0.0.0-20240129202741-052cc450c6cb
 	github.com/projectdiscovery/goflags v0.1.74
-	github.com/projectdiscovery/gologger v1.1.54
+	github.com/projectdiscovery/gologger v1.1.57
 	github.com/projectdiscovery/gostruct v0.0.2
-	github.com/projectdiscovery/gozero v0.0.3
+	github.com/projectdiscovery/gozero v0.1.0
-	github.com/projectdiscovery/httpx v1.7.0
+	github.com/projectdiscovery/httpx v1.7.2-0.20250911192144-fc425deb041a
-	github.com/projectdiscovery/mapcidr v1.1.34
+	github.com/projectdiscovery/mapcidr v1.1.95
 	github.com/projectdiscovery/n3iwf v0.0.0-20230523120440-b8cd232ff1f5
-	github.com/projectdiscovery/networkpolicy v0.1.18
+	github.com/projectdiscovery/networkpolicy v0.1.26
-	github.com/projectdiscovery/ratelimit v0.0.81
+	github.com/projectdiscovery/ratelimit v0.0.82
 	github.com/projectdiscovery/rdap v0.9.0
 	github.com/projectdiscovery/sarif v0.0.1
-	github.com/projectdiscovery/tlsx v1.1.9
+	github.com/projectdiscovery/tlsx v1.2.1
 	github.com/projectdiscovery/uncover v1.1.0
-	github.com/projectdiscovery/useragent v0.0.101
+	github.com/projectdiscovery/useragent v0.0.102
-	github.com/projectdiscovery/utils v0.4.23
+	github.com/projectdiscovery/utils v0.6.0
-	github.com/projectdiscovery/wappalyzergo v0.2.36
+	github.com/projectdiscovery/wappalyzergo v0.2.49
 	github.com/redis/go-redis/v9 v9.11.0
 	github.com/seh-msft/burpxml v1.0.1
 	github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466
-	github.com/stretchr/testify v1.10.0
+	github.com/sijms/go-ora/v2 v2.9.0
+	github.com/stretchr/testify v1.11.1
 	github.com/tarunKoyalwar/goleak v0.0.0-20240429141123-0efa90dbdcf9
+	github.com/testcontainers/testcontainers-go v0.38.0
+	github.com/testcontainers/testcontainers-go/modules/mongodb v0.37.0
 	github.com/yassinebenaid/godump v0.11.1
 	github.com/zmap/zgrab2 v0.1.8
 	gitlab.com/gitlab-org/api/client-go v0.130.1
 	go.mongodb.org/mongo-driver v1.17.4
-	golang.org/x/term v0.32.0
+	golang.org/x/term v0.35.0
 	gopkg.in/yaml.v3 v3.0.1
 	moul.io/http2curl v1.0.0
 )
 
 require (
 	aead.dev/minisign v0.2.0 // indirect
-	dario.cat/mergo v1.0.0 // indirect
+	dario.cat/mergo v1.0.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	git.mills.io/prologic/smtpd v0.0.0-20210710122116-a525b76c287a // indirect
-	github.com/42wim/httpsig v1.2.2 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
@@ -179,27 +185,35 @@ require (
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/exp/slice v0.0.0-20250327172914-2fdc97757edf // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/cheggaaa/pb/v3 v3.1.4 // indirect
+	github.com/cheggaaa/pb/v3 v3.1.6 // indirect
 	github.com/cloudflare/cfssl v1.6.4 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/cloudwego/base64x v0.1.5 // indirect
-	github.com/cnf/structhash v0.0.0-20201127153200-e1b16c1ebc08 // indirect
+	github.com/cnf/structhash v0.0.0-20250313080605-df4c6cc74a9a // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/davidmz/go-pageant v1.0.2 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/docker/cli v27.4.1+incompatible // indirect
-	github.com/docker/docker v28.0.0+incompatible // indirect
+	github.com/docker/docker v28.3.3+incompatible // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
+	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/fgprof v0.9.5 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/free5gc/util v1.0.5-0.20230511064842-2e120956883b // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
-	github.com/gaissmai/bart v0.20.5 // indirect
+	github.com/gaissmai/bart v0.25.0 // indirect
 	github.com/geoffgarside/ber v1.1.0 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/gin-gonic/gin v1.9.1 // indirect
@@ -207,20 +221,22 @@ require (
 	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-ole/go-ole v1.2.6 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.4+incompatible // indirect
-	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/certificate-transparency-go v1.1.4 // indirect
+	github.com/google/certificate-transparency-go v1.3.2 // indirect
 	github.com/google/go-github/v30 v30.1.0 // indirect
 	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
@@ -234,6 +250,7 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hbakhtiyor/strsim v0.0.0-20190107154042-4d2bbb273edf // indirect
 	github.com/hdm/jarm-go v0.0.7 // indirect
+	github.com/iangcarroll/cookiemonster v1.6.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/itchyny/timefmt-go v0.1.6 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
@@ -243,6 +260,7 @@ require (
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
+	github.com/k14s/starlark-go v0.0.0-20200720175618-3a5c849cc368 // indirect
 	github.com/kataras/jwt v0.1.10 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
@@ -255,8 +273,9 @@ require (
 	github.com/logrusorgru/aurora/v4 v4.0.0 // indirect
 	github.com/lor00x/goldap v0.0.0-20180618054307-a546dffdd1a3 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/lufia/plan9stats v0.0.0-20250821153705-5981dea3221d // indirect
 	github.com/mackerelio/go-osstat v0.2.4 // indirect
+	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -268,12 +287,17 @@ require (
 	github.com/minio/selfupdate v0.6.1-0.20230907112617-f11e74f84ca7 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/moby/go-archive v0.1.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
+	github.com/moby/patternmatcher v0.6.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/montanaflynn/stats v0.7.1 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/nwaples/rardecode/v2 v2.1.0 // indirect
@@ -282,7 +306,7 @@ require (
 	github.com/olekukonko/errors v1.1.0 // indirect
 	github.com/olekukonko/ll v0.0.9 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runc v1.2.3 // indirect
 	github.com/openrdap/rdap v0.9.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
@@ -291,10 +315,10 @@ require (
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
+	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/projectdiscovery/asnmap v1.1.1 // indirect
 	github.com/projectdiscovery/blackrock v0.0.1 // indirect
-	github.com/projectdiscovery/cdncheck v1.1.26 // indirect
+	github.com/projectdiscovery/cdncheck v1.2.4 // indirect
 	github.com/projectdiscovery/freeport v0.0.7 // indirect
 	github.com/projectdiscovery/ldapserver v1.0.2-0.20240219154113-dcc758ebc0cb // indirect
 	github.com/projectdiscovery/machineid v0.0.0-20240226150047-2e2c51e35983 // indirect
@@ -302,6 +326,7 @@ require (
 	github.com/sashabaranov/go-openai v1.37.0 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shirou/gopsutil v3.21.11+incompatible // indirect
+	github.com/shirou/gopsutil/v4 v4.25.7 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
@@ -310,16 +335,16 @@ require (
 	github.com/tidwall/buntdb v1.3.1 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/grect v0.1.4 // indirect
-	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/match v1.2.0 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/rtred v0.1.2 // indirect
 	github.com/tidwall/tinyqueue v0.1.1 // indirect
 	github.com/tim-ywliu/nested-logrus-formatter v1.3.2 // indirect
-	github.com/tklauser/go-sysconf v0.3.12 // indirect
+	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/tklauser/numcpus v0.10.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
-	github.com/ulikunitz/xz v0.5.12 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
@@ -333,13 +358,18 @@ require (
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/ysmood/fetchup v0.2.3 // indirect
 	github.com/ysmood/got v0.40.0 // indirect
-	github.com/yuin/goldmark v1.7.8 // indirect
+	github.com/yuin/goldmark v1.7.13 // indirect
 	github.com/yuin/goldmark-emoji v1.0.5 // indirect
 	github.com/zcalusic/sysinfo v1.0.2 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
 	golang.org/x/arch v0.3.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
 	gopkg.in/djherbis/times.v1 v1.3.0 // indirect
 	mellium.im/sasl v0.3.2 // indirect
 )
@@ -360,16 +390,16 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	github.com/zmap/rc2 v0.0.0-20190804163417-abaa70531248 // indirect
 	github.com/zmap/zcrypto v0.0.0-20240512203510-0fef58d9a9db // indirect
-	go.etcd.io/bbolt v1.3.10 // indirect
+	go.etcd.io/bbolt v1.4.0 // indirect
-	go.uber.org/zap v1.25.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	goftp.io/server/v2 v2.0.1 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/crypto v0.42.0 // indirect
-	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
+	golang.org/x/exp v0.0.0-20250911091902-df9299821621
-	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/mod v0.28.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	golang.org/x/tools v0.34.0
+	golang.org/x/tools v0.37.0
-	google.golang.org/protobuf v1.35.1 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
 	gopkg.in/corvus-ch/zbase32.v1 v1.0.0 // indirect
 )
@@ -382,3 +412,10 @@ require (
 
 // https://go.dev/ref/mod#go-mod-file-retract
 retract v3.2.0 // retract due to broken js protocol issue
+
+// Fix genproto version conflicts
+replace (
+	google.golang.org/genproto => google.golang.org/genproto v0.0.0-20240814211410-ddb44dafa142
+	google.golang.org/genproto/googleapis/api => google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142
+	google.golang.org/genproto/googleapis/rpc => google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1
+)

integration_tests/fuzz/fuzz-body.yaml

@@ -0,0 +1,38 @@
+id: fuzz-body
+
+info:
+  name: fuzzing error sqli payloads in http req body
+  author: pdteam
+  severity: info
+  description: |
+    This template attempts to find SQL injection vulnerabilities by fuzzing http body
+    It automatically handles and parses json,xml,multipart form and x-www-form-urlencoded data
+    and performs fuzzing on the value of every key
+
+http:
+  - pre-condition:
+      - type: dsl
+        dsl:
+          - method != "GET"
+          - method != "HEAD"
+        condition: and
+    
+    payloads:
+      injection:
+        - "'"
+        - "\""
+        - ";"
+    
+    fuzzing:
+      - part: body
+        type: postfix
+        mode: single
+        fuzz:
+          - '{{injection}}'
+  
+    stop-at-first-match: true
+    matchers:
+      - type: word
+        words:
+          - "unrecognized token:"
+          - "null"

integration_tests/protocols/javascript/vnc-pass-brute.yaml

@@ -0,0 +1,38 @@
+id: vnc-password-test
+
+info:
+  name: VNC Password Authentication Test
+  author: pdteam
+  severity: high
+  description: |
+    Tests VNC authentication with correct and incorrect passwords.
+  metadata:
+    shodan-query: product:"vnc"
+  tags: js,network,vnc,authentication
+
+javascript:
+  - pre-condition: |
+      isPortOpen(Host,Port)
+
+    code: |
+      let vnc = require('nuclei/vnc');
+      let client = new vnc.VNCClient();
+      client.Connect(Host, Port, Password);
+
+    args:
+      Host: "{{Host}}"
+      Port: "5900"
+      Password: "{{passwords}}"
+    payloads:
+      passwords:
+        - ""
+        - root
+        - password
+        - admin
+        - mysecret
+    stop-at-first-match: true
+      
+    matchers:
+      - type: dsl
+        dsl:
+          - "success == true"

internal/pdcp/writer.go

@@ -77,11 +77,11 @@ func NewUploadWriter(ctx context.Context, logger *gologger.Logger, creds *pdcpau
 		output.WithJson(true, true),
 	)
 	if err != nil {
-		return nil, errkit.Append(errkit.New("could not create output writer"), err)
+		return nil, errkit.Wrap(err, "could not create output writer")
 	}
 	tmp, err := urlutil.Parse(creds.Server)
 	if err != nil {
-		return nil, errkit.Append(errkit.New("could not parse server url"), err)
+		return nil, errkit.Wrap(err, "could not parse server url")
 	}
 	tmp.Path = uploadEndpoint
 	tmp.Update()
@@ -199,7 +199,7 @@ func (u *UploadWriter) autoCommit(ctx context.Context, r *io.PipeReader) {
 // uploadChunk uploads a chunk of data to the server
 func (u *UploadWriter) uploadChunk(buff *bytes.Buffer) error {
 	if err := u.upload(buff.Bytes()); err != nil {
-		return errkit.Append(errkit.New("could not upload chunk"), err)
+		return errkit.Wrap(err, "could not upload chunk")
 	}
 	// if successful, reset the buffer
 	buff.Reset()
@@ -211,25 +211,25 @@ func (u *UploadWriter) uploadChunk(buff *bytes.Buffer) error {
 func (u *UploadWriter) upload(data []byte) error {
 	req, err := u.getRequest(data)
 	if err != nil {
-		return errkit.Append(errkit.New("could not create upload request"), err)
+		return errkit.Wrap(err, "could not create upload request")
 	}
 	resp, err := u.client.Do(req)
 	if err != nil {
-		return errkit.Append(errkit.New("could not upload results"), err)
+		return errkit.Wrap(err, "could not upload results")
 	}
 	defer func() {
 		_ = resp.Body.Close()
 	}()
 	bin, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return errkit.Append(errkit.New("could not get id from response"), err)
+		return errkit.Wrap(err, "could not get id from response")
 	}
 	if resp.StatusCode != http.StatusOK {
 		return fmt.Errorf("could not upload results got status code %v on %v", resp.StatusCode, resp.Request.URL.String())
 	}
 	var uploadResp uploadResponse
 	if err := json.Unmarshal(bin, &uploadResp); err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("could not unmarshal response got %v", string(bin))), err)
+		return errkit.Wrap(err, fmt.Sprintf("could not unmarshal response got %v", string(bin)))
 	}
 	if uploadResp.ID != "" && u.scanID == "" {
 		u.scanID = uploadResp.ID
@@ -254,7 +254,7 @@ func (u *UploadWriter) getRequest(bin []byte) (*retryablehttp.Request, error) {
 	}
 	req, err := retryablehttp.NewRequest(method, url, bytes.NewReader(bin))
 	if err != nil {
-		return nil, errkit.Append(errkit.New("could not create cloud upload request"), err)
+		return nil, errkit.Wrap(err, "could not create cloud upload request")
 	}
 	// add pdtm meta params
 	req.Params.Merge(updateutils.GetpdtmParams(config.Version))

internal/runner/lazy.go

@@ -32,7 +32,7 @@ func GetAuthTmplStore(opts *types.Options, catalog catalog.Catalog, execOpts *pr
 	for _, file := range opts.SecretsFile {
 		data, err := authx.GetTemplatePathsFromSecretFile(file)
 		if err != nil {
-			return nil, errkit.Append(errkit.New("failed to get template paths from secrets file"), err)
+			return nil, errkit.Wrap(err, "failed to get template paths from secrets file")
 		}
 		tmpls = append(tmpls, data...)
 	}
@@ -58,7 +58,7 @@ func GetAuthTmplStore(opts *types.Options, catalog catalog.Catalog, execOpts *pr
 	cfg.StoreId = loader.AuthStoreId
 	store, err := loader.New(cfg)
 	if err != nil {
-		return nil, errkit.Append(errkit.New("failed to initialize dynamic auth templates store"), err)
+		return nil, errkit.Wrap(err, "failed to initialize dynamic auth templates store")
 	}
 	return store, nil
 }

internal/runner/proxy.go

@@ -50,7 +50,7 @@ func loadProxyServers(options *types.Options) error {
 	}
 	proxyURL, err := url.Parse(aliveProxy)
 	if err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("failed to parse proxy got %v", err)), err)
+		return errkit.Wrapf(err, "failed to parse proxy got %v", err)
 	}
 	if options.ProxyInternal {
 		_ = os.Setenv(HTTP_PROXY_ENV, proxyURL.String())

internal/runner/runner.go

@@ -384,11 +384,7 @@ func New(options *types.Options) (*Runner, error) {
 	if options.RateLimit > 0 && options.RateLimitDuration == 0 {
 		options.RateLimitDuration = time.Second
 	}
-	if options.RateLimit == 0 && options.RateLimitDuration == 0 {
+	runner.rateLimiter = utils.GetRateLimiter(context.Background(), options.RateLimit, options.RateLimitDuration)
-		runner.rateLimiter = ratelimit.NewUnlimited(context.Background())
-	} else {
-		runner.rateLimiter = ratelimit.New(context.Background(), uint(options.RateLimit), options.RateLimitDuration)
-	}
 
 	if tmpDir, err := os.MkdirTemp("", "nuclei-tmp-*"); err == nil {
 		runner.tmpDir = tmpDir

lib/config.go

@@ -7,7 +7,8 @@ import (
 
 	"github.com/projectdiscovery/goflags"
 	"github.com/projectdiscovery/gologger"
-	"github.com/projectdiscovery/ratelimit"
+	"github.com/projectdiscovery/nuclei/v3/pkg/utils"
+	"github.com/projectdiscovery/utils/errkit"
 
 	"github.com/projectdiscovery/nuclei/v3/pkg/authprovider"
 	"github.com/projectdiscovery/nuclei/v3/pkg/catalog"
@@ -102,7 +103,7 @@ type InteractshOpts interactsh.Options
 func WithInteractshOptions(opts InteractshOpts) NucleiSDKOptions {
 	return func(e *NucleiEngine) error {
 		if e.mode == threadSafe {
-			return ErrOptionsNotSupported("WithInteractshOptions")
+			return errkit.Wrap(ErrOptionsNotSupported, "WithInteractshOptions")
 		}
 		optsPtr := &opts
 		e.interactshOpts = (*interactsh.Options)(optsPtr)
@@ -180,7 +181,7 @@ func WithGlobalRateLimitCtx(ctx context.Context, maxTokens int, duration time.Du
 	return func(e *NucleiEngine) error {
 		e.opts.RateLimit = maxTokens
 		e.opts.RateLimitDuration = duration
-		e.rateLimiter = ratelimit.New(ctx, uint(e.opts.RateLimit), e.opts.RateLimitDuration)
+		e.rateLimiter = utils.GetRateLimiter(ctx, e.opts.RateLimit, e.opts.RateLimitDuration)
 		return nil
 	}
 }
@@ -229,7 +230,7 @@ type StatsOptions struct {
 func EnableStatsWithOpts(opts StatsOptions) NucleiSDKOptions {
 	return func(e *NucleiEngine) error {
 		if e.mode == threadSafe {
-			return ErrOptionsNotSupported("EnableStatsWithOpts")
+			return errkit.Wrap(ErrOptionsNotSupported, "EnableStatsWithOpts")
 		}
 		if opts.Interval == 0 {
 			opts.Interval = 5 //sec
@@ -257,7 +258,7 @@ type VerbosityOptions struct {
 func WithVerbosity(opts VerbosityOptions) NucleiSDKOptions {
 	return func(e *NucleiEngine) error {
 		if e.mode == threadSafe {
-			return ErrOptionsNotSupported("WithVerbosity")
+			return errkit.Wrap(ErrOptionsNotSupported, "WithVerbosity")
 		}
 		e.opts.Verbose = opts.Verbose
 		e.opts.Silent = opts.Silent
@@ -290,7 +291,7 @@ type NetworkConfig struct {
 func WithNetworkConfig(opts NetworkConfig) NucleiSDKOptions {
 	return func(e *NucleiEngine) error {
 		if e.mode == threadSafe {
-			return ErrOptionsNotSupported("WithNetworkConfig")
+			return errkit.Wrap(ErrOptionsNotSupported, "WithNetworkConfig")
 		}
 		e.opts.NoHostErrors = opts.DisableMaxHostErr
 		e.opts.MaxHostError = opts.MaxHostError
@@ -321,7 +322,7 @@ func WithNetworkConfig(opts NetworkConfig) NucleiSDKOptions {
 func WithProxy(proxy []string, proxyInternalRequests bool) NucleiSDKOptions {
 	return func(e *NucleiEngine) error {
 		if e.mode == threadSafe {
-			return ErrOptionsNotSupported("WithProxy")
+			return errkit.Wrap(ErrOptionsNotSupported, "WithProxy")
 		}
 		e.opts.Proxy = proxy
 		e.opts.ProxyInternal = proxyInternalRequests
@@ -346,7 +347,7 @@ type OutputWriter output.Writer
 func UseOutputWriter(writer OutputWriter) NucleiSDKOptions {
 	return func(e *NucleiEngine) error {
 		if e.mode == threadSafe {
-			return ErrOptionsNotSupported("UseOutputWriter")
+			return errkit.Wrap(ErrOptionsNotSupported, "UseOutputWriter")
 		}
 		e.customWriter = writer
 		return nil
@@ -361,7 +362,7 @@ type StatsWriter progress.Progress
 func UseStatsWriter(writer StatsWriter) NucleiSDKOptions {
 	return func(e *NucleiEngine) error {
 		if e.mode == threadSafe {
-			return ErrOptionsNotSupported("UseStatsWriter")
+			return errkit.Wrap(ErrOptionsNotSupported, "UseStatsWriter")
 		}
 		e.customProgress = writer
 		return nil
@@ -375,7 +376,7 @@ func UseStatsWriter(writer StatsWriter) NucleiSDKOptions {
 func WithTemplateUpdateCallback(disableTemplatesAutoUpgrade bool, callback func(newVersion string)) NucleiSDKOptions {
 	return func(e *NucleiEngine) error {
 		if e.mode == threadSafe {
-			return ErrOptionsNotSupported("WithTemplateUpdateCallback")
+			return errkit.Wrap(ErrOptionsNotSupported, "WithTemplateUpdateCallback")
 		}
 		e.disableTemplatesAutoUpgrade = disableTemplatesAutoUpgrade
 		e.onUpdateAvailableCallback = callback
@@ -387,7 +388,7 @@ func WithTemplateUpdateCallback(disableTemplatesAutoUpgrade bool, callback func(
 func WithSandboxOptions(allowLocalFileAccess bool, restrictLocalNetworkAccess bool) NucleiSDKOptions {
 	return func(e *NucleiEngine) error {
 		if e.mode == threadSafe {
-			return ErrOptionsNotSupported("WithSandboxOptions")
+			return errkit.Wrap(ErrOptionsNotSupported, "WithSandboxOptions")
 		}
 		e.opts.AllowLocalFileAccess = allowLocalFileAccess
 		e.opts.RestrictLocalNetworkAccess = restrictLocalNetworkAccess

