Releases: danielmiessler/SecLists

2025.3

19 Sep 05:50

Important changes

📛 Deprecated DirBuster wordlists

The dirbuster wordlists were made in 2007, and are now considered obsolete. Instead, these wordlists are recommended for testing modern web environments:

  • Discovery/Web-Content/combined_words.txt
  • Discovery/Web-Content/combined_directories.txt

Both of these wordlists are composed of various other wordlists in that same directory, and are automatically updated whenever one of their components is modified. For more information see the README.md for Discovery/Web-Content.

The dirbuster wordlists will remain in SecLists, but they now carry the DirBuster-2007 prefix to highlight their age.


📛 Dangerous SQLi payloads

The SQL Injection wordlists contained in Fuzzing/Databases/SQLi are not safe to use in production environments. Many of those wordlists contain potentially destructive queries that may permanently delete data in any database they are used on. A warning has been added to the README.md for that directory. For more information, see issue #1011.


New content

  • ✨ feat(wordlist): Created Active Directory wordlist (PR #1224)
  • ✨ feat(docs): Added "GENOVEVA" tool to readme (PR #1200)
  • ✨ feat(docs): Added alternative reference to docs
  • ✨ feat(docs): Added documentation for the 'cirt-net_collection.txt' wordlist
  • ✨ feat(docs): Added documentation for the 'Java-Spring-Boot.txt' wordlist
  • ✨ feat(docs): Added documentation for the 'xato-net-10-million-passwords' wordlists
  • ✨ feat(wordlist): Added 'encryptionkeys' directory to 'common_directories.txt'
  • ✨ feat(wordlist): Added /etc/apache2/.htpasswd to LFI fuzzing lists (PR #1223)
  • ✨ feat(wordlist): Added a dictionary for Model Context Protocol server discovery. (PR #1216)
  • ✨ feat(wordlist): Added common Spanish names and words (PR #1199)
  • ✨ feat(wordlist): Added default SSH password "padmin:padmin" for IBM Power Systems (PR #1211)
  • ✨ feat(wordlist): Added IANA mime-types to "web-all-content-types.txt" (PR #1204)
  • ✨ feat(wordlist): Added mcp-server.txt entries to common.txt
  • ✨ feat(wordlist): Added more OBEX common filenames and cleaned OBEX wordlists (PR #1249)
  • ✨ feat(wordlist): Added more permutations to 'common_directories.txt'
  • ✨ feat(wordlist): Added more swagger endpoints (PR #1219)
  • ✨ feat(wordlist): Added new payload to 'SAP' wordlist (PR #1196)
  • ✨ feat(wordlist): Added prefixes to deal with Java-Spring-Boot being behind spring-cloud-gateway (PR #1220)
  • ✨ feat(wordlist): Added Quectel to default-passwords.csv + updated default-passwords.txt (PR #1208)
  • ✨ feat(wordlist): Added readme.md to "Discovery/Web-Content/big.txt" (PR #1248)
  • ✨ feat(wordlist): Added YYYY-MM-DD dates wordlists (PR #1217)

Other changes

  • 🐛 fix(wordlist): Added 'DirBuster-2007' prefix to all DirBuster wordlists
  • 🐛 fix(cicd): Removed trailing spaces from wordlist-updater_default-passwords.yml (PR #1243)
  • 🐛 fix(cicd): Updated paths in the 'Wordlist Updater - Combined directories' pipeline
  • 🐛 fix(docs): Updated filenames that compose 'combined_directories.txt'
  • 🐛 fix(wordlist): Cleaned up '100k-most-used-passwords-NCSC.txt' (PR #1235)
  • 🐛 fix(wordlist): Fixed encoding in "100k-most-used-passwords-NCSC.txt" (PR #1226)
  • 🐛 fix(wordlist): Updated curl-protocols wordlist (PR #1237)
  • 🔧 chore(wordlist): Moved 'curl-protocols.txt' wordlist to the 'Fuzzing' directory

New Contributors

Full Changelog: 2025.2...2025.3

2025.2

25 Apr 23:57

🎉 The second release of 2025! 🎉
Lead Contributor: @ItsIgnacioPortal

Highlights

🌟 Two new tools for creating and manipulating wordlists have been added to the main readme:

🌟 Two 10 Million+ wordlists have been added for subdomain fuzzing/discovery (contributed by @CYFARE):

  • Discovery/DNS/FUZZSUBS_CYFARE_1.txt
  • Discovery/DNS/FUZZSUBS_CYFARE_2.txt

🛠 All words wordlists have been moved into the directory Miscellaneous/Words/.

