Unauthorized Command Execution in Sonatype Nexus Repository by Authenticated Users
CVE-2026-10748

8.6HIGH

Key Information:

Vendor: Sonatype
Status: Nexus Repository
Vendor: CVE Published:; 16 June 2026

What is CVE-2026-10748?

Sonatype Nexus Repository 3 versions prior to 3.92.0 possess a security vulnerability that enables an authenticated user with the nx-licensing-create permission to upload a maliciously crafted license file. This file can trigger the execution of arbitrary operating system commands under the context of the Nexus process user, potentially compromising the system’s integrity and security. Organizations using affected versions should prioritize upgrading to patch this vulnerability to mitigate risks.

Affected Version(s)

Nexus Repository 3.0.0 < 3.92.0

References

https://help.sonatype.com/en/sonatype-nexus-repository-3-...

patch

https://support.sonatype.com/hc/en-us/articles/5233576603...

vendor-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2026
Vulnerability Reserved
Jun 3, 2026

Credit

Rahul Maini with Hacktron AI

CVE-2026-10748 Data

JSON