lib/multi.go

@@ -12,7 +12,7 @@ import (
 	"github.com/projectdiscovery/nuclei/v3/pkg/output"
 	"github.com/projectdiscovery/nuclei/v3/pkg/protocols"
 	"github.com/projectdiscovery/nuclei/v3/pkg/types"
-	"github.com/projectdiscovery/ratelimit"
+	"github.com/projectdiscovery/nuclei/v3/pkg/utils"
 	"github.com/projectdiscovery/utils/errkit"
 	"github.com/rs/xid"
 )
@@ -53,11 +53,7 @@ func createEphemeralObjects(ctx context.Context, base *NucleiEngine, opts *types
 	if opts.RateLimit > 0 && opts.RateLimitDuration == 0 {
 		opts.RateLimitDuration = time.Second
 	}
-	if opts.RateLimit == 0 && opts.RateLimitDuration == 0 {
+	u.executerOpts.RateLimiter = utils.GetRateLimiter(ctx, opts.RateLimit, opts.RateLimitDuration)
-		u.executerOpts.RateLimiter = ratelimit.NewUnlimited(ctx)
-	} else {
-		u.executerOpts.RateLimiter = ratelimit.New(ctx, uint(opts.RateLimit), opts.RateLimitDuration)
-	}
 	u.engine = core.New(opts)
 	u.engine.SetExecuterOptions(u.executerOpts)
 	return u, nil
@@ -147,13 +143,13 @@ func (e *ThreadSafeNucleiEngine) ExecuteNucleiWithOptsCtx(ctx context.Context, t
 	// load templates
 	workflowLoader, err := workflow.NewLoader(unsafeOpts.executerOpts)
 	if err != nil {
-		return errkit.Append(errkit.New("Could not create workflow loader"), err)
+		return errkit.Wrapf(err, "Could not create workflow loader: %s", err)
 	}
 	unsafeOpts.executerOpts.WorkflowLoader = workflowLoader
 
 	store, err := loader.New(loader.NewConfig(tmpEngine.opts, e.eng.catalog, unsafeOpts.executerOpts))
 	if err != nil {
-		return errkit.Append(errkit.New("Could not create loader client"), err)
+		return errkit.Wrapf(err, "Could not create loader client: %s", err)
 	}
 	store.Load()
 

lib/sdk.go

@@ -4,7 +4,6 @@ import (
 	"bufio"
 	"bytes"
 	"context"
-	"fmt"
 	"io"
 	"sync"
 
@@ -38,18 +37,15 @@ type NucleiSDKOptions func(e *NucleiEngine) error
 
 var (
 	// ErrNotImplemented is returned when a feature is not implemented
-	ErrNotImplemented = errkit.New("Not implemented").Build()
+	ErrNotImplemented = errkit.New("Not implemented")
 	// ErrNoTemplatesAvailable is returned when no templates are available to execute
-	ErrNoTemplatesAvailable = errkit.New("No templates available").Build()
+	ErrNoTemplatesAvailable = errkit.New("No templates available")
 	// ErrNoTargetsAvailable is returned when no targets are available to scan
-	ErrNoTargetsAvailable = errkit.New("No targets available").Build()
+	ErrNoTargetsAvailable = errkit.New("No targets available")
+	// ErrOptionsNotSupported is returned when an option is not supported in thread safe mode
+	ErrOptionsNotSupported = errkit.New("Option not supported in thread safe mode")
 )
 
-// ErrOptionsNotSupported returns an error when an option is not supported in thread safe mode
-func ErrOptionsNotSupported(option string) error {
-	return errkit.New(fmt.Sprintf("Option %v not supported in thread safe mode", option)).Build()
-}
-
 type engineMode uint
 
 const (
@@ -102,13 +98,13 @@ type NucleiEngine struct {
 func (e *NucleiEngine) LoadAllTemplates() error {
 	workflowLoader, err := workflow.NewLoader(e.executerOpts)
 	if err != nil {
-		return errkit.Append(errkit.New("Could not create workflow loader"), err)
+		return errkit.Wrapf(err, "Could not create workflow loader: %s", err)
 	}
 	e.executerOpts.WorkflowLoader = workflowLoader
 
 	e.store, err = loader.New(loader.NewConfig(e.opts, e.catalog, e.executerOpts))
 	if err != nil {
-		return errkit.Append(errkit.New("Could not create loader client"), err)
+		return errkit.Wrapf(err, "Could not create loader client: %s", err)
 	}
 	e.store.Load()
 	e.templatesLoaded = true

pkg/authprovider/authx/dynamic.go

@@ -3,7 +3,7 @@ package authx
 import (
 	"fmt"
 	"strings"
-	"sync"
+	"sync/atomic"
 
 	"github.com/projectdiscovery/gologger"
 	"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/replacer"
@@ -30,8 +30,8 @@ type Dynamic struct {
 	Input         string                 `json:"input" yaml:"input"` // (optional) target for the dynamic secret
 	Extracted     map[string]interface{} `json:"-" yaml:"-"`         // extracted values from the dynamic secret
 	fetchCallback LazyFetchSecret        `json:"-" yaml:"-"`
-	m             *sync.Mutex            `json:"-" yaml:"-"` // mutex for lazy fetch
+	fetched       *atomic.Bool           `json:"-" yaml:"-"` // atomic flag to check if the secret has been fetched
-	fetched       bool                   `json:"-" yaml:"-"` // flag to check if the secret has been fetched
+	fetching      *atomic.Bool           `json:"-" yaml:"-"` // atomic flag to prevent recursive fetch calls
 	error         error                  `json:"-" yaml:"-"` // error if any
 }
 
@@ -53,7 +53,7 @@ func (d *Dynamic) GetDomainAndDomainRegex() ([]string, []string) {
 
 func (d *Dynamic) UnmarshalJSON(data []byte) error {
 	if d == nil {
-		return errkit.New("cannot unmarshal into nil Dynamic struct").Build()
+		return errkit.New("cannot unmarshal into nil Dynamic struct")
 	}
 
 	// Use an alias type (auxiliary) to avoid a recursive call in this method.
@@ -70,12 +70,13 @@ func (d *Dynamic) UnmarshalJSON(data []byte) error {
 
 // Validate validates the dynamic secret
 func (d *Dynamic) Validate() error {
-	d.m = &sync.Mutex{}
+	d.fetched = &atomic.Bool{}
+	d.fetching = &atomic.Bool{}
 	if d.TemplatePath == "" {
-		return errkit.New(" template-path is required for dynamic secret").Build()
+		return errkit.New(" template-path is required for dynamic secret")
 	}
 	if len(d.Variables) == 0 {
-		return errkit.New("variables are required for dynamic secret").Build()
+		return errkit.New("variables are required for dynamic secret")
 	}
 
 	if d.Secret != nil {
@@ -97,9 +98,7 @@ func (d *Dynamic) Validate() error {
 func (d *Dynamic) SetLazyFetchCallback(callback LazyFetchSecret) {
 	d.fetchCallback = func(d *Dynamic) error {
 		err := callback(d)
-		d.fetched = true
 		if err != nil {
-			d.error = err
 			return err
 		}
 		if len(d.Extracted) == 0 {
@@ -184,9 +183,15 @@ func (d *Dynamic) applyValuesToSecret(secret *Secret) error {
 
 // GetStrategy returns the auth strategies for the dynamic secret
 func (d *Dynamic) GetStrategies() []AuthStrategy {
-	if !d.fetched {
+	if d.fetched.Load() {
+		if d.error != nil {
+			return nil
+		}
+	} else {
+		// Try to fetch if not already fetched
 		_ = d.Fetch(true)
 	}
+
 	if d.error != nil {
 		return nil
 	}
@@ -203,12 +208,23 @@ func (d *Dynamic) GetStrategies() []AuthStrategy {
 // Fetch fetches the dynamic secret
 // if isFatal is true, it will stop the execution if the secret could not be fetched
 func (d *Dynamic) Fetch(isFatal bool) error {
-	d.m.Lock()
+	if d.fetched.Load() {
-	defer d.m.Unlock()
+		return d.error
-	if d.fetched {
-		return nil
 	}
+
+	// Try to set fetching flag atomically
+	if !d.fetching.CompareAndSwap(false, true) {
+		// Already fetching, return current error
+		return d.error
+	}
+
+	// We're the only one fetching, call the callback
 	d.error = d.fetchCallback(d)
+
+	// Mark as fetched and clear fetching flag
+	d.fetched.Store(true)
+	d.fetching.Store(false)
+
 	if d.error != nil && isFatal {
 		gologger.Fatal().Msgf("Could not fetch dynamic secret: %s\n", d.error)
 	}

pkg/authprovider/authx/file.go

@@ -55,7 +55,7 @@ type Secret struct {
 	Type            string   `json:"type" yaml:"type"`
 	Domains         []string `json:"domains" yaml:"domains"`
 	DomainsRegex    []string `json:"domains-regex" yaml:"domains-regex"`
-	Headers         []KV     `json:"headers" yaml:"headers"`
+	Headers         []KV     `json:"headers" yaml:"headers"` // Headers preserve exact casing (useful for case-sensitive APIs)
 	Cookies         []Cookie `json:"cookies" yaml:"cookies"`
 	Params          []KV     `json:"params" yaml:"params"`
 	Username        string   `json:"username" yaml:"username"` // can be either email or username
@@ -148,7 +148,7 @@ func (s *Secret) Validate() error {
 }
 
 type KV struct {
-	Key   string `json:"key" yaml:"key"`
+	Key   string `json:"key" yaml:"key"`   // Header key (preserves exact casing)
 	Value string `json:"value" yaml:"value"`
 }
 
@@ -237,7 +237,9 @@ func GetAuthDataFromYAML(data []byte) (*Authx, error) {
 	var auth Authx
 	err := yaml.Unmarshal(data, &auth)
 	if err != nil {
-		return nil, errkit.Append(errkit.New("could not unmarshal yaml"), err)
+		errorErr := errkit.FromError(err)
+		errorErr.Msgf("could not unmarshal yaml")
+		return nil, errorErr
 	}
 	return &auth, nil
 }
@@ -247,7 +249,9 @@ func GetAuthDataFromJSON(data []byte) (*Authx, error) {
 	var auth Authx
 	err := json.Unmarshal(data, &auth)
 	if err != nil {
-		return nil, errkit.Append(errkit.New("could not unmarshal json"), err)
+		errorErr := errkit.FromError(err)
+		errorErr.Msgf("could not unmarshal json")
+		return nil, errorErr
 	}
 	return &auth, nil
 }

pkg/authprovider/authx/headers_auth.go

@@ -21,15 +21,19 @@ func NewHeadersAuthStrategy(data *Secret) *HeadersAuthStrategy {
 }
 
 // Apply applies the headers auth strategy to the request
+// NOTE: This preserves exact header casing (e.g., barAuthToken stays as barAuthToken)
+// This is useful for APIs that require case-sensitive header names
 func (s *HeadersAuthStrategy) Apply(req *http.Request) {
 	for _, header := range s.Data.Headers {
-		req.Header.Set(header.Key, header.Value)
+		req.Header[header.Key] = []string{header.Value}
 	}
 }
 
 // ApplyOnRR applies the headers auth strategy to the retryable request
+// NOTE: This preserves exact header casing (e.g., barAuthToken stays as barAuthToken)
+// This is useful for APIs that require case-sensitive header names
 func (s *HeadersAuthStrategy) ApplyOnRR(req *retryablehttp.Request) {
 	for _, header := range s.Data.Headers {
-		req.Header.Set(header.Key, header.Value)
+		req.Header[header.Key] = []string{header.Value}
 	}
 }

pkg/authprovider/authx/testData/example-auth.yaml

@@ -12,6 +12,8 @@ info:
 # static secrets
 static:
   # for header based auth session
+  # NOTE: Headers preserve exact casing (e.g., x-pdcp-key stays as x-pdcp-key)
+  # This is useful for APIs that require case-sensitive header names
   - type: header
     domains:
       - api.projectdiscovery.io
@@ -20,6 +22,8 @@ static:
     headers:
       - key: x-pdcp-key
         value: <api-key-here>
+      - key: barAuthToken
+        value: <auth-token-here>
 
   # for query based auth session
   - type: Query

pkg/authprovider/file.go

@@ -1,7 +1,6 @@
 package authprovider
 
 import (
-	"fmt"
 	"net"
 	"net/url"
 	"regexp"
@@ -31,16 +30,20 @@ func NewFileAuthProvider(path string, callback authx.LazyFetchSecret) (AuthProvi
 		return nil, ErrNoSecrets
 	}
 	if len(store.Dynamic) > 0 && callback == nil {
-		return nil, errkit.New("lazy fetch callback is required for dynamic secrets").Build()
+		return nil, errkit.New("lazy fetch callback is required for dynamic secrets")
 	}
 	for _, secret := range store.Secrets {
 		if err := secret.Validate(); err != nil {
-			return nil, errkit.Append(errkit.New(fmt.Sprintf("invalid secret in file: %s", path)), err)
+			errorErr := errkit.FromError(err)
+			errorErr.Msgf("invalid secret in file: %s", path)
+			return nil, errorErr
 		}
 	}
 	for i, dynamic := range store.Dynamic {
 		if err := dynamic.Validate(); err != nil {
-			return nil, errkit.Append(errkit.New(fmt.Sprintf("invalid dynamic in file: %s", path)), err)
+			errorErr := errkit.FromError(err)
+			errorErr.Msgf("invalid dynamic in file: %s", path)
+			return nil, errorErr
 		}
 		dynamic.SetLazyFetchCallback(callback)
 		store.Dynamic[i] = dynamic

pkg/catalog/config/constants.go

@@ -31,7 +31,7 @@ const (
 	CLIConfigFileName               = "config.yaml"
 	ReportingConfigFilename         = "reporting-config.yaml"
 	// Version is the current version of nuclei
-	Version = `v3.4.8`
+	Version = `v3.4.10`
 	// Directory Names of custom templates
 	CustomS3TemplatesDirName     = "s3"
 	CustomGitHubTemplatesDirName = "github"

pkg/catalog/config/ignorefile.go

@@ -2,7 +2,6 @@ package config
 
 import (
 	"os"
-	"runtime/debug"
 
 	"github.com/projectdiscovery/gologger"
 	"gopkg.in/yaml.v2"
@@ -18,7 +17,7 @@ type IgnoreFile struct {
 func ReadIgnoreFile() IgnoreFile {
 	file, err := os.Open(DefaultConfig.GetIgnoreFilePath())
 	if err != nil {
-		gologger.Error().Msgf("Could not read nuclei-ignore file: %s\n%s\n", err, string(debug.Stack()))
+		gologger.Error().Msgf("Could not read nuclei-ignore file: %s\n", err)
 		return IgnoreFile{}
 	}
 	defer func() {

pkg/catalog/config/nucleiconfig.go

@@ -140,13 +140,13 @@ func (c *Config) UpdateNucleiIgnoreHash() error {
 	if fileutil.FileExists(ignoreFilePath) {
 		bin, err := os.ReadFile(ignoreFilePath)
 		if err != nil {
-			return errkit.Append(errkit.New("could not read nuclei ignore file"), err)
+			return errkit.Newf("could not read nuclei ignore file: %v", err)
 		}
 		c.NucleiIgnoreHash = fmt.Sprintf("%x", md5.Sum(bin))
 		// write config to disk
 		return c.WriteTemplatesConfig()
 	}
-	return errkit.New("config: ignore file not found: could not update nuclei ignore hash").Build()
+	return errkit.New("ignore file not found: could not update nuclei ignore hash")
 }
 
 // GetConfigDir returns the nuclei configuration directory
@@ -257,7 +257,7 @@ func (c *Config) SetTemplatesVersion(version string) error {
 	c.TemplateVersion = version
 	// write config to disk
 	if err := c.WriteTemplatesConfig(); err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("could not write nuclei config file at %s", c.getTemplatesConfigFilePath())), err)
+		return errkit.Newf("could not write nuclei config file at %s: %v", c.getTemplatesConfigFilePath(), err)
 	}
 	return nil
 }
@@ -265,15 +265,15 @@ func (c *Config) SetTemplatesVersion(version string) error {
 // ReadTemplatesConfig reads the nuclei templates config file
 func (c *Config) ReadTemplatesConfig() error {
 	if !fileutil.FileExists(c.getTemplatesConfigFilePath()) {
-		return errkit.New(fmt.Sprintf("config: nuclei config file at %s does not exist", c.getTemplatesConfigFilePath())).Build()
+		return errkit.Newf("nuclei config file at %s does not exist", c.getTemplatesConfigFilePath())
 	}
 	var cfg *Config
 	bin, err := os.ReadFile(c.getTemplatesConfigFilePath())
 	if err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("could not read nuclei config file at %s", c.getTemplatesConfigFilePath())), err)
+		return errkit.Newf("could not read nuclei config file at %s: %v", c.getTemplatesConfigFilePath(), err)
 	}
 	if err := json.Unmarshal(bin, &cfg); err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("could not unmarshal nuclei config file at %s", c.getTemplatesConfigFilePath())), err)
+		return errkit.Newf("could not unmarshal nuclei config file at %s: %v", c.getTemplatesConfigFilePath(), err)
 	}
 	// apply config
 	c.TemplatesDirectory = cfg.TemplatesDirectory
@@ -292,10 +292,10 @@ func (c *Config) WriteTemplatesConfig() error {
 	}
 	bin, err := json.Marshal(c)
 	if err != nil {
-		return errkit.Append(errkit.New("failed to marshal nuclei config"), err)
+		return errkit.Newf("failed to marshal nuclei config: %v", err)
 	}
 	if err = os.WriteFile(c.getTemplatesConfigFilePath(), bin, 0600); err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("failed to write nuclei config file at %s", c.getTemplatesConfigFilePath())), err)
+		return errkit.Newf("failed to write nuclei config file at %s: %v", c.getTemplatesConfigFilePath(), err)
 	}
 	return nil
 }
@@ -319,7 +319,7 @@ func (c *Config) getTemplatesConfigFilePath() string {
 func (c *Config) createConfigDirIfNotExists() error {
 	if !fileutil.FolderExists(c.configDir) {
 		if err := fileutil.CreateFolder(c.configDir); err != nil {
-			return errkit.Append(errkit.New(fmt.Sprintf("could not create nuclei config directory at %s", c.configDir)), err)
+			return errkit.Newf("could not create nuclei config directory at %s: %v", c.configDir, err)
 		}
 	}
 	return nil

pkg/catalog/config/template.go

@@ -12,7 +12,10 @@ import (
 	stringsutil "github.com/projectdiscovery/utils/strings"
 )
 
-var knownConfigFiles = []string{"cves.json", "contributors.json", "TEMPLATES-STATS.json"}
+var (
+	knownConfigFiles     = []string{"cves.json", "contributors.json", "TEMPLATES-STATS.json"}
+	knownMiscDirectories = []string{".git", ".github", "helpers"}
+)
 
 // TemplateFormat
 type TemplateFormat uint8
@@ -23,6 +26,25 @@ const (
 	Unknown
 )
 
+// GetKnownConfigFiles returns known config files.
+func GetKnownConfigFiles() []string {
+	return knownConfigFiles
+}
+
+// GetKnownMiscDirectories returns known misc directories with trailing slashes.
+//
+// The trailing slash ensures that directory matching is explicit and avoids
+// falsely match files with similar names (e.g. "helpers" matching
+// "some-helpers.yaml"), since [IsTemplate] checks against normalized full paths.
+func GetKnownMiscDirectories() []string {
+	trailedSlashDirs := make([]string, 0, len(knownMiscDirectories))
+	for _, dir := range knownMiscDirectories {
+		trailedSlashDirs = append(trailedSlashDirs, dir+string(os.PathSeparator))
+	}
+
+	return trailedSlashDirs
+}
+
 // GetTemplateFormatFromExt returns template format
 func GetTemplateFormatFromExt(filePath string) TemplateFormat {
 	fileExt := strings.ToLower(filepath.Ext(filePath))
@@ -41,13 +63,22 @@ func GetSupportTemplateFileExtensions() []string {
 	return []string{extensions.YAML, extensions.JSON}
 }
 
-// IsTemplate is a callback function used by goflags to decide if given file should be read
+// IsTemplate returns true if the file is a template based on its path.
-// if it is not a nuclei-template file only then file is read
+// It used by goflags and other places to filter out non-template files.
-func IsTemplate(filename string) bool {
+func IsTemplate(fpath string) bool {
-	if stringsutil.ContainsAny(filename, knownConfigFiles...) {
+	fpath = filepath.FromSlash(fpath)
+	fname := filepath.Base(fpath)
+	fext := strings.ToLower(filepath.Ext(fpath))
+
+	if stringsutil.ContainsAny(fname, GetKnownConfigFiles()...) {
 		return false
 	}
-	return stringsutil.EqualFoldAny(filepath.Ext(filename), GetSupportTemplateFileExtensions()...)
+
+	if stringsutil.ContainsAny(fpath, GetKnownMiscDirectories()...) {
+		return false
+	}
+
+	return stringsutil.EqualFoldAny(fext, GetSupportTemplateFileExtensions()...)
 }
 
 type template struct {

pkg/catalog/disk/find.go

@@ -257,7 +257,7 @@ func (c *DiskCatalog) findDirectoryMatches(absPath string, processed map[string]
 				if err != nil {
 					return nil
 				}
-				if !d.IsDir() && config.GetTemplateFormatFromExt(path) != config.Unknown {
+				if !d.IsDir() && config.IsTemplate(path) {
 					if _, ok := processed[path]; !ok {
 						results = append(results, path)
 						processed[path] = struct{}{}
@@ -281,7 +281,7 @@ func (c *DiskCatalog) findDirectoryMatches(absPath string, processed map[string]
 				if err != nil {
 					return nil
 				}
-				if !d.IsDir() && config.GetTemplateFormatFromExt(path) != config.Unknown {
+				if !d.IsDir() && config.IsTemplate(path) {
 					if _, ok := processed[path]; !ok {
 						results = append(results, path)
 						processed[path] = struct{}{}

pkg/catalog/loader/ai_loader.go

@@ -3,7 +3,6 @@ package loader
 import (
 	"bytes"
 	"encoding/json"
-	"fmt"
 	"io"
 	"net/http"
 	"os"
@@ -34,27 +33,27 @@ type AITemplateResponse struct {
 func getAIGeneratedTemplates(prompt string, options *types.Options) ([]string, error) {
 	prompt = strings.TrimSpace(prompt)
 	if len(prompt) < 5 {
-		return nil, errkit.New("Prompt is too short. Please provide a more descriptive prompt").Build()
+		return nil, errkit.Newf("Prompt is too short. Please provide a more descriptive prompt")
 	}
 
 	if len(prompt) > 3000 {
-		return nil, errkit.New("Prompt is too long. Please limit to 3000 characters").Build()
+		return nil, errkit.Newf("Prompt is too long. Please limit to 3000 characters")
 	}
 
 	template, templateID, err := generateAITemplate(prompt)
 	if err != nil {
-		return nil, errkit.New(fmt.Sprintf("Failed to generate template: %v", err)).Build()
+		return nil, errkit.Newf("Failed to generate template: %v", err)
 	}
 
 	pdcpTemplateDir := filepath.Join(config.DefaultConfig.GetTemplateDir(), "pdcp")
 	if err := os.MkdirAll(pdcpTemplateDir, 0755); err != nil {
-		return nil, errkit.New(fmt.Sprintf("Failed to create pdcp template directory: %v", err)).Build()
+		return nil, errkit.Newf("Failed to create pdcp template directory: %v", err)
 	}
 
 	templateFile := filepath.Join(pdcpTemplateDir, templateID+".yaml")
 	err = os.WriteFile(templateFile, []byte(template), 0644)
 	if err != nil {
-		return nil, errkit.New(fmt.Sprintf("Failed to generate template: %v", err)).Build()
+		return nil, errkit.Newf("Failed to generate template: %v", err)
 	}
 
 	options.Logger.Info().Msgf("Generated template available at: https://cloud.projectdiscovery.io/templates/%s", templateID)
@@ -92,22 +91,22 @@ func generateAITemplate(prompt string) (string, string, error) {
 	}
 	jsonBody, err := json.Marshal(reqBody)
 	if err != nil {
-		return "", "", errkit.New(fmt.Sprintf("Failed to marshal request body: %v", err)).Build()
+		return "", "", errkit.Newf("Failed to marshal request body: %v", err)
 	}
 
 	req, err := http.NewRequest(http.MethodPost, aiTemplateGeneratorAPIEndpoint, bytes.NewBuffer(jsonBody))
 	if err != nil {
-		return "", "", errkit.New(fmt.Sprintf("Failed to create HTTP request: %v", err)).Build()
+		return "", "", errkit.Newf("Failed to create HTTP request: %v", err)
 	}
 
 	ph := pdcpauth.PDCPCredHandler{}
 	creds, err := ph.GetCreds()
 	if err != nil {
-		return "", "", errkit.New(fmt.Sprintf("Failed to get PDCP credentials: %v", err)).Build()
+		return "", "", errkit.Newf("Failed to get PDCP credentials: %v", err)
 	}
 
 	if creds == nil {
-		return "", "", errkit.New("PDCP API Key not configured, Create one for free at https://cloud.projectdiscovery.io/").Build()
+		return "", "", errkit.Newf("PDCP API Key not configured, Create one for free at https://cloud.projectdiscovery.io/")
 	}
 
 	req.Header.Set("Content-Type", "application/json")
@@ -115,28 +114,28 @@ func generateAITemplate(prompt string) (string, string, error) {
 
 	resp, err := retryablehttp.DefaultClient().Do(req)
 	if err != nil {
-		return "", "", errkit.New(fmt.Sprintf("Failed to send HTTP request: %v", err)).Build()
+		return "", "", errkit.Newf("Failed to send HTTP request: %v", err)
 	}
 	defer func() {
 		_ = resp.Body.Close()
 	}()
 
 	if resp.StatusCode == http.StatusUnauthorized {
-		return "", "", errkit.New("Invalid API Key or API Key not configured, Create one for free at https://cloud.projectdiscovery.io/").Build()
+		return "", "", errkit.Newf("Invalid API Key or API Key not configured, Create one for free at https://cloud.projectdiscovery.io/")
 	}
 
 	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(resp.Body)
-		return "", "", errkit.New(fmt.Sprintf("API returned status code %d: %s", resp.StatusCode, string(body))).Build()
+		return "", "", errkit.Newf("API returned status code %d: %s", resp.StatusCode, string(body))
 	}
 
 	var result AITemplateResponse
 	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
-		return "", "", errkit.New(fmt.Sprintf("Failed to decode API response: %v", err)).Build()
+		return "", "", errkit.Newf("Failed to decode API response: %v", err)
 	}
 
 	if result.TemplateID == "" || result.Completion == "" {
-		return "", "", errkit.New("Failed to generate template").Build()
+		return "", "", errkit.Newf("Failed to generate template")
 	}
 
 	return result.Completion, result.TemplateID, nil

pkg/catalog/loader/loader.go

@@ -25,6 +25,7 @@ import (
 	"github.com/projectdiscovery/nuclei/v3/pkg/workflows"
 	"github.com/projectdiscovery/retryablehttp-go"
 	"github.com/projectdiscovery/utils/errkit"
+	mapsutil "github.com/projectdiscovery/utils/maps"
 	sliceutil "github.com/projectdiscovery/utils/slice"
 	stringsutil "github.com/projectdiscovery/utils/strings"
 	syncutil "github.com/projectdiscovery/utils/sync"
@@ -238,7 +239,7 @@ func (store *Store) ReadTemplateFromURI(uri string, remote bool) ([]byte, error)
 		uri = handleTemplatesEditorURLs(uri)
 		remoteTemplates, _, err := getRemoteTemplatesAndWorkflows([]string{uri}, nil, store.config.RemoteTemplateDomainList)
 		if err != nil || len(remoteTemplates) == 0 {
-			return nil, errkit.Append(errkit.New(fmt.Sprintf("Could not load template %s: got %v", uri, remoteTemplates)), err)
+			return nil, errkit.Wrapf(err, "Could not load template %s: got %v", uri, remoteTemplates)
 		}
 		resp, err := retryablehttp.Get(remoteTemplates[0])
 		if err != nil {
@@ -315,6 +316,8 @@ func (store *Store) LoadTemplatesOnlyMetadata() error {
 	}
 	templatesCache := parserItem.Cache()
 
+	loadedTemplateIDs := mapsutil.NewSyncLockMap[string, struct{}]()
+
 	for templatePath := range validPaths {
 		template, _, _ := templatesCache.Has(templatePath)
 
@@ -339,6 +342,12 @@ func (store *Store) LoadTemplatesOnlyMetadata() error {
 		}
 
 		if template != nil {
+			if loadedTemplateIDs.Has(template.ID) {
+				store.logger.Debug().Msgf("Skipping duplicate template ID '%s' from path '%s'", template.ID, templatePath)
+				continue
+			}
+
+			_ = loadedTemplateIDs.Set(template.ID, struct{}{})
 			template.Path = templatePath
 			store.templates = append(store.templates, template)
 		}
@@ -492,8 +501,16 @@ func (store *Store) LoadTemplatesWithTags(templatesList, tags []string) []*templ
 	templatePathMap := store.pathFilter.Match(includedTemplates)
 
 	loadedTemplates := sliceutil.NewSyncSlice[*templates.Template]()
+	loadedTemplateIDs := mapsutil.NewSyncLockMap[string, struct{}]()
 
 	loadTemplate := func(tmpl *templates.Template) {
+		if loadedTemplateIDs.Has(tmpl.ID) {
+			store.logger.Debug().Msgf("Skipping duplicate template ID '%s' from path '%s'", tmpl.ID, tmpl.Path)
+			return
+		}
+
+		_ = loadedTemplateIDs.Set(tmpl.ID, struct{}{})
+
 		loadedTemplates.Append(tmpl)
 		// increment signed/unsigned counters
 		if tmpl.Verified {
@@ -563,7 +580,14 @@ func (store *Store) LoadTemplatesWithTags(templatesList, tags []string) []*templ
 						// check if the template is a DAST template
 						// also allow global matchers template to be loaded
 						if parsed.IsFuzzing() || parsed.Options.GlobalMatchers != nil && parsed.Options.GlobalMatchers.HasMatchers() {
-							loadTemplate(parsed)
+							if len(parsed.RequestsHeadless) > 0 && !store.config.ExecutorOptions.Options.Headless {
+								stats.Increment(templates.ExcludedHeadlessTmplStats)
+								if config.DefaultConfig.LogAllEvents {
+									store.logger.Print().Msgf("[%v] Headless flag is required for headless template '%s'.\n", aurora.Yellow("WRN").String(), templatePath)
+								}
+							} else {
+								loadTemplate(parsed)
+							}
 						}
 					} else if len(parsed.RequestsHeadless) > 0 && !store.config.ExecutorOptions.Options.Headless {
 						// donot include headless template in final list if headless flag is not set

pkg/core/executors.go

@@ -48,8 +48,15 @@ func (e *Engine) executeAllSelfContained(ctx context.Context, alltemplates []*te
 
 // executeTemplateWithTargets executes a given template on x targets (with a internal targetpool(i.e concurrency))
 func (e *Engine) executeTemplateWithTargets(ctx context.Context, template *templates.Template, target provider.InputProvider, results *atomic.Bool) {
-	// this is target pool i.e max target to execute
+	if e.workPool == nil {
-	wg := e.workPool.InputPool(template.Type())
+		e.workPool = e.GetWorkPool()
+	}
+	// Bounded worker pool using input concurrency
+	pool := e.workPool.InputPool(template.Type())
+	workerCount := 1
+	if pool != nil && pool.Size > 0 {
+		workerCount = pool.Size
+	}
 
 	var (
 		index uint32
@@ -78,6 +85,41 @@ func (e *Engine) executeTemplateWithTargets(ctx context.Context, template *templ
 		currentInfo.Unlock()
 	}
 
+	// task represents a single target execution unit
+	type task struct {
+		index uint32
+		skip  bool
+		value *contextargs.MetaInput
+	}
+
+	tasks := make(chan task)
+	var workersWg sync.WaitGroup
+	workersWg.Add(workerCount)
+	for i := 0; i < workerCount; i++ {
+		go func() {
+			defer workersWg.Done()
+			for t := range tasks {
+				func() {
+					defer cleanupInFlight(t.index)
+					select {
+					case <-ctx.Done():
+						return
+					default:
+					}
+					if t.skip {
+						return
+					}
+
+					match, err := e.executeTemplateOnInput(ctx, template, t.value)
+					if err != nil {
+						e.options.Logger.Warning().Msgf("[%s] Could not execute step on %s: %s\n", e.executerOpts.Colorizer.BrightBlue(template.ID), t.value.Input, err)
+					}
+					results.CompareAndSwap(false, match)
+				}()
+			}
+		}()
+	}
+
 	target.Iterate(func(scannedValue *contextargs.MetaInput) bool {
 		select {
 		case <-ctx.Done():
@@ -128,43 +170,13 @@ func (e *Engine) executeTemplateWithTargets(ctx context.Context, template *templ
 			return true
 		}
 
-		wg.Add()
+		tasks <- task{index: index, skip: skip, value: scannedValue}
-		go func(index uint32, skip bool, value *contextargs.MetaInput) {
-			defer wg.Done()
-			defer cleanupInFlight(index)
-			if skip {
-				return
-			}
-
-			var match bool
-			var err error
-			ctxArgs := contextargs.New(ctx)
-			ctxArgs.MetaInput = value
-			ctx := scan.NewScanContext(ctx, ctxArgs)
-			switch template.Type() {
-			case types.WorkflowProtocol:
-				match = e.executeWorkflow(ctx, template.CompiledWorkflow)
-			default:
-				if e.Callback != nil {
-					if results, err := template.Executer.ExecuteWithResults(ctx); err == nil {
-						for _, result := range results {
-							e.Callback(result)
-						}
-					}
-					match = true
-				} else {
-					match, err = template.Executer.Execute(ctx)
-				}
-			}
-			if err != nil {
-				e.options.Logger.Warning().Msgf("[%s] Could not execute step on %s: %s\n", e.executerOpts.Colorizer.BrightBlue(template.ID), value.Input, err)
-			}
-			results.CompareAndSwap(false, match)
-		}(index, skip, scannedValue)
 		index++
 		return true
 	})
-	wg.Wait()
+
+	close(tasks)
+	workersWg.Wait()
 
 	// on completion marks the template as completed
 	currentInfo.Lock()
@@ -202,26 +214,7 @@ func (e *Engine) executeTemplatesOnTarget(ctx context.Context, alltemplates []*t
 		go func(template *templates.Template, value *contextargs.MetaInput, wg *syncutil.AdaptiveWaitGroup) {
 			defer wg.Done()
 
-			var match bool
+			match, err := e.executeTemplateOnInput(ctx, template, value)
-			var err error
-			ctxArgs := contextargs.New(ctx)
-			ctxArgs.MetaInput = value
-			ctx := scan.NewScanContext(ctx, ctxArgs)
-			switch template.Type() {
-			case types.WorkflowProtocol:
-				match = e.executeWorkflow(ctx, template.CompiledWorkflow)
-			default:
-				if e.Callback != nil {
-					if results, err := template.Executer.ExecuteWithResults(ctx); err == nil {
-						for _, result := range results {
-							e.Callback(result)
-						}
-					}
-					match = true
-				} else {
-					match, err = template.Executer.Execute(ctx)
-				}
-			}
 			if err != nil {
 				e.options.Logger.Warning().Msgf("[%s] Could not execute step on %s: %s\n", e.executerOpts.Colorizer.BrightBlue(template.ID), value.Input, err)
 			}
@@ -229,3 +222,27 @@ func (e *Engine) executeTemplatesOnTarget(ctx context.Context, alltemplates []*t
 		}(tpl, target, sg)
 	}
 }
+
+// executeTemplateOnInput performs template execution for a single input and returns match status and error
+func (e *Engine) executeTemplateOnInput(ctx context.Context, template *templates.Template, value *contextargs.MetaInput) (bool, error) {
+	ctxArgs := contextargs.New(ctx)
+	ctxArgs.MetaInput = value
+	scanCtx := scan.NewScanContext(ctx, ctxArgs)
+
+	switch template.Type() {
+	case types.WorkflowProtocol:
+		return e.executeWorkflow(scanCtx, template.CompiledWorkflow), nil
+	default:
+		if e.Callback != nil {
+			results, err := template.Executer.ExecuteWithResults(scanCtx)
+			if err != nil {
+				return false, err
+			}
+			for _, result := range results {
+				e.Callback(result)
+			}
+			return len(results) > 0, nil
+		}
+		return template.Executer.Execute(scanCtx)
+	}
+}

pkg/core/executors_test.go

@@ -0,0 +1,148 @@
+package core
+
+import (
+	"context"
+	"fmt"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	inputtypes "github.com/projectdiscovery/nuclei/v3/pkg/input/types"
+	"github.com/projectdiscovery/nuclei/v3/pkg/output"
+	"github.com/projectdiscovery/nuclei/v3/pkg/protocols"
+	"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/contextargs"
+	"github.com/projectdiscovery/nuclei/v3/pkg/scan"
+	"github.com/projectdiscovery/nuclei/v3/pkg/templates"
+	tmpltypes "github.com/projectdiscovery/nuclei/v3/pkg/templates/types"
+	"github.com/projectdiscovery/nuclei/v3/pkg/types"
+)
+
+// fakeExecuter is a simple stub for protocols.Executer used to test executeTemplateOnInput
+type fakeExecuter struct {
+	withResults bool
+}
+
+func (f *fakeExecuter) Compile() error                              { return nil }
+func (f *fakeExecuter) Requests() int                               { return 1 }
+func (f *fakeExecuter) Execute(ctx *scan.ScanContext) (bool, error) { return !f.withResults, nil }
+func (f *fakeExecuter) ExecuteWithResults(ctx *scan.ScanContext) ([]*output.ResultEvent, error) {
+	if !f.withResults {
+		return nil, nil
+	}
+	return []*output.ResultEvent{{Host: "h"}}, nil
+}
+
+// newTestEngine creates a minimal Engine for tests
+func newTestEngine() *Engine {
+	return New(&types.Options{})
+}
+
+func Test_executeTemplateOnInput_CallbackPath(t *testing.T) {
+	e := newTestEngine()
+	called := 0
+	e.Callback = func(*output.ResultEvent) { called++ }
+
+	tpl := &templates.Template{}
+	tpl.Executer = &fakeExecuter{withResults: true}
+
+	ok, err := e.executeTemplateOnInput(context.Background(), tpl, &contextargs.MetaInput{Input: "x"})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !ok {
+		t.Fatalf("expected match true")
+	}
+	if called == 0 {
+		t.Fatalf("expected callback to be called")
+	}
+}
+
+func Test_executeTemplateOnInput_ExecutePath(t *testing.T) {
+	e := newTestEngine()
+	tpl := &templates.Template{}
+	tpl.Executer = &fakeExecuter{withResults: false}
+
+	ok, err := e.executeTemplateOnInput(context.Background(), tpl, &contextargs.MetaInput{Input: "x"})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if !ok {
+		t.Fatalf("expected match true from Execute path")
+	}
+}
+
+type fakeExecuterErr struct{}
+
+func (f *fakeExecuterErr) Compile() error                              { return nil }
+func (f *fakeExecuterErr) Requests() int                               { return 1 }
+func (f *fakeExecuterErr) Execute(ctx *scan.ScanContext) (bool, error) { return false, nil }
+func (f *fakeExecuterErr) ExecuteWithResults(ctx *scan.ScanContext) ([]*output.ResultEvent, error) {
+	return nil, fmt.Errorf("boom")
+}
+
+func Test_executeTemplateOnInput_CallbackErrorPropagates(t *testing.T) {
+	e := newTestEngine()
+	e.Callback = func(*output.ResultEvent) {}
+	tpl := &templates.Template{}
+	tpl.Executer = &fakeExecuterErr{}
+
+	ok, err := e.executeTemplateOnInput(context.Background(), tpl, &contextargs.MetaInput{Input: "x"})
+	if err == nil {
+		t.Fatalf("expected error to propagate")
+	}
+	if ok {
+		t.Fatalf("expected match to be false on error")
+	}
+}
+
+type fakeTargetProvider struct {
+	values []*contextargs.MetaInput
+}
+
+func (f *fakeTargetProvider) Count() int64 { return int64(len(f.values)) }
+func (f *fakeTargetProvider) Iterate(cb func(value *contextargs.MetaInput) bool) {
+	for _, v := range f.values {
+		if !cb(v) {
+			return
+		}
+	}
+}
+func (f *fakeTargetProvider) Set(string, string) {}
+func (f *fakeTargetProvider) SetWithProbe(string, string, inputtypes.InputLivenessProbe) error {
+	return nil
+}
+func (f *fakeTargetProvider) SetWithExclusions(string, string) error { return nil }
+func (f *fakeTargetProvider) InputType() string                      { return "test" }
+func (f *fakeTargetProvider) Close()                                 {}
+
+type slowExecuter struct{}
+
+func (s *slowExecuter) Compile() error { return nil }
+func (s *slowExecuter) Requests() int  { return 1 }
+func (s *slowExecuter) Execute(ctx *scan.ScanContext) (bool, error) {
+	select {
+	case <-ctx.Context().Done():
+		return false, ctx.Context().Err()
+	case <-time.After(200 * time.Millisecond):
+		return true, nil
+	}
+}
+func (s *slowExecuter) ExecuteWithResults(ctx *scan.ScanContext) ([]*output.ResultEvent, error) {
+	return nil, nil
+}
+
+func Test_executeTemplateWithTargets_RespectsCancellation(t *testing.T) {
+	e := newTestEngine()
+	e.SetExecuterOptions(&protocols.ExecutorOptions{Logger: e.Logger, ResumeCfg: types.NewResumeCfg(), ProtocolType: tmpltypes.HTTPProtocol})
+
+	tpl := &templates.Template{}
+	tpl.Executer = &slowExecuter{}
+
+	targets := &fakeTargetProvider{values: []*contextargs.MetaInput{{Input: "a"}, {Input: "b"}, {Input: "c"}}}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	var matched atomic.Bool
+	e.executeTemplateWithTargets(ctx, tpl, targets, &matched)
+}

pkg/external/customtemplates/azure_blob.go

@@ -3,7 +3,6 @@ package customtemplates
 import (
 	"bytes"
 	"context"
-	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -30,7 +29,9 @@ func NewAzureProviders(options *types.Options) ([]*customTemplateAzureBlob, erro
 		// Establish a connection to Azure and build a client object with which to download templates from Azure Blob Storage
 		azClient, err := getAzureBlobClient(options.AzureTenantID, options.AzureClientID, options.AzureClientSecret, options.AzureServiceURL)
 		if err != nil {
-			return nil, errkit.Append(errkit.New(fmt.Sprintf("Error establishing Azure Blob client for %s", options.AzureContainerName)), err)
+			errx := errkit.FromError(err)
+			errx.Msgf("Error establishing Azure Blob client for %s", options.AzureContainerName)
+			return nil, errx
 		}
 
 		// Create a new Azure Blob Storage container object

pkg/external/customtemplates/github.go

@@ -13,6 +13,7 @@ import (
 	"github.com/projectdiscovery/gologger"
 	"github.com/projectdiscovery/nuclei/v3/pkg/catalog/config"
 	"github.com/projectdiscovery/nuclei/v3/pkg/types"
+	"github.com/projectdiscovery/utils/errkit"
 	fileutil "github.com/projectdiscovery/utils/file"
 	folderutil "github.com/projectdiscovery/utils/folder"
 	"golang.org/x/oauth2"
@@ -46,19 +47,45 @@ func (customTemplate *customTemplateGitHubRepo) Update(ctx context.Context) {
 	downloadPath := config.DefaultConfig.CustomGitHubTemplatesDirectory
 	clonePath := customTemplate.getLocalRepoClonePath(downloadPath)
 
-	// If folder does not exits then clone/download the repo
+	// If folder does not exist then clone/download the repo
 	if !fileutil.FolderExists(clonePath) {
 		customTemplate.Download(ctx)
 		return
 	}
+
+	// Attempt to pull changes and handle the result
+	customTemplate.handlePullChanges(clonePath)
+}
+
+// handlePullChanges attempts to pull changes and logs the appropriate message
+func (customTemplate *customTemplateGitHubRepo) handlePullChanges(clonePath string) {
 	err := customTemplate.pullChanges(clonePath, customTemplate.githubToken)
-	if err != nil {
+
-		gologger.Error().Msgf("%s", err)
+	switch {
-	} else {
+	case err == nil:
-		gologger.Info().Msgf("Repo %s/%s successfully pulled the changes.\n", customTemplate.owner, customTemplate.reponame)
+		customTemplate.logPullSuccess()
+	case errors.Is(err, git.NoErrAlreadyUpToDate):
+		customTemplate.logAlreadyUpToDate(err)
+	default:
+		customTemplate.logPullError(err)
 	}
 }
 
+// logPullSuccess logs a success message when changes are pulled
+func (customTemplate *customTemplateGitHubRepo) logPullSuccess() {
+	gologger.Info().Msgf("Repo %s/%s successfully pulled the changes.\n", customTemplate.owner, customTemplate.reponame)
+}
+
+// logAlreadyUpToDate logs an info message when repo is already up to date
+func (customTemplate *customTemplateGitHubRepo) logAlreadyUpToDate(err error) {
+	gologger.Info().Msgf("%s", err)
+}
+
+// logPullError logs an error message when pull fails
+func (customTemplate *customTemplateGitHubRepo) logPullError(err error) {
+	gologger.Error().Msgf("%s", err)
+}
+
 // NewGitHubProviders returns new instance of GitHub providers for downloading custom templates
 func NewGitHubProviders(options *types.Options) ([]*customTemplateGitHubRepo, error) {
 	providers := []*customTemplateGitHubRepo{}
@@ -187,7 +214,7 @@ func (ctr *customTemplateGitHubRepo) pullChanges(repoPath, githubToken string) e
 
 	err = w.Pull(pullOpts)
 	if err != nil {
-		return errors.Errorf("%s/%s: %s", ctr.owner, ctr.reponame, err.Error())
+		return errkit.Wrapf(err, "%s/%s", ctr.owner, ctr.reponame)
 	}
 
 	return nil

pkg/external/customtemplates/gitlab.go

@@ -3,7 +3,6 @@ package customtemplates
 import (
 	"context"
 	"encoding/base64"
-	"fmt"
 	"os"
 	"path/filepath"
 
@@ -29,7 +28,9 @@ func NewGitLabProviders(options *types.Options) ([]*customTemplateGitLabRepo, er
 		// Establish a connection to GitLab and build a client object with which to download templates from GitLab
 		gitLabClient, err := getGitLabClient(options.GitLabServerURL, options.GitLabToken)
 		if err != nil {
-			return nil, errkit.Append(errkit.New(fmt.Sprintf("Error establishing GitLab client for %s %s", options.GitLabServerURL, err)), err)
+			errx := errkit.FromError(err)
+			errx.Msgf("Error establishing GitLab client for %s %s", options.GitLabServerURL, err)
+			return nil, errx
 		}
 
 		// Create a new GitLab service client

pkg/external/customtemplates/s3.go

@@ -2,7 +2,6 @@ package customtemplates
 
 import (
 	"context"
-	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -65,7 +64,9 @@ func NewS3Providers(options *types.Options) ([]*customTemplateS3Bucket, error) {
 	if options.AwsBucketName != "" && !options.AwsTemplateDisableDownload {
 		s3c, err := getS3Client(context.TODO(), options.AwsAccessKey, options.AwsSecretKey, options.AwsRegion, options.AwsProfile)
 		if err != nil {
-			return nil, errkit.Append(errkit.New(fmt.Sprintf("error downloading s3 bucket %s", options.AwsBucketName)), err)
+			errx := errkit.FromError(err)
+			errx.Msgf("error downloading s3 bucket %s", options.AwsBucketName)
+			return nil, errx
 		}
 		ctBucket := &customTemplateS3Bucket{
 			bucketName: options.AwsBucketName,

pkg/external/customtemplates/templates_provider.go

@@ -38,7 +38,9 @@ func NewCustomTemplatesManager(options *types.Options) (*CustomTemplatesManager,
 	// Add GitHub providers
 	githubProviders, err := NewGitHubProviders(options)
 	if err != nil {
-		return nil, errkit.Append(errkit.New("could not create github providers for custom templates"), err)
+		errx := errkit.FromError(err)
+		errx.Msgf("could not create github providers for custom templates")
+		return nil, errx
 	}
 	for _, v := range githubProviders {
 		ctm.providers = append(ctm.providers, v)
@@ -47,7 +49,9 @@ func NewCustomTemplatesManager(options *types.Options) (*CustomTemplatesManager,
 	// Add AWS S3 providers
 	s3Providers, err := NewS3Providers(options)
 	if err != nil {
-		return nil, errkit.Append(errkit.New("could not create s3 providers for custom templates"), err)
+		errx := errkit.FromError(err)
+		errx.Msgf("could not create s3 providers for custom templates")
+		return nil, errx
 	}
 	for _, v := range s3Providers {
 		ctm.providers = append(ctm.providers, v)
@@ -56,7 +60,9 @@ func NewCustomTemplatesManager(options *types.Options) (*CustomTemplatesManager,
 	// Add Azure providers
 	azureProviders, err := NewAzureProviders(options)
 	if err != nil {
-		return nil, errkit.Append(errkit.New("could not create azure providers for custom templates"), err)
+		errx := errkit.FromError(err)
+		errx.Msgf("could not create azure providers for custom templates")
+		return nil, errx
 	}
 	for _, v := range azureProviders {
 		ctm.providers = append(ctm.providers, v)
@@ -65,7 +71,9 @@ func NewCustomTemplatesManager(options *types.Options) (*CustomTemplatesManager,
 	// Add GitLab providers
 	gitlabProviders, err := NewGitLabProviders(options)
 	if err != nil {
-		return nil, errkit.Append(errkit.New("could not create gitlab providers for custom templates"), err)
+		errx := errkit.FromError(err)
+		errx.Msgf("could not create gitlab providers for custom templates")
+		return nil, errx
 	}
 	for _, v := range gitlabProviders {
 		ctm.providers = append(ctm.providers, v)

pkg/fuzz/component/path.go

@@ -7,7 +7,6 @@ import (
 
 	"github.com/projectdiscovery/nuclei/v3/pkg/fuzz/dataformat"
 	"github.com/projectdiscovery/retryablehttp-go"
-	mapsutil "github.com/projectdiscovery/utils/maps"
 	urlutil "github.com/projectdiscovery/utils/url"
 )
 
@@ -38,12 +37,18 @@ func (q *Path) Parse(req *retryablehttp.Request) (bool, error) {
 
 	splitted := strings.Split(req.Path, "/")
 	values := make(map[string]interface{})
-	for i := range splitted {
+	for i, segment := range splitted {
-		pathTillNow := strings.Join(splitted[:i+1], "/")
+		if segment == "" && i == 0 {
-		if pathTillNow == "" {
+			// Skip the first empty segment from leading "/"
 			continue
 		}
-		values[strconv.Itoa(i)] = pathTillNow
+		if segment == "" {
+			// Skip any other empty segments
+			continue
+		}
+		// Use 1-based indexing and store individual segments
+		key := strconv.Itoa(len(values) + 1)
+		values[key] = segment
 	}
 	q.value.SetParsed(dataformat.KVMap(values), "")
 	return true, nil
@@ -64,7 +69,7 @@ func (q *Path) Iterate(callback func(key string, value interface{}) error) (err
 // SetValue sets a value in the component
 // for a key
 func (q *Path) SetValue(key string, value string) error {
-	escaped := urlutil.ParamEncode(value)
+	escaped := urlutil.PathEncode(value)
 	if !q.value.SetParsedValue(key, escaped) {
 		return ErrSetValue
 	}
@@ -82,40 +87,48 @@ func (q *Path) Delete(key string) error {
 // Rebuild returns a new request with the
 // component rebuilt
 func (q *Path) Rebuild() (*retryablehttp.Request, error) {
-	originalValues := mapsutil.Map[string, any]{}
+	// Get the original path segments
-	splitted := strings.Split(q.req.Path, "/")
+	originalSplitted := strings.Split(q.req.Path, "/")
-	for i := range splitted {
+	
-		pathTillNow := strings.Join(splitted[:i+1], "/")
+	// Create a new slice to hold the rebuilt segments
-		if pathTillNow == "" {
+	rebuiltSegments := make([]string, 0, len(originalSplitted))
-			continue
+	
-		}
+	// Add the first empty segment (from leading "/")
-		originalValues[strconv.Itoa(i)] = pathTillNow
+	if len(originalSplitted) > 0 && originalSplitted[0] == "" {
+		rebuiltSegments = append(rebuiltSegments, "")
 	}
-
+	
-	originalPath := q.req.Path
+	// Process each segment
-	lengthSplitted := len(q.value.parsed.Map)
+	segmentIndex := 1 // 1-based indexing for our stored values
-	for i := lengthSplitted; i > 0; i-- {
+	for i := 1; i < len(originalSplitted); i++ {
-		key := strconv.Itoa(i)
+		originalSegment := originalSplitted[i]
-
+		if originalSegment == "" {
-		original, ok := originalValues.GetOrDefault(key, "").(string)
+			// Skip empty segments
-		if !ok {
 			continue
 		}
-
+		
-		new, ok := q.value.parsed.Map.GetOrDefault(key, "").(string)
+		// Check if we have a replacement for this segment
-		if !ok {
+		key := strconv.Itoa(segmentIndex)
-			continue
+		if newValue, exists := q.value.parsed.Map.GetOrDefault(key, "").(string); exists && newValue != "" {
+			rebuiltSegments = append(rebuiltSegments, newValue)
+		} else {
+			rebuiltSegments = append(rebuiltSegments, originalSegment)
 		}
-
+		segmentIndex++
-		if new == original {
+	}
-			// no need to replace
+	
-			continue
+	// Join the segments back into a path
-		}
+	rebuiltPath := strings.Join(rebuiltSegments, "/")
-
+	
-		originalPath = strings.Replace(originalPath, original, new, 1)
+	if unescaped, err := urlutil.PathDecode(rebuiltPath); err == nil {
+		// this is handle the case where anyportion of path has url encoded data
+		// by default the http/request official library will escape/encode special characters in path
+		// to avoid double encoding we unescape/decode already encoded value
+		//
+		// if there is a invalid url encoded value like %99 then it will still be encoded as %2599 and not %99
+		// the only way to make sure it stays as %99 is to implement raw request and unsafe for fuzzing as well
+		rebuiltPath = unescaped
 	}
-
-	rebuiltPath := originalPath
 
 	// Clone the request and update the path
 	cloned := q.req.Clone(context.Background())

pkg/fuzz/component/path_test.go

@@ -29,9 +29,9 @@ func TestURLComponent(t *testing.T) {
 	})
 
 	require.Equal(t, []string{"1"}, keys, "unexpected keys")
-	require.Equal(t, []string{"/testpath"}, values, "unexpected values")
+	require.Equal(t, []string{"testpath"}, values, "unexpected values")
 
-	err = urlComponent.SetValue("1", "/newpath")
+	err = urlComponent.SetValue("1", "newpath")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -61,9 +61,10 @@ func TestURLComponent_NestedPaths(t *testing.T) {
 	isSet := false
 
 	_ = path.Iterate(func(key string, value interface{}) error {
-		if !isSet && value.(string) == "/user/753" {
+		t.Logf("Key: %s, Value: %s", key, value.(string))
+		if !isSet && value.(string) == "753" {
 			isSet = true
-			if setErr := path.SetValue(key, "/user/753'"); setErr != nil {
+			if setErr := path.SetValue(key, "753'"); setErr != nil {
 				t.Fatal(setErr)
 			}
 		}
@@ -75,6 +76,54 @@ func TestURLComponent_NestedPaths(t *testing.T) {
 		t.Fatal(err)
 	}
 	if newReq.Path != "/user/753'/profile" {
-		t.Fatal("expected path to be modified")
+		t.Fatalf("expected path to be '/user/753'/profile', got '%s'", newReq.Path)
 	}
 }
+
+func TestPathComponent_SQLInjection(t *testing.T) {
+	path := NewPath()
+	req, err := retryablehttp.NewRequest(http.MethodGet, "https://example.com/user/55/profile", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	found, err := path.Parse(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !found {
+		t.Fatal("expected path to be found")
+	}
+
+	t.Logf("Original path: %s", req.Path)
+
+	// Let's see what path segments are available for fuzzing
+	err = path.Iterate(func(key string, value interface{}) error {
+		t.Logf("Key: %s, Value: %s", key, value.(string))
+		
+		// Try fuzzing the "55" segment specifically (which should be key "2")
+		if value.(string) == "55" {
+			if setErr := path.SetValue(key, "55 OR True"); setErr != nil {
+				t.Fatal(setErr)
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	newReq, err := path.Rebuild()
+	if err != nil {
+		t.Fatal(err)
+	}
+	
+	t.Logf("Modified path: %s", newReq.Path)
+	
+	// Now with PathEncode, spaces are preserved correctly for SQL injection
+	if newReq.Path != "/user/55 OR True/profile" {
+		t.Fatalf("expected path to be '/user/55 OR True/profile', got '%s'", newReq.Path)
+	}
+	
+	// Let's also test what the actual URL looks like
+	t.Logf("Full URL: %s", newReq.String())
+}

pkg/fuzz/dataformat/multipart.go

@@ -27,7 +27,29 @@ var (
 
 // NewMultiPartForm returns a new MultiPartForm encoder
 func NewMultiPartForm() *MultiPartForm {
-	return &MultiPartForm{}
+	return &MultiPartForm{
+		filesMetadata: make(map[string]FileMetadata),
+	}
+}
+
+// SetFileMetadata sets the file metadata for a given field name
+func (m *MultiPartForm) SetFileMetadata(fieldName string, metadata FileMetadata) {
+	if m.filesMetadata == nil {
+		m.filesMetadata = make(map[string]FileMetadata)
+	}
+
+	m.filesMetadata[fieldName] = metadata
+}
+
+// GetFileMetadata gets the file metadata for a given field name
+func (m *MultiPartForm) GetFileMetadata(fieldName string) (FileMetadata, bool) {
+	if m.filesMetadata == nil {
+		return FileMetadata{}, false
+	}
+
+	metadata, exists := m.filesMetadata[fieldName]
+
+	return metadata, exists
 }
 
 // IsType returns true if the data is MultiPartForm encoded
@@ -49,42 +71,61 @@ func (m *MultiPartForm) Encode(data KV) (string, error) {
 		var fw io.Writer
 		var err error
 
-		if filesArray, ok := value.([]interface{}); ok {
+		if fileMetadata, ok := m.filesMetadata[key]; ok {
-			fileMetadata, ok := m.filesMetadata[key]
+			if filesArray, isArray := value.([]any); isArray {
-			if !ok {
+				for _, file := range filesArray {
-				Itererr = fmt.Errorf("file metadata not found for key %s", key)
+					h := make(textproto.MIMEHeader)
-				return false
+					h.Set("Content-Disposition",
-			}
+						fmt.Sprintf(`form-data; name=%q; filename=%q`,
+							key, fileMetadata.Filename))
+					h.Set("Content-Type", fileMetadata.ContentType)
 