🌐 And many other miscellaneous fixes and improvements.

Full Changelog

🌟 New content

  • 🌟 feat(wordlist): Add more keyboard walks (PR #1183) - BuildAndDestroy
  • 🌟 feat(wordlist): Added 'Pipfile' entries to 'common.txt' (PR #1187) - Dominique RIGHETTO
  • 🌟 feat(wordlist): Added image/jpg to web-all-content-types.txt (PR #1190) - bl13pbl03p
  • 🌟 feat(wordlist): Added DNS subdomain 'take-survey' (PR #1182) - jvardikar
  • 🌟 feat(wordlist): Added new combo to 'ssh-betterdefaultpasslist.txt' Implements #1180 - ItsIgnacioPortal
  • 🌟 feat(wordlist): Content type application/x-httpd-php - zar3bski
  • 🌟 feat(wordlist): Created 10 Million+ List For Subdomain Fuzzing/Discovery - CYFARE

🛠 Fixes & Improvements

  • 🛠 fix(wordlist): Added missing terms to API Actions wordlist - ItsIgnacioPortal
  • 🛠 fix(wordlist): Fixed file extension of the 'corporate_passwords' wordlist - ItsIgnacioPortal
  • 🛠 fix(wordlist): Merged duplicate dutch wordlists - ItsIgnacioPortal
  • 🛠 fix(wordlist): Removed religious term from wordlist (PR #1181) - Machiavelli
  • 🛠 fix(wordlist): Renamed 'german_misc.txt' to 'German-words.txt' - ItsIgnacioPortal
  • 🛠 fix(wordlist): Renamed 'richelieu' french passwords wordlists - ItsIgnacioPortal
  • 🛠 fix(docs): Added reference to the pwdb-public project - ItsIgnacioPortal
  • 🛠 fix(docs): Fixed bad formatting on Discovery/Web-Content readme - ItsIgnacioPortal
  • 🛠 fix(docs): Fixed formatting on EFF-Dice documentation - ItsIgnacioPortal
  • 🛠 fix(docs): Fixed wording on the 'Cook' tool description - ItsIgnacioPortal
  • 🛠 fix(docs): Removed duplicate content from readme - ItsIgnacioPortal
  • 🛠 fix(cicd): More descriptive workflow names - ItsIgnacioPortal
  • 🛠 fix(cicd): Updated 'GITHUB_REPOSITORY' variable name - ItsIgnacioPortal
  • 🛠 fix(cicd): Updated 'tj-actions/changed-files' from v34 to v45.0.7 - ItsIgnacioPortal

📖 Documentation

  • 📖 feat(docs): Added 'CeWL' tool - ItsIgnacioPortal
  • 📖 feat(docs): Added 'wl' tool - ItsIgnacioPortal
  • 📖 feat(docs): Added 'Wordlist Tools' category to main README - ItsIgnacioPortal
  • 📖 feat(docs): Added documentation for 'French-common-password-list-top-*' - ItsIgnacioPortal
  • 📖 feat(docs): Added documentation for 'probable-v2-top*' - ItsIgnacioPortal
  • 📖 feat(docs): Added documentation for the 'Miscellaneous/Words' directory - ItsIgnacioPortal
  • 📖 feat(docs): Added link descriptions to associated projects and tools in main README - ItsIgnacioPortal
  • 📖 feat(docs): Added warning to CONTRIBUTING.md about uploading data breaches - ItsIgnacioPortal
  • 📖 feat(docs): Improved formatting for 'dsstorewordlist.txt' docs - ItsIgnacioPortal

