Cross Package Metadata Injection in NuGet Gallery by Microsoft
CVE-2026-39399

9.6 CRITICAL

Key Information:

Vendor

NuGet

CVE Published:
14 April 2026

What is CVE-2026-39399?

A security flaw in the NuGet Gallery backend allows an attacker to submit a NuGet package whose .nuspec file carries specially crafted, malicious metadata and thereby perform cross package metadata injection. The root cause is inadequate input validation: a URI fragment injected through an unsanitized package identifier gives the attacker control over blob paths within the storage container, which can lead to arbitrary blob writes and potentially to remote code execution. Because the blob path is attacker-controlled, existing content in the container beyond .nupkg files can be tampered with. The issue has been addressed in recent patches.

Affected Version(s)

NuGetGallery < 0e80f87628349207cdcaf55358491f8a6f1ca276

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved