EUVD-2026-20756
GHSA-4685-c5cp-vp95
GHSA-48wf-g7cp-gr3m
GHSA-5f9p-f3w2-fwch
GHSA-6f6j-wx9w-ff4j
GHSA-cfvj-7rx7-fc7c
GHSA-fg3m-vhrr-8gj6
GHSA-gw85-xp4q-5gp9
GHSA-mqr9-vqhq-3jxw
GHSA-q399-23r3-hfx4
GHSA-w2wq-7mq5-mvww
GHSA-wm8r-w8pf-2v6w
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.
Analysis
Remote code execution in Sonatype Nexus Repository 3.22.1-3.90.2 allows authenticated attackers with task creation permissions to execute arbitrary code via unsafe deserialization in the task management component. Exploitation bypasses the nexus.scripts.allowCreation security control, granting unauthorized code execution on the server. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Nexus Repository instances running versions 3.22.1-3.90.2 and document task creation permission assignments. Restrict task creation permissions to essential personnel only and disable if unused. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today