Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction.
AnalysisAI
Reflected cross-site scripting in Sonatype Nexus Repository 3.0.0 through 3.90.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a specially crafted URL, requiring user interaction to trigger the attack. With a CVSS 4.0 score of 5.1 and limited technical impact (session integrity only), this vulnerability poses a moderate risk to organizations using affected versions; no public exploit code or active exploitation has been identified.
Technical ContextAI
The vulnerability is a reflected XSS flaw (CWE-79) in Nexus Repository's input handling. Reflected XSS occurs when user-supplied input is not properly sanitized before being returned in HTTP responses, allowing an attacker to inject malicious scripts that execute in the context of a victim's browser session. The vulnerability affects the Nexus Repository product line across versions 3.0.0 through 3.90.2, as confirmed by EUVD data. The attack vector is network-based with low attack complexity, and while it requires user interaction (UI:A per CVSS 4.0 vector), no authentication is needed (PR:N), making it broadly accessible to unauthenticated threat actors who can craft and distribute malicious URLs.
RemediationAI
Upgrade Sonatype Nexus Repository to version 3.91.0 or later, which addresses this reflected XSS vulnerability. Refer to the official Sonatype Nexus Repository 3.91.0 release notes (https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html) and support article (https://support.sonatype.com/hc/en-us/articles/50609137161363) for upgrade procedures and additional security details. Until patching is possible, limit access to Nexus Repository to trusted networks and educate users to avoid clicking on untrusted links pointing to Nexus instances, though this provides only partial risk reduction for a reflected XSS vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20757
GHSA-mx59-6f7x-f5f2