🪦 Removed content

  • 🪦 chore(wordlist): Removed 'UserPassCombo-Jay.txt' wordlist - ItsIgnacioPortal
  • 🪦 chore(wordlist): Removed duplicate pwdb 'Frequent-Passwords' - ItsIgnacioPortal

🌐 Other changes

  • 🌐 [Github Action] Automated readme update. - github-actions[bot]
  • 🌐 [Github Action] Automated trickest wordlists update. - github-actions[bot]
  • 🌐 [Github Action] Updated combined_directories.txt - github-actions[bot]
  • 🌐 [Github Action] Updated combined_words.txt - github-actions[bot]
  • 🌐 chore(wordlist): Moved 'Dutch_passwordlist.txt' into the 'Common-Credentials/Language-Specific' directory - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved all words wordlists into the same directory (PR #1193) - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved darkweb2017* wordlists into the Common-Credentials directory - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved Dutch-words.txt into /Miscellaneous/Words/ - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved EFF-Dice into /Miscellaneous/Words/ - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved french passwords wordlists into the Language-Specific directory - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved German-words.txt into /Miscellaneous/Words/ - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved moby project files into their own directory - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved Moby-Project into /Miscellaneous/Words/ - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved probable-v2* wordlists into the Common-Credentials directory - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved pwdb passwords wordlists into the Common-Credentials directory - ItsIgnacioPortal
  • 🌐 chore(wordlist): Moved Pwdb-Public Language-Specific wordlists into the Language-Specifics directory - ItsIgnacioPortal
  • 🌐 chore(wordlist): Renamed darkweb files - ItsIgnacioPortal
  • 🌐 chore(wordlist): Renamed probable-v2 files - ItsIgnacioPortal
  • 🌐 chore(wordlist): Renamed pwdb language-specific wordlists - ItsIgnacioPortal
  • 🌐 chore(wordlist): Renamed pwdb password wordlists - ItsIgnacioPortal
  • 🌐 chore(cicd): Temporarily disabled the 'wordlist-validator.yml' workflow - ItsIgnacioPortal
  • 🌐 feat(cicd): Added more workflow_dispatch event triggers - ItsIgnacioPortal

Shout-out to: @MachiavelliII, @CYFARE, @BuildAndDestroy, @righettod, @bl13pbl03p, @zar3bski, and "jvardikar".

🥇 Thank you everyone <3

2025.1

22 Feb 09:24

🎉 The first release of 2025! 🎉
Lead Contributor: @ItsIgnacioPortal

Highlights

This release adds new documentation for many wordlists. Duplicate and obsolete wordlists have been removed, and the following new wordlist has been incorporated into the project:

  • 🌟 2024-200_most_used_passwords.txt

The Discovery/Web-Content/trickest-robots-disallowed-wordlists/top-10000.txt wordlist, which caused problems when cloning the project on Windows, has been fixed. (#397)

The .fuzz suffix has been removed from many more wordlists, improving clarity in the wordlist filenames.

A great number of wordlists have been properly categorized, improving the overall usability of SecLists.

Full Changelog

🌟 New content

  • 🌟 feat(wordlist): Add filepaths for testing Single-page applications. (#1159)
  • 🌟 feat(wordlist): Add IIS default page and image files. (#1158)
  • 🌟 feat(wordlist): Added '2024-200_most_used_passwords.txt' wordlist
  • 🌟 feat(wordlist): Added 'daloradius' to common.txt
  • 🌟 feat(wordlist): Added 'Web-Server' prefix to wordlist filenames
  • 🌟 feat(wordlist): Added missing words in API 'actions' wordlists
  • 🌟 feat(wordlist): Added more endpoints to common.txt
  • 🌟 feat(wordlist): Added more LLM data-leakage payloads
  • 🌟 feat(wordlist): Added more subdomains to 'combined_subdomains.txt'
  • 🌟 feat(wordlist): Added protobuf mimetypes
  • 🌟 feat(wordlist): Expanded the List-Of-Swear-Words "fr-CA-u-sd-caqc.txt" wordlist
  • 🌟 feat(wordlist): Greatly improved "Amounts" wordlists
  • 🌟 feat(wordlist): Update spring-boot.txt to v2.1.7

