PT-2026-39723 · Sonatype · Nexus Repository

Ky0Tofu

·

Published

2026-05-11

·

Updated

2026-05-11

·

CVE-2026-7308

CVSS v4.0

5.1

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions Sonatype Nexus Repository versions 3.6.0 through 3.91.0
Description An authenticated user with upload permissions to a hosted repository can store content that triggers arbitrary JavaScript execution in the browser of any user viewing that repository directory through the HTML index page. This allows an attacker to perform actions within the context of the victim's session.
Recommendations Update to version 3.92.0 or later.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-7308

Affected Products

Nexus Repository