Stored Cross-Site Scripting Vulnerability in Sonatype Nexus Repository
CVE-2025-13488

5.1MEDIUM

Key Information:

Vendor: Sonatype
Status: Nexus Repository
Vendor: CVE Published:; 4 December 2025

What is CVE-2025-13488?

A regression in version 3.83.0 of Sonatype Nexus Repository has resulted in the omission of a crucial security header for certain user-uploaded content. This vulnerability allows an authenticated attacker, who possesses repository upload privileges, to exploit a stored cross-site scripting (XSS) flaw that operates in the context of users. Successful exploitation may compromise user data and lead to further attacks. Users are advised to review the provided resources and apply necessary patches to ensure their repository remains secure.

Affected Version(s)

Nexus Repository 3.83.0 <= 3.86.2

References

https://help.sonatype.com/en/sonatype-nexus-repository-3-...

patch

https://support.sonatype.com/hc/en-us/articles/4689614276...

vendor-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 4, 2025
Vulnerability Reserved
Nov 20, 2025

Credit

Seif Elsallamy / @0x21SAFE

JSON