🛠 Fixes & Improvements

  • 🛠 feat(docs): Improved formatting of the PR template.
  • 🛠 feat(docs): Replace repository details with badges for better visibility.
  • 🛠 fix(cicd): Fixed line-ending normalization on "remote-wordlists-updater.yml"
  • 🛠 fix(wordlist): Fixed bad formatting in raft-* wordlists
  • 🛠 chore(docs): Removed '.fuzz' from multiple wordlist filenames

📖 Documentation

  • 📖 feat(docs): Added documentation for 'AdobeCQ-AEM.txt' wordlist
  • 📖 feat(docs): Added documentation for 'AdobeXML.fuzz.txt' wordlist
  • 📖 feat(docs): Added documentation for 'Apache-Axis.txt' wordlist
  • 📖 feat(docs): Added documentation for 'Apache.fuzz.txt' wordlist
  • 📖 feat(docs): Added documentation for 'ApacheTomcat.fuzz.txt' wordlist
  • 📖 feat(docs): Added documentation for 'CGI-HTTP-POST-Windows.fuzz.txt' wordlist
  • 📖 feat(docs): Added documentation for 'CGI-HTTP-POST.fuzz.txt' wordlist
  • 📖 feat(docs): Added documentation for 'CGI-Microsoft.fuzz.txt' wordlist
  • 📖 feat(docs): Added documentation for 'Frontpage.fuzz.txt' wordlist
  • 📖 feat(docs): Added documentation for 'fully-qualified-java-classes.txt' wordlist
  • 📖 feat(docs): Added documentation for 'IIS-POST.txt'
  • 📖 feat(docs): Added documentation for 'iis-systemweb.txt' wordlist
  • 📖 feat(docs): Added documentation for 'iplanet.txt' wordlist
  • 📖 feat(docs): Added documentation for 'JBoss.txt' wordlist
  • 📖 feat(docs): Added documentation for 'Keycloak-Identity-Access-Management.txt'
  • 📖 feat(docs): Added documentation for 'Microsoft-Forefront-Identity-Manager.txt' wordlist
  • 📖 feat(docs): Added documentation for 'Oracle-EBS-wordlist.txt' wordlist
  • 📖 feat(docs): Added documentation for 'Oracle-WebLogic.txt'
  • 📖 feat(docs): Added documentation for 'raft-*' wordlists
  • 📖 feat(docs): Added documentation for 'reverse-proxy-inconsistencies.txt'
  • 📖 feat(docs): Added documentation for 'Web-Server-Glassfish-Sun-Microsystems.txt' wordlist
  • 📖 feat(docs): Added documentation for the 'graphql.txt' wordlist
  • 📖 feat(docs): Added note about outdated contents for the 'AdobeCQ-AEM.txt' wordlist

🪦 Removed content

  • 🪦 chore(wordlist): Removed 'KitchensinkDirectories.fuzz.txt' wordlist
  • 🪦 chore(wordlist): Removed 'Randomfiles.fuzz.txt' wordlist
  • 🪦 chore(wordlist): Removed 'tests.txt' wordlist
  • 🪦 chore(wordlist): Removed 'Vignette.fuzz.txt' wordlist
  • 🪦 chore(wordlist): Removed BiblePass project
  • 🪦 chore(wordlist): Removed duplicate wordlist '500-worst-passwords.txt'
  • 🪦 chore(wordlist): Removed duplicate wordlist 'without_spaces.txt'
  • 🪦 chore(wordlist): Removed obsolete 'dirsearch.txt' wordlist
  • 🪦 chore(wordlist): Removed obsolete 'IBM Lotus iNotes' wordlist
  • 🪦 chore(wordlist): Removed obsolete hyperion wordlists
  • 🪦 chore(wordlist): Removed obsolete IOCs wordlists
  • 🪦 fix(wordlist): Removed 'FatwireCMS.fuzz.txt' wordlist
  • 🪦 fix(wordlist): Removed 'fnf-fuzz.txt' wordlist
  • 🪦 fix(wordlist): Removed duplicate wordlist 'iplanet.txt'
  • 🪦 fix(wordlist): Removed duplicate wordlist 'jrun.txt'
  • 🪦 fix(wordlist): Removed duplicate wordlist 'sunas.txt'

🌐 Other changes

  • 🌐 chore(wordlist): Moved CGI wordlists into the 'LEGACY-SERVICES/CGIs' directory
  • 🌐 feat(docs): Moved programming-language-specific wordlists into their own directory
  • 🌐 feat(docs): Moved Web-Server wordlists into their own directory
  • 🌐 feat(docs): Removed mis-categorized 'Web-Services' folder
  • 🌐 feat(docs): Renamed 'axis.txt' to 'Apache-Axis.txt'
  • 🌐 feat(docs): Renamed 'SVNDigger' folder to a more descriptive folder name
  • 🌐 fix(cicd): Added automatic clean-up to wordlist updater
  • 🌐 fix(cicd): Fixed crash on "remote-wordlists-updater.yml"
  • 🌐 fix(docs): Added "Ignacio Portal" to the project credits.
  • 🌐 fix(docs): Moved 'AdobeCQ-AEM.txt' into the CMS directory
  • 🌐 fix(docs): Moved 'aem2.txt' into the CMS directory
  • 🌐 fix(docs): Moved 'axis.txt' into the Web-Servers directory
  • 🌐 fix(docs): Moved 'Confluence-Administration.txt' into the Service-Specific directory
  • 🌐 fix(docs): Moved 'forefront-identity-management.txt' into the Service-Specific directory
  • 🌐 fix(docs): Moved 'jboss.txt' into the Web-Servers directory
  • 🌐 fix(docs): Moved 'Jenkins-Hudson.txt' into the Service-Specific directory
  • 🌐 fix(docs): Moved 'nginx.txt' into the Web-Servers directory
  • 🌐 fix(docs): Moved 'Oracle-EBS-wordlist.txt' into the CMS directory
  • 🌐 fix(docs): Moved 'sharepoint-ennumeration.txt' into the CMS directory
  • 🌐 fix(docs): Moved 'spring-boot.txt' into the Programming-Language-Specific directory
  • 🌐 fix(docs): Moved 'swagger.txt' into the Service-Specific directory
  • 🌐 fix(wordlist): Merged duplicate 'Apache Tomcat' wordlists
  • 🌐 fix(wordlist): Merged duplicate Apache wordlists
  • 🌐 fix(wordlist): Merged duplicate Microsoft Frontpage wordlists
  • 🌐 fix(wordlist): Merged duplicate Oracle EBS wordlists
  • 🌐 fix(wordlist): Merged duplicate Sharepoint wordlists
  • 🌐 fix(wordlist): Moved 'HTTP-POST-Microsoft.fuzz.txt' into 'Web-Servers\IIS-POST.txt'
  • 🌐 fix(wordlist): Moved 'pulsesecure.txt' into 'Service-Specific\PulseSecure-VPN.txt'
  • 🌐 fix(wordlist): Moved 'websphere.txt' into 'Service-Specific\IBM-WebSphere-Application-Server.txt'
  • 🌐 fix(wordlist): Moved *200_most_used_passwords to Common-Credentials directory
  • 🌐 fix(wordlist): Removed duplicates from '2024-200_most_used_passwords.txt' wordlist
  • 🌐 fix(wordlist): Removed redundant linejumps from CommonAdminBase64.txt
  • 🌐 fix(wordlist): Renamed '2024-200_most_used_passwords.txt' to '2024-197_most_used_passwords.txt'
  • 🌐 fix(wordlist): Renamed 'hpsmh.txt' to 'HP-System-Management-Homepage.txt'
  • 🌐 fix(wordlist): Renamed 'proxy-conf.fuzz.txt' to 'Proxy-Auto-Configuration-Files.txt'
  • 🌐 fix(wordlist): Renamed 'sap.txt' to 'SAP-NetWeaver.txt'
  • 🌐 fix(wordlist): Renamed wordlist 'Frontpage.fuzz.txt' to 'Microsoft-Frontpage.txt'
  • 🌐 fix(wordlist): Renamed wordlist 'IIS.fuzz.txt' to 'IIS.txt'
  • 🌐 fix(wordlist): Renamed wordlist 'Sharepoint.fuzz.txt' to 'Sharepoint.txt'
  • 🌐 fix(wordlist): Renamed wordlist 'SunAppServerGlassfish.fuzz.txt' to 'Web-Server-Glassfish-Sun-Microsystems.txt'
  • 🌐 fix(wordlist): Revert "Update metadata.txt"
  • 🌐 fix(wordlist): Transformed "local-ports.txt" into "Ports-1-To-65535.txt"

