Severity: medium to high

Briefing

When using ffuf, multiple wordlists can be used and the output can be saved in various formats. When multiple keywords are used, the allocation from the keyword to the value is incorrect for csv and html reports. For csv, some values from one wordlist appear in the column for another wordlist, while for html two whole columns are swapped.

Expected Result:

When using multiple wordlists, all values are allocated to their respective wordlists in the report.

Actual Result:

For csv, some values from one wordlist appear in the column for another wordlist, while for html two whole columns are swapped.

Steps to reproduce:

Precondition: a fuzzable test target is available

1. Execute ffuf against the test target using multiple wordlists and choose the csv/html output
   I.e.: ffuf -u http://10.10.10.5/DIR/SUB/FILE -w testdata/dirs.txt:DIR -w testdata/subs.txt:SUB -w testdata/files.txt:FILE -mc 404 -of html -o reports/report.html -s
2. Open the report and observe the columns for the keywords
   --> The values are not allocated to their respective wordlist.

Testdata

dirs.txt:
dir1
dir2
dir3

subs.txt:
subdir1
subdir2
subdir3

files.txt:
file1
file2
file3

Environment

Device: Virtual Box VM
OS: Kali Linux 2025.2
Version: v2.1.0-dev

Attachments

csv:

report.csv

html: