PT-2026-32962 · Microsoft · NuGet Gallery

Chabiss · Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-39399

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions: NuGet Gallery (affected versions not specified)

Description: A flaw exists in the NuGetGallery backend job in the handling of .nuspec files within NuGet packages. Due to insufficient input validation, an attacker can supply a crafted .nuspec file containing malicious metadata. Because package identifiers are not sanitized, this leads to cross-package metadata injection via URI fragment injection, allowing the attacker to control the resolved blob path. Consequently, this can result in remote code execution (RCE) and arbitrary blob writes within the storage container, enabling tampering with existing content beyond .nupkg files.

Recommendations: Apply the fix provided in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.
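The root cause described above is a package identifier taken from package metadata and used, unsanitized, to build a storage path. The check a maintainer would want is shown below as an added example; it is not NuGetGallery code and not the referenced fix. It layers three defences: a syntactic allowlist for the identifier (the regex, the 100-character limit and the version pattern are this example's assumptions modelled on NuGet's documented identifier rules), a structural check that embedding the identifier in a URI cannot introduce a path, query or fragment component, and a final containment check that the normalized blob path still lies under the container root. The container layout and the sample identifiers are constructed for the example.

```python
"""Defensive resolution of a storage blob path from NuGet-style package
metadata. Added example; not NuGetGallery code and not the upstream fix."""
import posixpath
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist, modelled on NuGet's documented package-ID rules:
# leading letter or digit, then letters, digits, '.', '_' or '-', max 100 chars.
PACKAGE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")
# Assumed allowlist for a package version string such as "1.2.0-beta.1+meta".
VERSION_RE = re.compile(r"^[0-9][0-9A-Za-z.+-]{0,63}$")

# Hypothetical container layout used by this example:
#   <CONTAINER_ROOT>/<id>/<version>/<id>.<version>.nupkg
CONTAINER_ROOT = "packages"


def is_valid_package_id(package_id: str) -> bool:
    """Syntactic allowlist: '#', '?', '/', '\\', '%' and leading '.' are all
    rejected, so URI fragments, queries and traversal segments cannot occur."""
    return PACKAGE_ID_RE.match(package_id) is not None


def preserves_uri_structure(package_id: str) -> bool:
    """Structural check: embedding the identifier in a URI must not change
    the URI's path or introduce a query or fragment (the fragment-injection
    failure mode). Kept independent of the regex as a second line of defence."""
    probe = urlsplit("https://example.invalid/" + package_id)
    return (
        probe.path == "/" + package_id
        and probe.query == ""
        and probe.fragment == ""
    )


def resolve_blob_path(package_id: str, version: str) -> str:
    """Build the blob path for a package and refuse any path that escapes
    the container root. Raises ValueError on rejection."""
    if not is_valid_package_id(package_id):
        raise ValueError(f"rejected package identifier: {package_id!r}")
    if not preserves_uri_structure(package_id):
        raise ValueError(f"identifier alters URI structure: {package_id!r}")
    if VERSION_RE.match(version) is None:
        raise ValueError(f"rejected version: {version!r}")

    pkg_id = package_id.lower()
    ver = version.lower()
    candidate = posixpath.normpath(
        posixpath.join(CONTAINER_ROOT, pkg_id, ver, f"{pkg_id}.{ver}.nupkg")
    )
    # Containment check on the normalized result: even if the earlier checks
    # were weakened, nothing outside the container root may be addressed.
    if not candidate.startswith(CONTAINER_ROOT + "/"):
        raise ValueError(f"resolved path escapes container: {candidate!r}")
    return candidate


def safe_resolve(package_id: str, version: str) -> Optional[str]:
    """Convenience wrapper: the blob path, or None if the input was rejected."""
    try:
        return resolve_blob_path(package_id, version)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample metadata values; none refer to a real package.
    samples = [
        ("Contoso.Widgets", "1.2.0"),
        ("Contoso.Widgets", "1.2.0-beta.1+build"),
        ("Contoso.Widgets#fragment", "1.0.0"),
        ("Contoso?alt=1", "1.0.0"),
        ("../Contoso", "1.0.0"),
        ("Contoso/Other", "1.0.0"),
    ]
    for pid, ver in samples:
        result = safe_resolve(pid, ver)
        print(f"{pid!r:32} {ver!r:22} -> {result or 'REJECTED'}")
```

The allowlist alone would stop the fragment case, but the structural and containment checks are what make the job robust if the identifier format is later relaxed: a path is only handed to the storage client after normalization proves it still starts with the container root.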

Fix · RCE · Path traversal

Weakness Enumeration:

Related Identifiers: CVE-2026-39399

Affected Products: NuGet Gallery