Shout-out to: @curiv, @emmanuelgautier, @goosvorbook, @guillermodotn, @eltociear, @ivan-sincek, @jorelpaddick, @jthack, @NihaoKangkang, @mtremr, @napz99, @ola456, @onurkarasalihoglu, @cosad3s, and @V0idSeek3r

🥇 Thank you everyone <3

2024.4

20 Nov 10:39
4549924

Fourth (and final) release of 2024!
🎉 This release includes multiple updates from the community =)
🥇 Thank you everyone <3

Shout-out to: @Dec0y-jb, @BRAVO68WEB, @ItsIgnacioPortal, @newyork167, @domai-tb, @YouFoundAlpha, @ctflearner, @righettod, @pwnter, @josemlwdf, @StepSisStuck and @napz99

2024.3

12 Aug 19:57
8cdbce8

Third release of 2024!
🎉 This release includes multiple updates from the community =)
🥇 Thank you everyone <3

Shout-out to: @ItsIgnacioPortal, @righettod, @PhHitachi, @freyxfi, @nu11pointer, @7h30th3r0n3, @molangning & @johnjhacking

2024.2

11 Jun 17:01
7f9aaa1

Second release of 2024!
🎉 This release includes multiple updates from the community =)
🥇 Thank you everyone <3

Shout-out to: @molangning, @ashtonhogan, @Sevada797, @emmanuel-londono, @exploide, @emmanuelgautier, @riramar, @ItsIgnacioPortal, @0xjv, @YouFoundAlpha, @danielmiessler, @righettod, @adeadfed, @spaze, @CodeVIP123 & @BrandonW6000

2024.1

16 Feb 15:57
7ab4b6a

First release of 2024!
🎉 This release includes multiple updates from the community =)
🥇 Thank you everyone <3

Shout-out to: @cosad3s, @molangning, @barisbogdan, @righettod, @davidmcduffie001, @legik, @StellarSand, @zerbaliy3v, @jhaddix, @emmanuel-londono, @Ghoreish, @denandz and @ErdemOzgen.

2023.4

23 Nov 18:06
fb5eb5c

Fourth (and final) release of 2023!
🎉 This release includes multiple updates from the community =)
🥇 Thank you everyone <3

Shout-out to: @sonatagreen, @DeveloperOl, @adilnbabras, @nekonugget, @stefanman125, @Souravvvv123, @CountablyInfinite, @ThomasBucaioni, @DmytroKashchuk, @righettod, @ItsIgnacioPortal, @cosad3s, @olizimmermann, @zyairelai and @molangning

2023.3

15 Aug 21:47
7862c86

Third release of 2023!
🎉 This release includes multiple updates from the community =)
🥇 Thank you everyone <3

Shout-out to: @dylleb, @righettod, @tomtastic, @NicolasCARPi, @Xhoenix, @denandz & @cosad3s

2023.2

16 May 09:01
39657bc

Second release of 2023!
🎉 This release includes multiple updates from the community =)
🥇 Thank you everyone <3

Shout-out to: @ItsIgnacioPortal, @ClutchReboot, @ivan-sincek, @strayfade & @righettod