-			for _, file := range filesArray {
+					if fw, err = w.CreatePart(h); err != nil {
-				h := make(textproto.MIMEHeader)
+						Itererr = err
-				h.Set("Content-Disposition",
+						return false
-					fmt.Sprintf(`form-data; name=%q; filename=%q`,
+					}
-						key, fileMetadata.Filename))
-				h.Set("Content-Type", fileMetadata.ContentType)
 
-				if fw, err = w.CreatePart(h); err != nil {
+					if _, err = fw.Write([]byte(file.(string))); err != nil {
-					Itererr = err
+						Itererr = err
-					return false
+						return false
+					}
 				}
 
-				if _, err = fw.Write([]byte(file.(string))); err != nil {
+				return true
-					Itererr = err
-					return false
-				}
 			}
-			return true
 		}
 
 		// Add field
-		if fw, err = w.CreateFormField(key); err != nil {
+		var values []string
-			Itererr = err
+		switch v := value.(type) {
-			return false
+		case nil:
+			values = []string{""}
+		case string:
+			values = []string{v}
+		case []string:
+			values = v
+		case []any:
+			values = make([]string, len(v))
+			for i, item := range v {
+				if item == nil {
+					values[i] = ""
+				} else {
+					values[i] = fmt.Sprint(item)
+				}
+			}
+		default:
+			values = []string{fmt.Sprintf("%v", v)}
 		}
 
-		if _, err = fw.Write([]byte(value.(string))); err != nil {
+		for _, val := range values {
-			Itererr = err
+			if fw, err = w.CreateFormField(key); err != nil {
-			return false
+				Itererr = err
+				return false
+			}
+			if _, err = fw.Write([]byte(val)); err != nil {
+				Itererr = err
+				return false
+			}
 		}
 		return true
 	})
@@ -106,16 +147,24 @@ func (m *MultiPartForm) ParseBoundary(contentType string) error {
 	if m.boundary == "" {
 		return fmt.Errorf("no boundary found in the content type")
 	}
+
+	// NOTE(dwisiswant0): boundary cannot exceed 70 characters according to
+	// RFC-2046.
+	if len(m.boundary) > 70 {
+		return fmt.Errorf("boundary exceeds maximum length of 70 characters")
+	}
+
 	return nil
 }
 
 // Decode decodes the data from MultiPartForm format
 func (m *MultiPartForm) Decode(data string) (KV, error) {
+	if m.boundary == "" {
+		return KV{}, fmt.Errorf("boundary not set, call ParseBoundary first")
+	}
+
 	// Create a buffer from the string data
 	b := bytes.NewBufferString(data)
-	// The boundary parameter should be extracted from the Content-Type header of the HTTP request
-	// which is not available in this context, so this is a placeholder for demonstration.
-	// You will need to pass the actual boundary value to this function.
 	r := multipart.NewReader(b, m.boundary)
 
 	form, err := r.ReadForm(32 << 20) // 32MB is the max memory used to parse the form
@@ -134,30 +183,44 @@ func (m *MultiPartForm) Decode(data string) (KV, error) {
 			result.Set(key, values[0])
 		}
 	}
-	m.filesMetadata = make(map[string]FileMetadata)
+
+	if m.filesMetadata == nil {
+		m.filesMetadata = make(map[string]FileMetadata)
+	}
+
 	for key, files := range form.File {
 		fileContents := []interface{}{}
+		var fileMetadataList []FileMetadata
+
 		for _, fileHeader := range files {
 			file, err := fileHeader.Open()
 			if err != nil {
 				return KV{}, err
 			}
-			defer func() {
-				_ = file.Close()
-			}()
 
 			buffer := new(bytes.Buffer)
 			if _, err := buffer.ReadFrom(file); err != nil {
+				_ = file.Close()
+
 				return KV{}, err
 			}
+			_ = file.Close()
+
 			fileContents = append(fileContents, buffer.String())
 
-			m.filesMetadata[key] = FileMetadata{
+			fileMetadataList = append(fileMetadataList, FileMetadata{
 				ContentType: fileHeader.Header.Get("Content-Type"),
 				Filename:    fileHeader.Filename,
-			}
+			})
 		}
+
 		result.Set(key, fileContents)
+
+		// NOTE(dwisiswant0): store the first file's metadata instead of the
+		// last one
+		if len(fileMetadataList) > 0 {
+			m.filesMetadata[key] = fileMetadataList[0]
+		}
 	}
 	return KVOrderedMap(&result), nil
 }

pkg/fuzz/dataformat/multipart_test.go

@@ -0,0 +1,370 @@
+package dataformat
+
+import (
+	"testing"
+
+	mapsutil "github.com/projectdiscovery/utils/maps"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMultiPartFormEncode(t *testing.T) {
+	tests := []struct {
+		name     string
+		fields   map[string]any
+		wantErr  bool
+		expected map[string]any
+	}{
+		{
+			name: "duplicate fields ([]string) - checkbox scenario",
+			fields: map[string]any{
+				"interests": []string{"sports", "music", "reading"},
+				"colors":    []string{"red", "blue"},
+			},
+			expected: map[string]any{
+				"interests": []string{"sports", "music", "reading"},
+				"colors":    []string{"red", "blue"},
+			},
+		},
+		{
+			name: "single string fields - backward compatibility",
+			fields: map[string]any{
+				"username": "john",
+				"email":    "john@example.com",
+			},
+			expected: map[string]any{
+				"username": "john",
+				"email":    "john@example.com",
+			},
+		},
+		{
+			name: "mixed types",
+			fields: map[string]any{
+				"string":     "text",
+				"array":      []string{"item1", "item2"},
+				"number":     42,                            // tests fmt.Sprint fallback
+				"float":      3.14,                          // tests float conversion
+				"boolean":    true,                          // tests boolean conversion
+				"zero":       0,                             // tests zero value
+				"emptyStr":   "",                            // tests empty string
+				"negative":   -123,                          // tests negative number
+				"nil":        nil,                           // tests nil value
+				"mixedArray": []any{"str", 123, false, nil}, // tests mixed type array
+			},
+			expected: map[string]any{
+				"string":     "text",
+				"array":      []string{"item1", "item2"},
+				"number":     "42",                                // numbers are converted to strings in multipart
+				"float":      "3.14",                              // floats are converted to strings
+				"boolean":    "true",                              // booleans are converted to strings
+				"zero":       "0",                                 // zero value converted to string
+				"emptyStr":   "",                                  // empty string remains empty
+				"negative":   "-123",                              // negative numbers converted to strings
+				"nil":        "",                                  // nil values converted to "" string
+				"mixedArray": []string{"str", "123", "false", ""}, // mixed array converted to string array
+			},
+		},
+		{
+			name: "empty array - should not appear in output",
+			fields: map[string]any{
+				"emptyArray":  []string{},
+				"normalField": "value",
+			},
+			expected: map[string]any{
+				"normalField": "value",
+				// emptyArray should not appear in decoded output
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			defer func() {
+				if r := recover(); r != nil {
+					t.Errorf("Test panicked: %v", r)
+				}
+			}()
+
+			form := NewMultiPartForm()
+			form.boundary = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
+
+			kv := mapsutil.NewOrderedMap[string, any]()
+			for k, v := range tt.fields {
+				kv.Set(k, v)
+			}
+
+			encoded, err := form.Encode(KVOrderedMap(&kv))
+
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+
+			// Decode the encoded multipart data
+			decoded, err := form.Decode(encoded)
+			require.NoError(t, err)
+
+			// Compare decoded values with expected values
+			for expectedKey, expectedValue := range tt.expected {
+				actualValue := decoded.Get(expectedKey)
+				switch expected := expectedValue.(type) {
+				case []string:
+					actual, ok := actualValue.([]string)
+					require.True(t, ok, "Expected []string for key %s, got %T", expectedKey, actualValue)
+					assert.ElementsMatch(t, expected, actual, "Values mismatch for key %s", expectedKey)
+				case []any:
+					actual, ok := actualValue.([]any)
+					require.True(t, ok, "Expected []any for key %s, got %T", expectedKey, actualValue)
+					assert.ElementsMatch(t, expected, actual, "Values mismatch for key %s", expectedKey)
+				case string:
+					actual, ok := actualValue.(string)
+					require.True(t, ok, "Expected string for key %s, got %T", expectedKey, actualValue)
+					assert.Equal(t, expected, actual, "Values mismatch for key %s", expectedKey)
+				default:
+					assert.Equal(t, expected, actualValue, "Values mismatch for key %s", expectedKey)
+				}
+			}
+
+			// Ensure no unexpected keys are present in decoded output
+			decoded.Iterate(func(key string, value any) bool {
+				_, exists := tt.expected[key]
+				assert.True(t, exists, "Unexpected key %s found in decoded output", key)
+				return true
+			})
+
+			t.Logf("Encoded output:\n%s", encoded)
+		})
+	}
+}
+
+func TestMultiPartFormRoundTrip(t *testing.T) {
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("Test panicked: %v", r)
+		}
+	}()
+
+	form := NewMultiPartForm()
+	form.boundary = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
+
+	original := mapsutil.NewOrderedMap[string, any]()
+	original.Set("username", "john")
+	original.Set("interests", []string{"sports", "music", "reading"})
+
+	encoded, err := form.Encode(KVOrderedMap(&original))
+	require.NoError(t, err)
+
+	decoded, err := form.Decode(encoded)
+	require.NoError(t, err)
+
+	assert.Equal(t, "john", decoded.Get("username"))
+	assert.ElementsMatch(t, []string{"sports", "music", "reading"}, decoded.Get("interests"))
+
+	t.Logf("Encoded output:\n%s", encoded)
+}
+
+func TestMultiPartFormFileUpload(t *testing.T) {
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("Test panicked: %v", r)
+		}
+	}()
+
+	// Test decoding of a manually crafted multipart form with files
+	form := NewMultiPartForm()
+	form.boundary = "----WebKitFormBoundaryFileUploadTest"
+
+	// Manually craft a multipart form with file uploads
+	multipartData := `------WebKitFormBoundaryFileUploadTest
+Content-Disposition: form-data; name="name"
+
+John Doe
+------WebKitFormBoundaryFileUploadTest
+Content-Disposition: form-data; name="email"
+
+john@example.com
+------WebKitFormBoundaryFileUploadTest
+Content-Disposition: form-data; name="profile_picture"; filename="profile.jpg"
+Content-Type: image/jpeg
+
+fake_jpeg_binary_data_here
+------WebKitFormBoundaryFileUploadTest
+Content-Disposition: form-data; name="documents"; filename="resume.pdf"
+Content-Type: application/pdf
+
+fake_pdf_content_1
+------WebKitFormBoundaryFileUploadTest
+Content-Disposition: form-data; name="documents"; filename="cover_letter.pdf"
+Content-Type: application/pdf
+
+fake_pdf_content_2
+------WebKitFormBoundaryFileUploadTest
+Content-Disposition: form-data; name="skills"
+
+Go
+------WebKitFormBoundaryFileUploadTest
+Content-Disposition: form-data; name="skills"
+
+JavaScript
+------WebKitFormBoundaryFileUploadTest
+Content-Disposition: form-data; name="skills"
+
+Python
+------WebKitFormBoundaryFileUploadTest--
+`
+
+	// Test decoding
+	decoded, err := form.Decode(multipartData)
+	require.NoError(t, err)
+
+	// Verify regular fields
+	assert.Equal(t, "John Doe", decoded.Get("name"))
+	assert.Equal(t, "john@example.com", decoded.Get("email"))
+	assert.Equal(t, []string{"Go", "JavaScript", "Python"}, decoded.Get("skills"))
+
+	// Verify file fields
+	profilePicture := decoded.Get("profile_picture")
+	require.NotNil(t, profilePicture)
+	profileArray, ok := profilePicture.([]interface{})
+	require.True(t, ok, "Expected []interface{} for profile_picture")
+	require.Len(t, profileArray, 1)
+	assert.Equal(t, "fake_jpeg_binary_data_here", profileArray[0])
+
+	documents := decoded.Get("documents")
+	require.NotNil(t, documents)
+	documentsArray, ok := documents.([]interface{})
+	require.True(t, ok, "Expected []interface{} for documents")
+	require.Len(t, documentsArray, 2)
+	assert.Contains(t, documentsArray, "fake_pdf_content_1")
+	assert.Contains(t, documentsArray, "fake_pdf_content_2")
+}
+
+func TestMultiPartForm_SetGetFileMetadata(t *testing.T) {
+	form := NewMultiPartForm()
+	metadata := FileMetadata{
+		ContentType: "image/jpeg",
+		Filename:    "test.jpg",
+	}
+	form.SetFileMetadata("avatar", metadata)
+
+	// Test GetFileMetadata for existing field
+	retrievedMetadata, exists := form.GetFileMetadata("avatar")
+	assert.True(t, exists)
+	assert.Equal(t, metadata.ContentType, retrievedMetadata.ContentType)
+	assert.Equal(t, metadata.Filename, retrievedMetadata.Filename)
+
+	// Test GetFileMetadata for non-existing field
+	_, exists = form.GetFileMetadata("nonexistent")
+	assert.False(t, exists)
+}
+
+func TestMultiPartForm_FilesMetadataInitialization(t *testing.T) {
+	form := NewMultiPartForm()
+	assert.NotNil(t, form.filesMetadata)
+
+	metadata := FileMetadata{
+		ContentType: "text/plain",
+		Filename:    "test.txt",
+	}
+	form.SetFileMetadata("file", metadata)
+
+	retrievedMetadata, exists := form.GetFileMetadata("file")
+	assert.True(t, exists)
+	assert.Equal(t, metadata, retrievedMetadata)
+}
+
+func TestMultiPartForm_BoundaryValidation(t *testing.T) {
+	form := NewMultiPartForm()
+
+	// Test valid boundary
+	err := form.ParseBoundary("multipart/form-data; boundary=testboundary")
+	assert.NoError(t, err)
+	assert.Equal(t, "testboundary", form.boundary)
+
+	// Test missing boundary
+	err = form.ParseBoundary("multipart/form-data")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "no boundary found")
+
+	// Test boundary too long (over 70 characters)
+	longBoundary := "multipart/form-data; boundary=" + string(make([]byte, 71))
+	for i := range longBoundary[len("multipart/form-data; boundary="):] {
+		longBoundary = longBoundary[:len("multipart/form-data; boundary=")+i] + "a" + longBoundary[len("multipart/form-data; boundary=")+i+1:]
+	}
+
+	err = form.ParseBoundary(longBoundary)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "boundary exceeds maximum length")
+}
+
+func TestMultiPartForm_DecodeRequiresBoundary(t *testing.T) {
+	form := NewMultiPartForm()
+
+	// Decode should fail if boundary is not set
+	_, err := form.Decode("some data")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "boundary not set")
+}
+
+func TestMultiPartForm_MultipleFilesMetadata(t *testing.T) {
+	form := NewMultiPartForm()
+	form.boundary = "----WebKitFormBoundaryMultiFileTest"
+
+	// Test with multiple files having the same field name
+	multipartData := `------WebKitFormBoundaryMultiFileTest
+Content-Disposition: form-data; name="documents"; filename="file1.txt"
+Content-Type: text/plain
+
+content1
+------WebKitFormBoundaryMultiFileTest
+Content-Disposition: form-data; name="documents"; filename="file2.txt"
+Content-Type: text/plain
+
+content2
+------WebKitFormBoundaryMultiFileTest--
+`
+
+	decoded, err := form.Decode(multipartData)
+	require.NoError(t, err)
+
+	// Verify files are decoded correctly
+	documents := decoded.Get("documents")
+	require.NotNil(t, documents)
+	documentsArray, ok := documents.([]interface{})
+	require.True(t, ok)
+	require.Len(t, documentsArray, 2)
+	assert.Contains(t, documentsArray, "content1")
+	assert.Contains(t, documentsArray, "content2")
+
+	// Verify metadata for the field exists (should be from the first file)
+	metadata, exists := form.GetFileMetadata("documents")
+	assert.True(t, exists)
+	assert.Equal(t, "text/plain", metadata.ContentType)
+	assert.Equal(t, "file1.txt", metadata.Filename) // Should be from first file, not last
+}
+
+func TestMultiPartForm_SetFileMetadataWithNilMap(t *testing.T) {
+	form := &MultiPartForm{}
+
+	// SetFileMetadata should handle nil filesMetadata
+	metadata := FileMetadata{
+		ContentType: "application/pdf",
+		Filename:    "document.pdf",
+	}
+	form.SetFileMetadata("doc", metadata)
+
+	// Should be able to retrieve the metadata
+	retrievedMetadata, exists := form.GetFileMetadata("doc")
+	assert.True(t, exists)
+	assert.Equal(t, metadata, retrievedMetadata)
+}
+
+func TestMultiPartForm_GetFileMetadataWithNilMap(t *testing.T) {
+	form := &MultiPartForm{}
+
+	// GetFileMetadata should handle nil filesMetadata gracefully
+	_, exists := form.GetFileMetadata("anything")
+	assert.False(t, exists)
+}

pkg/fuzz/execute.go

@@ -23,10 +23,9 @@ import (
 	urlutil "github.com/projectdiscovery/utils/url"
 )
 
-// ErrRuleNotApplicable returns a rule not applicable error
+var (
-func ErrRuleNotApplicable(reason interface{}) error {
+	ErrRuleNotApplicable = errkit.New("rule not applicable")
-	return errkit.New(fmt.Sprintf("rule not applicable: %v", reason)).Build()
+)
-}
 
 // IsErrRuleNotApplicable checks if an error is due to rule not applicable
 func IsErrRuleNotApplicable(err error) bool {
@@ -90,10 +89,10 @@ type GeneratedRequest struct {
 // goroutines.
 func (rule *Rule) Execute(input *ExecuteRuleInput) (err error) {
 	if !rule.isInputURLValid(input.Input) {
-		return ErrRuleNotApplicable(fmt.Sprintf("invalid input url: %v", input.Input.MetaInput.Input))
+		return errkit.Newf("rule not applicable: invalid input url: %v", input.Input.MetaInput.Input)
 	}
 	if input.BaseRequest == nil && input.Input.MetaInput.ReqResp == nil {
-		return ErrRuleNotApplicable(fmt.Sprintf("both base request and reqresp are nil for %v", input.Input.MetaInput.Input))
+		return errkit.Newf("rule not applicable: both base request and reqresp are nil for %v", input.Input.MetaInput.Input)
 	}
 
 	var finalComponentList []component.Component
@@ -145,7 +144,7 @@ func (rule *Rule) Execute(input *ExecuteRuleInput) (err error) {
 	}
 
 	if len(finalComponentList) == 0 {
-		return ErrRuleNotApplicable("no component matched on this rule")
+		return errkit.Newf("rule not applicable: no component matched on this rule")
 	}
 
 	baseValues := input.Values

pkg/input/formats/formats.go

@@ -28,6 +28,12 @@ type InputFormatOptions struct {
 	// RequiredOnly only uses required fields when generating requests
 	// instead of all fields
 	RequiredOnly bool
+	// VarsTextTemplating uses Variables and inject it into the input
+	// this is used for text templating of variables based on carvel ytt
+	// Only available for Yaml formats
+	VarsTextTemplating bool
+	// VarsFilePaths is the path to the file containing variables
+	VarsFilePaths []string
 }
 
 // Format is an interface implemented by all input formats

pkg/input/formats/openapi/generator.go

@@ -395,7 +395,7 @@ func generateRequestsFromOp(opts *generateReqOptions) error {
 func GetGlobalParamsForSecurityRequirement(schema *openapi3.T, requirement *openapi3.SecurityRequirements) ([]*openapi3.ParameterRef, error) {
 	globalParams := openapi3.NewParameters()
 	if len(schema.Components.SecuritySchemes) == 0 {
-		return nil, errkit.New(fmt.Sprintf("openapi: security requirements (%+v) without any security schemes found in openapi file", schema.Security)).Build()
+		return nil, errkit.Newf("security requirements (%+v) without any security schemes found in openapi file", schema.Security)
 	}
 	found := false
 	// this api is protected for each security scheme pull its corresponding scheme
@@ -415,11 +415,11 @@ schemaLabel:
 		}
 		if !found && len(security) > 1 {
 			// if this is case then both security schemes are required
-			return nil, errkit.New(fmt.Sprintf("openapi: security requirement (%+v) not found in openapi file", security)).Build()
+			return nil, errkit.Newf("security requirement (%+v) not found in openapi file", security)
 		}
 	}
 	if !found {
-		return nil, errkit.New(fmt.Sprintf("openapi: security requirement (%+v) not found in openapi file", requirement)).Build()
+		return nil, errkit.Newf("security requirement (%+v) not found in openapi file", requirement)
 	}
 
 	return globalParams, nil
@@ -428,12 +428,12 @@ schemaLabel:
 // GenerateParameterFromSecurityScheme generates an example from a schema object
 func GenerateParameterFromSecurityScheme(scheme *openapi3.SecuritySchemeRef) (*openapi3.Parameter, error) {
 	if !generic.EqualsAny(scheme.Value.Type, "http", "apiKey") {
-		return nil, errkit.New(fmt.Sprintf("openapi: unsupported security scheme type (%s) found in openapi file", scheme.Value.Type)).Build()
+		return nil, errkit.Newf("unsupported security scheme type (%s) found in openapi file", scheme.Value.Type)
 	}
 	if scheme.Value.Type == "http" {
 		// check scheme
 		if !generic.EqualsAny(scheme.Value.Scheme, "basic", "bearer") {
-			return nil, errkit.New(fmt.Sprintf("openapi: unsupported security scheme (%s) found in openapi file", scheme.Value.Scheme)).Build()
+			return nil, errkit.Newf("unsupported security scheme (%s) found in openapi file", scheme.Value.Scheme)
 		}
 		// HTTP authentication schemes basic or bearer use the Authorization header
 		headerName := scheme.Value.Name
@@ -458,10 +458,10 @@ func GenerateParameterFromSecurityScheme(scheme *openapi3.SecuritySchemeRef) (*o
 	if scheme.Value.Type == "apiKey" {
 		// validate name and in
 		if scheme.Value.Name == "" {
-			return nil, errkit.New(fmt.Sprintf("openapi: security scheme (%s) name is empty", scheme.Value.Type)).Build()
+			return nil, errkit.Newf("security scheme (%s) name is empty", scheme.Value.Type)
 		}
 		if !generic.EqualsAny(scheme.Value.In, "query", "header", "cookie") {
-			return nil, errkit.New(fmt.Sprintf("openapi: unsupported security scheme (%s) in (%s) found in openapi file", scheme.Value.Type, scheme.Value.In)).Build()
+			return nil, errkit.Newf("unsupported security scheme (%s) in (%s) found in openapi file", scheme.Value.Type, scheme.Value.In)
 		}
 		// create parameters using the scheme
 		switch scheme.Value.In {
@@ -482,5 +482,5 @@ func GenerateParameterFromSecurityScheme(scheme *openapi3.SecuritySchemeRef) (*o
 			return c, nil
 		}
 	}
-	return nil, errkit.New(fmt.Sprintf("openapi: unsupported security scheme type (%s) found in openapi file", scheme.Value.Type)).Build()
+	return nil, errkit.Newf("unsupported security scheme type (%s) found in openapi file", scheme.Value.Type)
 }

pkg/input/formats/testdata/ytt/ginandjuice.ytt.yaml

@@ -0,0 +1,25 @@
+#@ load("@ytt:data", "data")
+#@ load("@ytt:json", "json")
+
+#@ def get_value(key, default=""):
+#@   if hasattr(data.values, key):
+#@     return str(getattr(data.values, key))
+#@   else:
+#@     return default
+#@   end
+#@ end
+
+timestamp: 2024-02-20T19:24:13+05:32
+url: https://ginandjuice.shop/users/3
+request:
+  #@yaml/text-templated-strings
+  raw: |+
+    POST /users/3 HTTP/1.1
+    Host: ginandjuice.shop
+    Authorization: Bearer (@= get_value("token", "3x4mpl3t0k3n") @)
+    Accept-Encoding: gzip
+    Content-Type: application/x-www-form-urlencoded
+    Connection: close
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+
+    foo=(@= json.encode(data.values.foo) @)&bar=(@= get_value("bar") @)&debug=(@= get_value("debug", "false") @)

pkg/input/formats/testdata/ytt/ytt-profile.yaml

@@ -0,0 +1,11 @@
+list: pkg/input/formats/testdata/ytt/ginandjuice.ytt.yaml
+input-mode: yaml
+templates: 
+  - integration_tests/fuzz/fuzz-body.yaml
+var:
+  - debug=true
+  - bar=bar
+vars-text-templating: true
+var-file-paths:
+  - pkg/input/formats/testdata/ytt/ytt-vars.yaml
+dast: true 

pkg/input/formats/testdata/ytt/ytt-vars.yaml

@@ -0,0 +1,3 @@
+token: foobar 
+foo: 
+  bar: baz

pkg/input/formats/yaml/multidoc.go

@@ -1,8 +1,8 @@
 package yaml
 
 import (
+	"bytes"
 	"io"
-	"strings"
 
 	"github.com/pkg/errors"
 	"github.com/projectdiscovery/gologger"
@@ -46,23 +46,41 @@ func (j *YamlMultiDocFormat) SetOptions(options formats.InputFormatOptions) {
 // Parse parses the input and calls the provided callback
 // function for each RawRequest it discovers.
 func (j *YamlMultiDocFormat) Parse(input io.Reader, resultsCb formats.ParseReqRespCallback, filePath string) error {
-	decoder := YamlUtil.NewDecoder(input)
+	finalInput := input
+
+	// Apply text templating if enabled
+	if j.opts.VarsTextTemplating {
+		data, err := io.ReadAll(input)
+		if err != nil {
+			return errors.Wrap(err, "could not read input")
+		}
+		tpl := []string{string(data)}
+		dvs := mapToKeyValueSlice(j.opts.Variables)
+		finalData, err := ytt(tpl, dvs, j.opts.VarsFilePaths)
+		if err != nil {
+			return errors.Wrap(err, "could not apply ytt templating")
+		}
+		finalInput = bytes.NewReader(finalData)
+	}
+
+	decoder := YamlUtil.NewDecoder(finalInput)
 	for {
 		var request proxifyRequest
-		err := decoder.Decode(&request)
+		if err := decoder.Decode(&request); err != nil {
-		if err == io.EOF {
+			if err == io.EOF {
-			break
+				break
+			}
+			return errors.Wrap(err, "could not decode yaml file")
 		}
-		if err != nil {
+
-			return errors.Wrap(err, "could not decode json file")
+		raw := request.Request.Raw
-		}
+		if raw == "" {
-		if strings.TrimSpace(request.Request.Raw) == "" {
 			continue
 		}
 
-		rawRequest, err := types.ParseRawRequestWithURL(request.Request.Raw, request.URL)
+		rawRequest, err := types.ParseRawRequestWithURL(raw, request.URL)
 		if err != nil {
-			gologger.Warning().Msgf("multidoc-yaml: Could not parse raw request %s: %s\n", request.URL, err)
+			gologger.Warning().Msgf("multidoc-yaml: Could not parse raw request %s: %s", request.URL, err)
 			continue
 		}
 		resultsCb(rawRequest)

pkg/input/formats/yaml/multidoc_test.go

@@ -2,8 +2,10 @@ package yaml
 
 import (
 	"os"
+	"strings"
 	"testing"
 
+	"github.com/projectdiscovery/nuclei/v3/pkg/input/formats"
 	"github.com/projectdiscovery/nuclei/v3/pkg/input/types"
 	"github.com/stretchr/testify/require"
 )
@@ -33,3 +35,48 @@ func TestYamlFormatterParse(t *testing.T) {
 	require.Len(t, urls, len(expectedUrls), "invalid number of urls")
 	require.ElementsMatch(t, urls, expectedUrls, "invalid urls")
 }
+
+func TestYamlFormatterParseWithVariables(t *testing.T) {
+	format := New()
+	proxifyYttFile := "../testdata/ytt/ginandjuice.ytt.yaml"
+
+	expectedUrls := []string{
+		"https://ginandjuice.shop/users/3",
+	}
+
+	format.SetOptions(formats.InputFormatOptions{
+		VarsTextTemplating: true,
+		Variables: map[string]interface{}{
+			"foo": "catalog",
+			"bar": "product",
+		},
+	})
+	file, err := os.Open(proxifyYttFile)
+	require.Nilf(t, err, "error opening proxify ytt input file: %v", err)
+	defer func() {
+		_ = file.Close()
+	}()
+
+	var urls []string
+	err = format.Parse(file, func(request *types.RequestResponse) bool {
+		urls = append(urls, request.URL.String())
+		expectedRaw := `POST /users/3 HTTP/1.1
+Host: ginandjuice.shop
+Authorization: Bearer 3x4mpl3t0k3n
+Accept-Encoding: gzip
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
+
+foo="catalog"&bar=product&debug=false`
+		normalised := strings.ReplaceAll(request.Request.Raw, "\r\n", "\n")
+		require.Equal(t, expectedRaw, strings.TrimSuffix(normalised, "\n"), "request raw does not match expected value")
+
+		return false
+	}, proxifyYttFile)
+
+	require.Nilf(t, err, "error parsing yaml file: %v", err)
+	require.Len(t, urls, len(expectedUrls), "invalid number of urls")
+	require.ElementsMatch(t, urls, expectedUrls, "invalid urls")
+
+}

pkg/input/formats/yaml/ytt.go

@@ -0,0 +1,70 @@
+package yaml
+
+import (
+	"fmt"
+	"strings"
+
+	yttcmd "carvel.dev/ytt/pkg/cmd/template"
+	yttui "carvel.dev/ytt/pkg/cmd/ui"
+	yttfiles "carvel.dev/ytt/pkg/files"
+	"gopkg.in/yaml.v2"
+)
+
+func ytt(tpl, dvs []string, varFiles []string) ([]byte, error) {
+	// create and invoke ytt "template" command
+	templatingOptions := yttcmd.NewOptions()
+
+	input, err := templatesAsInput(tpl...)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(varFiles) > 0 {
+		// Load vaarFiles into the templating options.
+		templatingOptions.DataValuesFlags.FromFiles = varFiles
+	}
+
+	// equivalent to `--data-value-yaml`
+	templatingOptions.DataValuesFlags.KVsFromYAML = dvs
+
+	// for in-memory use, pipe output to "/dev/null"
+	noopUI := yttui.NewCustomWriterTTY(false, noopWriter{}, noopWriter{})
+
+	// Evaluate the template given the configured data values...
+	output := templatingOptions.RunWithFiles(input, noopUI)
+	if output.Err != nil {
+		return nil, output.Err
+	}
+
+	return output.DocSet.AsBytes()
+}
+
+// templatesAsInput conveniently wraps one or more strings, each in a files.File, into a template.Input.
+func templatesAsInput(tpl ...string) (yttcmd.Input, error) {
+	var files []*yttfiles.File
+	for i, t := range tpl {
+		// to make this less brittle, you'll probably want to use well-defined names for `path`, here, for each input.
+		// this matters when you're processing errors which report based on these paths.
+		file, err := yttfiles.NewFileFromSource(yttfiles.NewBytesSource(fmt.Sprintf("tpl%d.yml", i), []byte(t)))
+		if err != nil {
+			return yttcmd.Input{}, err
+		}
+
+		files = append(files, file)
+	}
+
+	return yttcmd.Input{Files: files}, nil
+}
+
+func mapToKeyValueSlice(m map[string]interface{}) []string {
+	var result []string
+	for k, v := range m {
+		y, _ := yaml.Marshal(v)
+		result = append(result, fmt.Sprintf("%s=%s", k, strings.TrimSpace(string(y))))
+	}
+	return result
+}
+
+type noopWriter struct{}
+
+func (w noopWriter) Write(data []byte) (int, error) { return len(data), nil }

pkg/input/provider/interface.go

@@ -18,14 +18,10 @@ import (
 )
 
 var (
-	ErrInactiveInput = fmt.Errorf("input is inactive")
+	ErrNotImplemented = errkit.New("provider does not implement method")
+	ErrInactiveInput  = fmt.Errorf("input is inactive")
 )
 
-// ErrNotImplemented returns an error when a provider does not implement a method
-func ErrNotImplemented(provider, method string) error {
-	return errkit.New(fmt.Sprintf("provider %s does not implement %s", provider, method)).Build()
-}
-
 const (
 	MultiFormatInputProvider = "MultiFormatInputProvider"
 	ListInputProvider        = "ListInputProvider"
@@ -120,6 +116,8 @@ func NewInputProvider(opts InputOptions) (InputProvider, error) {
 				Variables:            generators.MergeMaps(extraVars, opts.Options.Vars.AsMap()),
 				SkipFormatValidation: opts.Options.SkipFormatValidation,
 				RequiredOnly:         opts.Options.FormatUseRequiredOnly,
+				VarsTextTemplating:   opts.Options.VarsTextTemplating,
+				VarsFilePaths:        opts.Options.VarsFilePaths,
 			},
 		})
 	}

pkg/installer/template.go

@@ -80,7 +80,7 @@ func (t *TemplateManager) FreshInstallIfNotExists() error {
 	}
 	gologger.Info().Msgf("nuclei-templates are not installed, installing...")
 	if err := t.installTemplatesAt(config.DefaultConfig.TemplatesDirectory); err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("failed to install templates at %s", config.DefaultConfig.TemplatesDirectory)), err)
+		return errkit.Wrapf(err, "failed to install templates at %s", config.DefaultConfig.TemplatesDirectory)
 	}
 	if t.CustomTemplates != nil {
 		t.CustomTemplates.Download(context.TODO())
@@ -121,7 +121,7 @@ func (t *TemplateManager) UpdateIfOutdated() error {
 func (t *TemplateManager) installTemplatesAt(dir string) error {
 	if !fileutil.FolderExists(dir) {
 		if err := fileutil.CreateFolder(dir); err != nil {
-			return errkit.Append(errkit.New(fmt.Sprintf("failed to create directory at %s", dir)), err)
+			return errkit.Wrapf(err, "failed to create directory at %s", dir)
 		}
 	}
 	if t.DisablePublicTemplates {
@@ -130,12 +130,12 @@ func (t *TemplateManager) installTemplatesAt(dir string) error {
 	}
 	ghrd, err := updateutils.NewghReleaseDownloader(config.OfficialNucleiTemplatesRepoName)
 	if err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("failed to install templates at %s", dir)), err)
+		return errkit.Wrapf(err, "failed to install templates at %s", dir)
 	}
 
 	// write templates to disk
 	if err := t.writeTemplatesToDisk(ghrd, dir); err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("failed to write templates to disk at %s", dir)), err)
+		return errkit.Wrapf(err, "failed to write templates to disk at %s", dir)
 	}
 	gologger.Info().Msgf("Successfully installed nuclei-templates at %s", dir)
 	return nil
@@ -156,7 +156,7 @@ func (t *TemplateManager) updateTemplatesAt(dir string) error {
 
 	ghrd, err := updateutils.NewghReleaseDownloader(config.OfficialNucleiTemplatesRepoName)
 	if err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("failed to install templates at %s", dir)), err)
+		return errkit.Wrapf(err, "failed to install templates at %s", dir)
 	}
 
 	latestVersion := ghrd.Latest.GetTagName()
@@ -177,7 +177,7 @@ func (t *TemplateManager) updateTemplatesAt(dir string) error {
 	newchecksums, err := t.getChecksumFromDir(dir)
 	if err != nil {
 		// unlikely this case will happen
-		return errkit.Append(errkit.New(fmt.Sprintf("failed to get checksums from %s after update", dir)), err)
+		return errkit.Wrapf(err, "failed to get checksums from %s after update", dir)
 	}
 
 	// summarize all changes
@@ -299,7 +299,7 @@ func (t *TemplateManager) writeTemplatesToDisk(ghrd *updateutils.GHReleaseDownlo
 		bin, err := io.ReadAll(r)
 		if err != nil {
 			// if error occurs, iteration also stops
-			return errkit.Append(errkit.New(fmt.Sprintf("failed to read file %s", uri)), err)
+			return errkit.Wrapf(err, "failed to read file %s", uri)
 		}
 		// TODO: It might be better to just download index file from nuclei templates repo
 		// instead of creating it from scratch
@@ -310,7 +310,7 @@ func (t *TemplateManager) writeTemplatesToDisk(ghrd *updateutils.GHReleaseDownlo
 				if oldPath != writePath {
 					// write new template at a new path and delete old template
 					if err := os.WriteFile(writePath, bin, f.Mode()); err != nil {
-						return errkit.Append(errkit.New(fmt.Sprintf("failed to write file %s", uri)), err)
+						return errkit.Wrapf(err, "failed to write file %s", uri)
 					}
 					// after successful write, remove old template
 					if err := os.Remove(oldPath); err != nil {
@@ -325,20 +325,20 @@ func (t *TemplateManager) writeTemplatesToDisk(ghrd *updateutils.GHReleaseDownlo
 	}
 	err = ghrd.DownloadSourceWithCallback(!HideProgressBar, callbackFunc)
 	if err != nil {
-		return errkit.Append(errkit.New("failed to download templates"), err)
+		return errkit.Wrap(err, "failed to download templates")
 	}
 
 	if err := config.DefaultConfig.WriteTemplatesConfig(); err != nil {
-		return errkit.Append(errkit.New("failed to write templates config"), err)
+		return errkit.Wrap(err, "failed to write templates config")
 	}
 	// update ignore hash after writing new templates
 	if err := config.DefaultConfig.UpdateNucleiIgnoreHash(); err != nil {
-		return errkit.Append(errkit.New("failed to update nuclei ignore hash"), err)
+		return errkit.Wrap(err, "failed to update nuclei ignore hash")
 	}
 
 	// update templates version in config file
 	if err := config.DefaultConfig.SetTemplatesVersion(ghrd.Latest.GetTagName()); err != nil {
-		return errkit.Append(errkit.New("failed to update templates version"), err)
+		return errkit.Wrap(err, "failed to update templates version")
 	}
 
 	PurgeEmptyDirectories(dir)
@@ -348,11 +348,11 @@ func (t *TemplateManager) writeTemplatesToDisk(ghrd *updateutils.GHReleaseDownlo
 
 	index, err := config.GetNucleiTemplatesIndex()
 	if err != nil {
-		return errkit.Append(errkit.New("failed to get nuclei templates index"), err)
+		return errkit.Wrap(err, "failed to get nuclei templates index")
 	}
 
 	if err = config.DefaultConfig.WriteTemplatesIndex(index); err != nil {
-		return errkit.Append(errkit.New("failed to write nuclei templates index"), err)
+		return errkit.Wrap(err, "failed to write nuclei templates index")
 	}
 
 	if !HideReleaseNotes {
@@ -448,8 +448,5 @@ func (t *TemplateManager) calculateChecksumMap(dir string) (map[string]string, e
 		}
 		return nil
 	})
-	if err != nil {
+	return checksumMap, errkit.Wrap(err, "failed to calculate checksums of templates")
-		return nil, errkit.Append(errkit.New("failed to calculate checksums of templates"), err)
-	}
-	return checksumMap, nil
 }

pkg/installer/util.go

@@ -52,7 +52,7 @@ func getNewAdditionsFileFromGitHub(version string) ([]string, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, errkit.New("version not found").Build()
+		return nil, errkit.New("version not found")
 	}
 	data, err := io.ReadAll(resp.Body)
 	if err != nil {

pkg/js/devtools/tsgen/scrape.go

@@ -21,17 +21,17 @@ func (p *EntityParser) scrapeAndCreate(typeName string) error {
 	// get package
 	pkg, ok := p.imports[pkgName]
 	if !ok {
-		return errkit.New(fmt.Sprintf("package %v for type %v not found", pkgName, typeName)).Build()
+		return errkit.Newf("package %v for type %v not found", pkgName, typeName)
 	}
 	// get type
 	obj := pkg.Types.Scope().Lookup(baseTypeName)
 	if obj == nil {
-		return errkit.New(fmt.Sprintf("type %v not found in package %+v", typeName, pkg)).Build()
+		return errkit.Newf("type %v not found in package %+v", typeName, pkg)
 	}
 	// Ensure the object is a type name
 	typeNameObj, ok := obj.(*types.TypeName)
 	if !ok {
-		return errkit.New(fmt.Sprintf("%v is not a type name", typeName)).Build()
+		return errkit.Newf("%v is not a type name", typeName)
 	}
 	// Ensure the type is a named struct type
 	namedStruct, ok := typeNameObj.Type().Underlying().(*types.Struct)

pkg/js/generated/go/liboracle/oracle.go

@@ -15,12 +15,12 @@ func init() {
 	module.Set(
 		gojs.Objects{
 			// Functions
-			"IsOracle": lib_oracle.IsOracle,
 
