Sonatype · Sonatype Nexus Repository · CVE-2026-3199
**Name of the Vulnerable Software and Affected Versions**
Sonatype Nexus Repository versions 3.22.1 through 3.90.2
**Description**
A flaw in the task management component allows an authenticated attacker with task creation permissions to execute arbitrary code. This is achieved through task property injection, which bypasses the `nexus.scripts.allowCreation` security control.
**Recommendations**
Update to a version later than 3.90.2.
As a temporary mitigation, restrict task creation permissions to trusted users only.