Cross-Site Scripting Vulnerability in Sonatype Nexus Repository
CVE-2026-7308

5.1MEDIUM

Key Information:

Vendor: Sonatype
Status: Nexus Repository
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-7308?

An authenticated user with upload privileges on a hosted repository in Sonatype Nexus Repository can exploit a vulnerability that allows them to store malicious content. This malicious content can execute arbitrary JavaScript in the web browser of any user accessing the affected repository directory through the HTML index page. The vulnerability affects versions from 3.6.0 to just before 3.92.0, potentially allowing an attacker to perform actions within the session context of the victim, leading to sensitive data exposure or account compromise.

Affected Version(s)

Nexus Repository 3.6.0 < 3.92.0

References

https://help.sonatype.com/en/sonatype-nexus-repository-3-...

patch

https://support.sonatype.com/hc/en-us/articles/5159206598...

vendor-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Apr 28, 2026

Credit

Ky0toFu

CVE-2026-7308 Data

JSON