 			// Var and consts
 
 			// Objects / Classes
 			"IsOracleResponse": gojs.GetClassConstructor[lib_oracle.IsOracleResponse](&lib_oracle.IsOracleResponse{}),
+			"OracleClient":     gojs.GetClassConstructor[lib_oracle.OracleClient](&lib_oracle.OracleClient{}),
 		},
 	).Register()
 }

pkg/js/generated/go/librdp/rdp.go

@@ -15,14 +15,16 @@ func init() {
 	module.Set(
 		gojs.Objects{
 			// Functions
-			"CheckRDPAuth": lib_rdp.CheckRDPAuth,
+			"CheckRDPAuth":       lib_rdp.CheckRDPAuth,
-			"IsRDP":        lib_rdp.IsRDP,
+			"CheckRDPEncryption": lib_rdp.CheckRDPEncryption,
+			"IsRDP":              lib_rdp.IsRDP,
 
 			// Var and consts
 
 			// Objects / Classes
-			"CheckRDPAuthResponse": gojs.GetClassConstructor[lib_rdp.CheckRDPAuthResponse](&lib_rdp.CheckRDPAuthResponse{}),
+			"CheckRDPAuthResponse":       gojs.GetClassConstructor[lib_rdp.CheckRDPAuthResponse](&lib_rdp.CheckRDPAuthResponse{}),
-			"IsRDPResponse":        gojs.GetClassConstructor[lib_rdp.IsRDPResponse](&lib_rdp.IsRDPResponse{}),
+			"CheckRDPEncryptionResponse": gojs.GetClassConstructor[lib_rdp.RDPEncryptionResponse](&lib_rdp.RDPEncryptionResponse{}),
+			"IsRDPResponse":              gojs.GetClassConstructor[lib_rdp.IsRDPResponse](&lib_rdp.IsRDPResponse{}),
 		},
 	).Register()
 }

pkg/js/generated/go/libvnc/vnc.go

@@ -21,6 +21,7 @@ func init() {
 
 			// Objects / Classes
 			"IsVNCResponse": gojs.GetClassConstructor[lib_vnc.IsVNCResponse](&lib_vnc.IsVNCResponse{}),
+			"VNCClient":     gojs.GetClassConstructor[lib_vnc.VNCClient](&lib_vnc.VNCClient{}),
 		},
 	).Register()
 }

pkg/js/generated/ts/oracle.ts

@@ -1,33 +1,106 @@
 
 
-/**
- * IsOracle checks if a host is running an Oracle server
- * @example
- * ```javascript
- * const oracle = require('nuclei/oracle');
- * const isOracle = oracle.IsOracle('acme.com', 1521);
- * log(toJSON(isOracle));
- * ```
- */
-export function IsOracle(host: string, port: number): IsOracleResponse | null {
-    return null;
-}
-
-
-
 /**
  * IsOracleResponse is the response from the IsOracle function.
  * this is returned by IsOracle function.
  * @example
  * ```javascript
  * const oracle = require('nuclei/oracle');
- * const isOracle = oracle.IsOracle('acme.com', 1521);
+ * const client = new oracle.OracleClient();
+ * const isOracle = client.IsOracle('acme.com', 1521);
  * ```
  */
 export interface IsOracleResponse {
-    
     IsOracle?: boolean,
-    
     Banner?: string,
 }
 
+/**
+ * Client is a client for Oracle database.
+ * Internally client uses go-ora driver.
+ * @example
+ * ```javascript
+ * const oracle = require('nuclei/oracle');
+ * const client = new oracle.OracleClient();
+ * ```
+ */
+export class OracleClient {
+    // Constructor of OracleClient
+    constructor() {}
+
+    /**
+     * Connect connects to an Oracle database
+     * @example
+     * ```javascript
+     * const oracle = require('nuclei/oracle');
+     * const client = new oracle.OracleClient();
+     * client.Connect('acme.com', 1521, 'XE', 'user', 'password');
+     * ```
+     */
+    public Connect(host: string, port: number, serviceName: string, username: string, password: string): boolean | null {
+        return null;
+    }
+
+    /**
+     * ConnectWithDSN connects to an Oracle database using a DSN string
+     * @example
+     * ```javascript
+     * const oracle = require('nuclei/oracle');
+     * const client = new oracle.OracleClient();
+     * client.ConnectWithDSN('oracle://user:password@host:port/service', 'SELECT @@version');
+     * ```
+     */
+    public ConnectWithDSN(dsn: string): boolean | null {
+        return null;
+    }
+
+    /**
+     * IsOracle checks if a host is running an Oracle server
+     * @example
+     * ```javascript
+     * const oracle = require('nuclei/oracle');
+     * const isOracle = oracle.IsOracle('acme.com', 1521);
+     * ```
+     */
+    public IsOracle(host: string, port: number): IsOracleResponse | null {
+        return null;
+    }
+
+    /**
+     * ExecuteQuery connects to Oracle database using given credentials and executes a query.
+     * It returns the results of the query or an error if something goes wrong.
+     * @example
+     * ```javascript
+     * const oracle = require('nuclei/oracle');
+     * const client = new oracle.OracleClient();
+     * const result = client.ExecuteQuery('acme.com', 1521, 'username', 'password', 'XE', 'SELECT * FROM dual');
+     * log(to_json(result));
+     * ```
+     */
+    public ExecuteQuery(host: string, port: number, username: string, password: string, dbName: string, query: string): SQLResult | null {
+        return null;
+    }
+
+    /**
+     * ExecuteQueryWithDSN executes a query on an Oracle database using a DSN
+     * @example
+     * ```javascript
+     * const oracle = require('nuclei/oracle');
+     * const client = new oracle.OracleClient();
+     * const result = client.ExecuteQueryWithDSN('oracle://user:password@host:port/service', 'SELECT * FROM dual');
+     * log(to_json(result));
+     * ```
+     */
+    public ExecuteQueryWithDSN(dsn: string, query: string): SQLResult | null {
+        return null;
+    }
+}
+
+/**
+ * SQLResult Interface
+ */
+export interface SQLResult {
+    Count?: number,
+    Columns?: string[],
+    Rows?: any[],
+}

pkg/js/generated/ts/rdp.ts

@@ -1,5 +1,3 @@
-
-
 /**
  * CheckRDPAuth checks if the given host and port are running rdp server
  * with authentication and returns their metadata.
@@ -15,7 +13,19 @@ export function CheckRDPAuth(host: string, port: number): CheckRDPAuthResponse |
     return null;
 }
 
-
+/**
+ * CheckRDPEncryption checks the RDP server's supported security layers and encryption levels.
+ * It tests different protocols and ciphers to determine what is supported.
+ * @example
+ * ```javascript
+ * const rdp = require('nuclei/rdp');
+ * const encryption = rdp.CheckRDPEncryption('acme.com', 3389);
+ * log(toJSON(encryption));
+ * ```
+ */
+export function CheckRDPEncryption(host: string, port: number): RDPEncryptionResponse | null {
+    return null;
+}
 
 /**
  * IsRDP checks if the given host and port are running rdp server.
@@ -33,8 +43,6 @@ export function IsRDP(host: string, port: number): IsRDPResponse | null {
     return null;
 }
 
-
-
 /**
  * CheckRDPAuthResponse is the response from the CheckRDPAuth function.
  * this is returned by CheckRDPAuth function.
@@ -52,7 +60,30 @@ export interface CheckRDPAuthResponse {
     Auth?: boolean,
 }
 
-
+/**
+ * RDPEncryptionResponse is the response from the CheckRDPEncryption function.
+ * This is returned by CheckRDPEncryption function.
+ * @example
+ * ```javascript
+ * const rdp = require('nuclei/rdp');
+ * const encryption = rdp.CheckRDPEncryption('acme.com', 3389);
+ * log(toJSON(encryption));
+ * ```
+ */
+export interface RDPEncryptionResponse {
+    // Security Layer Protocols
+    NativeRDP: boolean;
+    SSL: boolean;
+    CredSSP: boolean;
+    RDSTLS: boolean;
+    CredSSPWithEarlyUserAuth: boolean;
+    
+    // Encryption Levels
+    RC4_40bit: boolean;
+    RC4_56bit: boolean;
+    RC4_128bit: boolean;
+    FIPS140_1: boolean;
+}
 
 /**
  * IsRDPResponse is the response from the IsRDP function.
@@ -71,8 +102,6 @@ export interface IsRDPResponse {
     OS?: string,
 }
 
-
-
 /**
  * ServiceRDP Interface
  */

pkg/js/generated/ts/vnc.ts

@@ -33,3 +33,34 @@ export interface IsVNCResponse {
     Banner?: string,
 }
 
+/**
+ * VNCClient is a client for VNC servers.
+ * @example
+ * ```javascript
+ * const vnc = require('nuclei/vnc');
+ * const client = new vnc.VNCClient();
+ * ```
+ */
+export class VNCClient {
+    
+
+    // Constructor of VNCClient
+    constructor() {}
+    
+    /**
+    * Connect connects to VNC server using given password.
+    * If connection and authentication is successful, it returns true.
+    * If connection or authentication is unsuccessful, it returns false and error.
+    * The connection is closed after the function returns.
+    * @example
+    * ```javascript
+    * const vnc = require('nuclei/vnc');
+    * const client = new vnc.VNCClient();
+    * const connected = client.Connect('acme.com', 5900, 'password');
+    * ```
+    */
+    public Connect(host: string, port: number, password: string): boolean | null {
+        return null;
+    }
+}
+

pkg/js/global/scripts.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"embed"
-	"fmt"
 	"math/rand"
 	"net"
 	"reflect"
@@ -257,7 +256,7 @@ func RegisterNativeScripts(runtime *goja.Runtime) error {
 	// import default modules
 	_, err = runtime.RunString(defaultImports)
 	if err != nil {
-		return errkit.Append(errkit.New(fmt.Sprintf("could not import default modules %v", defaultImports)), err)
+		return errkit.Wrapf(err, "could not import default modules %v", defaultImports)
 	}
 
 	return nil

pkg/js/gojs/gojs.go

@@ -59,7 +59,7 @@ func wrapModuleFunc(runtime *goja.Runtime, fn interface{}) interface{} {
 	}
 
 	// Only wrap if first parameter is context.Context
-	if fnType.NumIn() == 0 || fnType.In(0) != reflect.TypeOf((*context.Context)(nil)).Elem() {
+	if fnType.NumIn() == 0 || fnType.In(0) != reflect.TypeFor[context.Context]() {
 		return fn // Return original function unchanged if it doesn't have context.Context as first arg
 	}
 

pkg/js/gojs/set.go

@@ -2,7 +2,6 @@ package gojs
 
 import (
 	"context"
-	"fmt"
 	"reflect"
 
 	"github.com/Mzack9999/goja"
@@ -10,8 +9,8 @@ import (
 )
 
 var (
-	ErrInvalidFuncOpts = errkit.New("invalid function options: %v").Build()
+	ErrInvalidFuncOpts = errkit.New("invalid function options")
-	ErrNilRuntime      = errkit.New("runtime is nil").Build()
+	ErrNilRuntime      = errkit.New("runtime is nil")
 )
 
 type FuncOpts struct {
@@ -35,7 +34,7 @@ func wrapWithContext(runtime *goja.Runtime, fn interface{}) interface{} {
 	}
 
 	// Only wrap if first parameter is context.Context
-	if fnType.NumIn() == 0 || fnType.In(0) != reflect.TypeOf((*context.Context)(nil)).Elem() {
+	if fnType.NumIn() == 0 || fnType.In(0) != reflect.TypeFor[context.Context]() {
 		return fn // Return original function unchanged if it doesn't have context.Context as first arg
 	}
 
@@ -84,7 +83,7 @@ func RegisterFuncWithSignature(runtime *goja.Runtime, opts FuncOpts) error {
 		return ErrNilRuntime
 	}
 	if !opts.valid() {
-		return errkit.New(fmt.Sprintf("invalid function options: name: %s, signatures: %v, description: %s", opts.Name, opts.Signatures, opts.Description)).Build()
+		return errkit.Newf("invalid function options: name: %s, signatures: %v, description: %s", opts.Name, opts.Signatures, opts.Description)
 	}
 
 	// Wrap the function with context injection

pkg/js/libs/mssql/mssql.go

@@ -63,7 +63,7 @@ func connect(executionId string, host string, port int, username string, passwor
 	}
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return false, protocolstate.ErrHostDenied(host)
+		return false, protocolstate.ErrHostDenied.Msgf(host)
 	}
 
 	target := net.JoinHostPort(host, fmt.Sprintf("%d", port))
@@ -118,7 +118,7 @@ func (c *MSSQLClient) IsMssql(ctx context.Context, host string, port int) (bool,
 func isMssql(executionId string, host string, port int) (bool, error) {
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return false, protocolstate.ErrHostDenied(host)
+		return false, protocolstate.ErrHostDenied.Msgf(host)
 	}
 
 	dialer := protocolstate.GetDialersWithId(executionId)
@@ -162,7 +162,7 @@ func (c *MSSQLClient) ExecuteQuery(ctx context.Context, host string, port int, u
 	}
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return nil, protocolstate.ErrHostDenied(host)
+		return nil, protocolstate.ErrHostDenied.Msgf(host)
 	}
 
 	target := net.JoinHostPort(host, fmt.Sprintf("%d", port))

pkg/js/libs/mysql/mysql.go

@@ -45,7 +45,7 @@ func (c *MySQLClient) IsMySQL(ctx context.Context, host string, port int) (bool,
 func isMySQL(executionId string, host string, port int) (bool, error) {
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return false, protocolstate.ErrHostDenied(host)
+		return false, protocolstate.ErrHostDenied.Msgf(host)
 	}
 	dialer := protocolstate.GetDialersWithId(executionId)
 	if dialer == nil {
@@ -85,7 +85,7 @@ func (c *MySQLClient) Connect(ctx context.Context, host string, port int, userna
 	executionId := ctx.Value("executionId").(string)
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return false, protocolstate.ErrHostDenied(host)
+		return false, protocolstate.ErrHostDenied.Msgf(host)
 	}
 
 	// executing queries implies the remote mysql service
@@ -144,7 +144,7 @@ func fingerprintMySQL(executionId string, host string, port int) (MySQLInfo, err
 	info := MySQLInfo{}
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return info, protocolstate.ErrHostDenied(host)
+		return info, protocolstate.ErrHostDenied.Msgf(host)
 	}
 	dialer := protocolstate.GetDialersWithId(executionId)
 	if dialer == nil {
@@ -209,7 +209,7 @@ func (c *MySQLClient) ExecuteQueryWithOpts(ctx context.Context, opts MySQLOption
 	executionId := ctx.Value("executionId").(string)
 	if !protocolstate.IsHostAllowed(executionId, opts.Host) {
 		// host is not valid according to network policy
-		return nil, protocolstate.ErrHostDenied(opts.Host)
+		return nil, protocolstate.ErrHostDenied.Msgf(opts.Host)
 	}
 
 	// executing queries implies the remote mysql service

pkg/js/libs/net/net.go

@@ -201,7 +201,7 @@ func (c *NetConn) RecvFull(N int) ([]byte, error) {
 	}
 	bin, err := reader.ConnReadNWithTimeout(c.conn, int64(N), c.timeout)
 	if err != nil {
-		return []byte{}, errkit.Append(errkit.New(fmt.Sprintf("failed to read %d bytes", N)), err)
+		return []byte{}, errkit.Wrapf(err, "failed to read %d bytes", N)
 	}
 	return bin, nil
 }
@@ -226,7 +226,7 @@ func (c *NetConn) Recv(N int) ([]byte, error) {
 	b := make([]byte, N)
 	n, err := c.conn.Read(b)
 	if err != nil {
-		return []byte{}, errkit.Append(errkit.New(fmt.Sprintf("failed to read %d bytes", N)), err)
+		return []byte{}, errkit.Wrapf(err, "failed to read %d bytes", N)
 	}
 	return b[:n], nil
 }

pkg/js/libs/oracle/oracle.go

@@ -2,6 +2,7 @@ package oracle
 
 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"net"
 	"strconv"
@@ -9,7 +10,9 @@ import (
 
 	"github.com/praetorian-inc/fingerprintx/pkg/plugins"
 	"github.com/praetorian-inc/fingerprintx/pkg/plugins/services/oracledb"
+	"github.com/projectdiscovery/nuclei/v3/pkg/js/utils"
 	"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/protocolstate"
+	goora "github.com/sijms/go-ora/v2"
 )
 
 type (
@@ -24,6 +27,16 @@ type (
 		IsOracle bool
 		Banner   string
 	}
+	// Client is a client for Oracle database.
+	// Internally client uses oracle/godror driver.
+	// @example
+	// ```javascript
+	// const oracle = require('nuclei/oracle');
+	// const client = new oracle.OracleClient();
+	// ```
+	OracleClient struct {
+		connector *goora.OracleConnector
+	}
 )
 
 // IsOracle checks if a host is running an Oracle server
@@ -33,7 +46,7 @@ type (
 // const isOracle = oracle.IsOracle('acme.com', 1521);
 // log(toJSON(isOracle));
 // ```
-func IsOracle(ctx context.Context, host string, port int) (IsOracleResponse, error) {
+func (c *OracleClient) IsOracle(ctx context.Context, host string, port int) (IsOracleResponse, error) {
 	executionId := ctx.Value("executionId").(string)
 	return memoizedisOracle(executionId, host, port)
 }
@@ -69,3 +82,129 @@ func isOracle(executionId string, host string, port int) (IsOracleResponse, erro
 	resp.IsOracle = true
 	return resp, nil
 }
+
+func (c *OracleClient) oracleDbInstance(connStr string, executionId string) (*goora.OracleConnector, error) {
+	if c.connector != nil {
+		return c.connector, nil
+	}
+
+	connector := goora.NewConnector(connStr)
+	oraConnector, ok := connector.(*goora.OracleConnector)
+	if !ok {
+		return nil, fmt.Errorf("failed to cast connector to OracleConnector")
+	}
+
+	// Create custom dialer wrapper
+	customDialer := &oracleCustomDialer{
+		executionId: executionId,
+	}
+
+	oraConnector.Dialer(customDialer)
+
+	c.connector = oraConnector
+
+	return oraConnector, nil
+}
+
+// Connect connects to an Oracle database
+// @example
+// ```javascript
+// const oracle = require('nuclei/oracle');
+// const client = new oracle.OracleClient;
+// client.Connect('acme.com', 1521, 'XE', 'user', 'password');
+// ```
+func (c *OracleClient) Connect(ctx context.Context, host string, port int, serviceName string, username string, password string) (bool, error) {
+	connStr := goora.BuildUrl(host, port, serviceName, username, password, nil)
+
+	return c.ConnectWithDSN(ctx, connStr)
+}
+
+func (c *OracleClient) ConnectWithDSN(ctx context.Context, dsn string) (bool, error) {
+	executionId := ctx.Value("executionId").(string)
+
+	connector, err := c.oracleDbInstance(dsn, executionId)
+	if err != nil {
+		return false, err
+	}
+
+	db := sql.OpenDB(connector)
+	defer func() {
+		_ = db.Close()
+	}()
+
+	db.SetMaxOpenConns(1)
+	db.SetMaxIdleConns(0)
+
+	// Test the connection
+	err = db.Ping()
+	if err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
+// ExecuteQuery connects to MS SQL database using given credentials and executes a query.
+// It returns the results of the query or an error if something goes wrong.
+// @example
+// ```javascript
+// const oracle = require('nuclei/oracle');
+// const client = new oracle.OracleClient;
+// const result = client.ExecuteQuery('acme.com', 1521, 'username', 'password', 'XE', 'SELECT @@version');
+// log(to_json(result));
+// ```
+func (c *OracleClient) ExecuteQuery(ctx context.Context, host string, port int, username, password, dbName, query string) (*utils.SQLResult, error) {
+	if host == "" || port <= 0 {
+		return nil, fmt.Errorf("invalid host or port")
+	}
+
+	isOracleResp, err := c.IsOracle(ctx, host, port)
+	if err != nil {
+		return nil, err
+	}
+	if !isOracleResp.IsOracle {
+		return nil, fmt.Errorf("not a oracle service")
+	}
+
+	connStr := goora.BuildUrl(host, port, dbName, username, password, nil)
+
+	return c.ExecuteQueryWithDSN(ctx, connStr, query)
+}
+
+// ExecuteQueryWithDSN executes a query on an Oracle database using a DSN
+// @example
+// ```javascript
+// const oracle = require('nuclei/oracle');
+// const client = new oracle.OracleClient;
+// const result = client.ExecuteQueryWithDSN('oracle://user:password@host:port/service', 'SELECT @@version');
+// log(to_json(result));
+// ```
+func (c *OracleClient) ExecuteQueryWithDSN(ctx context.Context, dsn string, query string) (*utils.SQLResult, error) {
+	executionId := ctx.Value("executionId").(string)
+
+	connector, err := c.oracleDbInstance(dsn, executionId)
+	if err != nil {
+		return nil, err
+	}
+	db := sql.OpenDB(connector)
+	defer func() {
+		_ = db.Close()
+	}()
+
+	db.SetMaxOpenConns(1)
+	db.SetMaxIdleConns(0)
+
+	rows, err := db.Query(query)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := utils.UnmarshalSQLRows(rows)
+	if err != nil {
+		if data != nil && len(data.Rows) > 0 {
+			return data, nil
+		}
+		return nil, err
+	}
+	return data, nil
+}

pkg/js/libs/oracle/oracledialer.go

@@ -0,0 +1,42 @@
+package oracle
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"time"
+
+	"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/protocolstate"
+)
+
+// oracleCustomDialer implements the dialer interface expected by go-ora
+type oracleCustomDialer struct {
+	executionId string
+}
+
+func (o *oracleCustomDialer) dialWithCtx(ctx context.Context, network, address string) (net.Conn, error) {
+	dialers := protocolstate.GetDialersWithId(o.executionId)
+	if dialers == nil {
+		return nil, fmt.Errorf("dialers not initialized for %s", o.executionId)
+	}
+	if !protocolstate.IsHostAllowed(o.executionId, address) {
+		// host is not valid according to network policy
+		return nil, protocolstate.ErrHostDenied.Msgf(address)
+	}
+	return dialers.Fastdialer.Dial(ctx, network, address)
+}
+
+func (o *oracleCustomDialer) Dial(network, address string) (net.Conn, error) {
+	return o.dialWithCtx(context.TODO(), network, address)
+}
+
+func (o *oracleCustomDialer) DialTimeout(network, address string, timeout time.Duration) (net.Conn, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	return o.dialWithCtx(ctx, network, address)
+}
+
+func (o *oracleCustomDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	return o.dialWithCtx(ctx, network, address)
+}

pkg/js/libs/postgres/postgres.go

@@ -122,7 +122,7 @@ func (c *PGClient) ExecuteQuery(ctx context.Context, host string, port int, user
 func executeQuery(executionId string, host string, port int, username string, password string, dbName string, query string) (*utils.SQLResult, error) {
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return nil, protocolstate.ErrHostDenied(host)
+		return nil, protocolstate.ErrHostDenied.Msgf(host)
 	}
 
 	target := net.JoinHostPort(host, fmt.Sprintf("%d", port))
@@ -179,7 +179,7 @@ func connect(executionId string, host string, port int, username string, passwor
 
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return false, protocolstate.ErrHostDenied(host)
+		return false, protocolstate.ErrHostDenied.Msgf(host)
 	}
 
 	target := net.JoinHostPort(host, fmt.Sprintf("%d", port))

pkg/js/libs/rdp/memo.rdp.go

@@ -39,3 +39,19 @@ func memoizedcheckRDPAuth(executionId string, host string, port int) (CheckRDPAu
 
 	return CheckRDPAuthResponse{}, errors.New("could not convert cached result")
 }
+
+func memoizedcheckRDPEncryption(executionId string, host string, port int) (RDPEncryptionResponse, error) {
+	hash := "checkRDPEncryption" + ":" + fmt.Sprint(host) + ":" + fmt.Sprint(port)
+
+	v, err, _ := protocolstate.Memoizer.Do(hash, func() (interface{}, error) {
+		return checkRDPEncryption(executionId, host, port)
+	})
+	if err != nil {
+		return RDPEncryptionResponse{}, err
+	}
+	if value, ok := v.(RDPEncryptionResponse); ok {
+		return value, nil
+	}
+
+	return RDPEncryptionResponse{}, errors.New("could not convert cached result")
+}

pkg/js/libs/rdp/rdp.go

@@ -3,6 +3,8 @@ package rdp
 import (
 	"context"
 	"fmt"
+	"net"
+	"strconv"
 	"time"
 
 	"github.com/praetorian-inc/fingerprintx/pkg/plugins"
@@ -127,3 +129,211 @@ func checkRDPAuth(executionId string, host string, port int) (CheckRDPAuthRespon
 	resp.PluginInfo = pluginInfo
 	return resp, nil
 }
+
+type (
+	SecurityLayer string
+)
+
+const (
+	SecurityLayerNativeRDP                = "NativeRDP"
+	SecurityLayerSSL                      = "SSL"
+	SecurityLayerCredSSP                  = "CredSSP"
+	SecurityLayerRDSTLS                   = "RDSTLS"
+	SecurityLayerCredSSPWithEarlyUserAuth = "CredSSPWithEarlyUserAuth"
+)
+
+type (
+	EncryptionLevel string
+)
+
+const (
+	EncryptionLevelRC4_40bit  = "RC4_40bit"
+	EncryptionLevelRC4_56bit  = "RC4_56bit"
+	EncryptionLevelRC4_128bit = "RC4_128bit"
+	EncryptionLevelFIPS140_1  = "FIPS140_1"
+)
+
+type (
+	// RDPEncryptionResponse is the response from the CheckRDPEncryption function.
+	// This is returned by CheckRDPEncryption function.
+	// @example
+	// ```javascript
+	// const rdp = require('nuclei/rdp');
+	// const encryption = rdp.CheckRDPEncryption('acme.com', 3389);
+	// log(toJSON(encryption));
+	// ```
+	RDPEncryptionResponse struct {
+		// Protocols
+		NativeRDP                bool
+		SSL                      bool
+		CredSSP                  bool
+		RDSTLS                   bool
+		CredSSPWithEarlyUserAuth bool
+
+		// EncryptionLevels
+		RC4_40bit  bool
+		RC4_56bit  bool
+		RC4_128bit bool
+		FIPS140_1  bool
+	}
+)
+
+// CheckRDPEncryption checks the RDP server's supported security layers and encryption levels.
+// It tests different protocols and ciphers to determine what is supported.
+// @example
+// ```javascript
+// const rdp = require('nuclei/rdp');
+// const encryption = rdp.CheckRDPEncryption('acme.com', 3389);
+// log(toJSON(encryption));
+// ```
+func CheckRDPEncryption(ctx context.Context, host string, port int) (RDPEncryptionResponse, error) {
+	executionId := ctx.Value("executionId").(string)
+	return memoizedcheckRDPEncryption(executionId, host, port)
+}
+
+// @memo
+func checkRDPEncryption(executionId string, host string, port int) (RDPEncryptionResponse, error) {
+	dialer := protocolstate.GetDialersWithId(executionId)
+	if dialer == nil {
+		return RDPEncryptionResponse{}, fmt.Errorf("dialers not initialized for %s", executionId)
+	}
+	resp := RDPEncryptionResponse{}
+	defaultTimeout := 5 * time.Second
+
+	// Test different security protocols
+	protocols := map[SecurityLayer]int{
+		SecurityLayerNativeRDP:                0,
+		SecurityLayerSSL:                      1,
+		SecurityLayerCredSSP:                  3,
+		SecurityLayerRDSTLS:                   4,
+		SecurityLayerCredSSPWithEarlyUserAuth: 8,
+	}
+
+	for name, value := range protocols {
+		ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
+		defer cancel()
+		conn, err := dialer.Fastdialer.Dial(ctx, "tcp", net.JoinHostPort(host, strconv.Itoa(port)))
+		if err != nil {
+			continue
+		}
+		defer func() {
+			_ = conn.Close()
+		}()
+
+		// Test protocol
+		isRDP, err := testRDPProtocol(conn, value)
+		if err == nil && isRDP {
+			switch SecurityLayer(name) {
+			case SecurityLayerNativeRDP:
+				resp.NativeRDP = true
+			case SecurityLayerSSL:
+				resp.SSL = true
+			case SecurityLayerCredSSP:
+				resp.CredSSP = true
+			case SecurityLayerRDSTLS:
+				resp.RDSTLS = true
+			case SecurityLayerCredSSPWithEarlyUserAuth:
+				resp.CredSSPWithEarlyUserAuth = true
+			}
+		}
+	}
+
+	// Test different encryption levels
+	ciphers := map[EncryptionLevel]int{
+		EncryptionLevelRC4_40bit:  1,
+		EncryptionLevelRC4_56bit:  8,
+		EncryptionLevelRC4_128bit: 2,
+		EncryptionLevelFIPS140_1:  16,
+	}
+
+	for encryptionLevel, value := range ciphers {
+		ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
+		defer cancel()
+		conn, err := dialer.Fastdialer.Dial(ctx, "tcp", net.JoinHostPort(host, strconv.Itoa(port)))
+		if err != nil {
+			continue
+		}
+		defer func() {
+			_ = conn.Close()
+		}()
+
+		// Test cipher
+		isRDP, err := testRDPCipher(conn, value)
+		if err == nil && isRDP {
+			switch encryptionLevel {
+			case EncryptionLevelRC4_40bit:
+				resp.RC4_40bit = true
+			case EncryptionLevelRC4_56bit:
+				resp.RC4_56bit = true
+			case EncryptionLevelRC4_128bit:
+				resp.RC4_128bit = true
+			case EncryptionLevelFIPS140_1:
+				resp.FIPS140_1 = true
+			}
+		}
+	}
+
+	return resp, nil
+}
+
+// testRDPProtocol tests RDP with a specific security protocol
+func testRDPProtocol(conn net.Conn, protocol int) (bool, error) {
+	// Send RDP connection request with specific protocol
+	// This is a simplified version - in reality you'd need to implement the full RDP protocol
+	// including the negotiation phase with the specified protocol
+	_, err := conn.Write([]byte{0x03, 0x00, 0x00, 0x13, 0x0e, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00, byte(protocol), 0x00, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00})
+	if err != nil {
+		return false, err
+	}
+
+	// Read response
+	buf := make([]byte, 1024)
+	n, err := conn.Read(buf)
+	if err != nil {
+		return false, err
+	}
+
+	// Check if response indicates RDP
+	if n >= 19 && buf[0] == 0x03 && buf[1] == 0x00 && buf[2] == 0x00 {
+		// For CredSSP and CredSSP with Early User Auth, we need to check for NLA support
+		if protocol == 3 || protocol == 8 {
+			// Check for NLA support in the response
+			if n >= 19 && buf[18]&0x01 != 0 {
+				return true, nil
+			}
+			return false, nil
+		}
+		return true, nil
+	}
+
+	return false, nil
+}
+
+// testRDPCipher tests RDP with a specific encryption level
+func testRDPCipher(conn net.Conn, cipher int) (bool, error) {
+	// Send RDP connection request with specific cipher
+	// This is a simplified version - in reality you'd need to implement the full RDP protocol
+	// including the negotiation phase with the specified cipher
+	_, err := conn.Write([]byte{0x03, 0x00, 0x00, 0x13, 0x0e, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, byte(cipher), 0x03, 0x00, 0x00, 0x00})
+	if err != nil {
+		return false, err
+	}
+
+	// Read response
+	buf := make([]byte, 1024)
+	n, err := conn.Read(buf)
+	if err != nil {
+		return false, err
+	}
+
+	// Check if response indicates RDP
+	if n >= 19 && buf[0] == 0x03 && buf[1] == 0x00 && buf[2] == 0x00 {
+		// Check for encryption level support in the response
+		if n >= 19 && buf[18]&byte(cipher) != 0 {
+			return true, nil
+		}
+		return false, nil
+	}
+
+	return false, nil
+}

pkg/js/libs/redis/redis.go

@@ -27,7 +27,7 @@ func GetServerInfo(ctx context.Context, host string, port int) (string, error) {
 func getServerInfo(executionId string, host string, port int) (string, error) {
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return "", protocolstate.ErrHostDenied(host)
+		return "", protocolstate.ErrHostDenied.Msgf(host)
 	}
 	// create a new client
 	client := redis.NewClient(&redis.Options{
@@ -69,7 +69,7 @@ func Connect(ctx context.Context, host string, port int, password string) (bool,
 func connect(executionId string, host string, port int, password string) (bool, error) {
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return false, protocolstate.ErrHostDenied(host)
+		return false, protocolstate.ErrHostDenied.Msgf(host)
 	}
 	// create a new client
 	client := redis.NewClient(&redis.Options{
@@ -109,7 +109,7 @@ func GetServerInfoAuth(ctx context.Context, host string, port int, password stri
 func getServerInfoAuth(executionId string, host string, port int, password string) (string, error) {
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return "", protocolstate.ErrHostDenied(host)
+		return "", protocolstate.ErrHostDenied.Msgf(host)
 	}
 	// create a new client
 	client := redis.NewClient(&redis.Options{
@@ -181,7 +181,7 @@ func RunLuaScript(ctx context.Context, host string, port int, password string, s
 	executionId := ctx.Value("executionId").(string)
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return false, protocolstate.ErrHostDenied(host)
+		return false, protocolstate.ErrHostDenied.Msgf(host)
 	}
 	// create a new client
 	client := redis.NewClient(&redis.Options{

pkg/js/libs/smb/smb.go

@@ -43,7 +43,7 @@ func (c *SMBClient) ConnectSMBInfoMode(ctx context.Context, host string, port in
 func connectSMBInfoMode(executionId string, host string, port int) (*smb.SMBLog, error) {
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return nil, protocolstate.ErrHostDenied(host)
+		return nil, protocolstate.ErrHostDenied.Msgf(host)
 	}
 	dialer := protocolstate.GetDialersWithId(executionId)
 	if dialer == nil {
@@ -90,7 +90,7 @@ func (c *SMBClient) ListSMBv2Metadata(ctx context.Context, host string, port int
 	executionId := ctx.Value("executionId").(string)
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return nil, protocolstate.ErrHostDenied(host)
+		return nil, protocolstate.ErrHostDenied.Msgf(host)
 	}
 	return memoizedcollectSMBv2Metadata(executionId, host, port, 5*time.Second)
 }
@@ -119,7 +119,7 @@ func (c *SMBClient) ListShares(ctx context.Context, host string, port int, user,
 func listShares(executionId string, host string, port int, user string, password string) ([]string, error) {
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return nil, protocolstate.ErrHostDenied(host)
+		return nil, protocolstate.ErrHostDenied.Msgf(host)
 	}
 	dialer := protocolstate.GetDialersWithId(executionId)
 	if dialer == nil {

pkg/js/libs/smb/smbghost.go

@@ -35,7 +35,7 @@ func (c *SMBClient) DetectSMBGhost(ctx context.Context, host string, port int) (
 func detectSMBGhost(executionId string, host string, port int) (bool, error) {
 	if !protocolstate.IsHostAllowed(executionId, host) {
 		// host is not valid according to network policy
-		return false, protocolstate.ErrHostDenied(host)
+		return false, protocolstate.ErrHostDenied.Msgf(host)
 	}
 	addr := net.JoinHostPort(host, strconv.Itoa(port))
 	dialer := protocolstate.GetDialersWithId(executionId)

pkg/js/libs/smtp/smtp.go

@@ -68,7 +68,7 @@ func NewSMTPClient(call goja.ConstructorCall, runtime *goja.Runtime) *goja.Objec
 	executionId := c.nj.ExecutionId()
 
 	// check if this is allowed address
-	c.nj.Require(protocolstate.IsHostAllowed(executionId, host+":"+port), protocolstate.ErrHostDenied(host+":"+port).Error())
+	c.nj.Require(protocolstate.IsHostAllowed(executionId, host+":"+port), protocolstate.ErrHostDenied.Msgf(host+":"+port).Error())
 
 	// Link Constructor to Client and return
 	return utils.LinkConstructor(call, runtime, c)

pkg/js/libs/ssh/ssh.go

@@ -129,7 +129,7 @@ func (c *SSHClient) ConnectSSHInfoMode(ctx context.Context, host string, port in
 // ```
 func (c *SSHClient) Run(cmd string) (string, error) {
 	if c.connection == nil {
-		return "", errkit.New("no connection").Build()
+		return "", errkit.New("no connection")
 	}
 	session, err := c.connection.NewSession()
 	if err != nil {
@@ -177,14 +177,14 @@ type connectOptions struct {
 
 func (c *connectOptions) validate() error {
 	if c.Host == "" {
-		return errkit.New("host is required").Build()
+		return errkit.New("host is required")
 	}
 	if c.Port <= 0 {
-		return errkit.New("port is required").Build()
+		return errkit.New("port is required")
 	}
 	if !protocolstate.IsHostAllowed(c.ExecutionId, c.Host) {
 		// host is not valid according to network policy
-		return protocolstate.ErrHostDenied(c.Host)
+		return protocolstate.ErrHostDenied.Msgf(c.Host)
 	}
 	if c.Timeout == 0 {
 		c.Timeout = 10 * time.Second

pkg/js/libs/vnc/vnc.go

@@ -7,9 +7,11 @@ import (
 	"strconv"
 	"time"
 
+	vnclib "github.com/alexsnet/go-vnc"
 	"github.com/praetorian-inc/fingerprintx/pkg/plugins"
-	"github.com/praetorian-inc/fingerprintx/pkg/plugins/services/vnc"
+	vncplugin "github.com/praetorian-inc/fingerprintx/pkg/plugins/services/vnc"
 	"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/protocolstate"
+	stringsutil "github.com/projectdiscovery/utils/strings"
 )
 
 type (
@@ -24,8 +26,89 @@ type (
 		IsVNC  bool
 		Banner string
 	}
+
+	// VNCClient is a client for VNC servers.
+	// @example
+	// ```javascript
+	// const vnc = require('nuclei/vnc');
+	// const client = new vnc.VNCClient();
+	// const connected = client.Connect('acme.com', 5900, 'password');
+	// log(toJSON(connected));
+	// ```
+	VNCClient struct{}
 )
 
+// Connect connects to VNC server using given password.
+// If connection and authentication is successful, it returns true.
+// If connection or authentication is unsuccessful, it returns false and error.
+// The connection is closed after the function returns.
+// @example
+// ```javascript
+// const vnc = require('nuclei/vnc');
+// const client = new vnc.VNCClient();
+// const connected = client.Connect('acme.com', 5900, 'password');
+// ```
+func (c *VNCClient) Connect(ctx context.Context, host string, port int, password string) (bool, error) {
+	executionId := ctx.Value("executionId").(string)
+	return connect(executionId, host, port, password)
+}
+
+// connect attempts to authenticate with a VNC server using the given password
+func connect(executionId string, host string, port int, password string) (bool, error) {
+	if host == "" || port <= 0 {
+		return false, fmt.Errorf("invalid host or port")
+	}
+	if !protocolstate.IsHostAllowed(executionId, host) {
+		// host is not valid according to network policy
+		return false, protocolstate.ErrHostDenied.Msgf(host)
+	}
+
+	dialer := protocolstate.GetDialersWithId(executionId)
+	if dialer == nil {
+		return false, fmt.Errorf("dialers not initialized for %s", executionId)
+	}
+
+	conn, err := dialer.Fastdialer.Dial(context.TODO(), "tcp", net.JoinHostPort(host, strconv.Itoa(port)))
+	if err != nil {
+		return false, err
+	}
+	defer func() {
+		_ = conn.Close()
+	}()
+
+	// Set connection timeout
+	_ = conn.SetDeadline(time.Now().Add(10 * time.Second))
+
+	// Create VNC client config with password
+	vncConfig := vnclib.NewClientConfig(password)
+
+	// Attempt to connect and authenticate
+	c, err := vnclib.Connect(context.TODO(), conn, vncConfig)
+	if err != nil {
+		// Check for specific authentication errors
+		if isAuthError(err) {
+			return false, nil // Authentication failed, but connection succeeded
+		}
+		return false, err // Connection or other error
+	}
+	if c != nil {
+		_ = c.Close()
+	}
+
+	return true, nil
+}
+
+// isAuthError checks if the error is an authentication failure
+func isAuthError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	// Check for common VNC authentication error messages
+	errStr := err.Error()
+	return stringsutil.ContainsAnyI(errStr, "authentication", "auth", "password", "invalid", "failed")
+}
+
 // IsVNC checks if a host is running a VNC server.
 // It returns a boolean indicating if the host is running a VNC server
 // and the banner of the VNC server.
@@ -57,7 +140,7 @@ func isVNC(executionId string, host string, port int) (IsVNCResponse, error) {
 		_ = conn.Close()
 	}()
 
-	vncPlugin := vnc.VNCPlugin{}
+	vncPlugin := vncplugin.VNCPlugin{}
 	service, err := vncPlugin.Run(conn, timeout, plugins.Target{Host: host})
 	if err != nil {
 		return resp, err