Skip to main content

Sonatype Nexus Repository EUVDEUVD-2026-20757

| CVE-2026-3438 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 103e4ec9-0a87-450b-af77-479448ddef11 GHSA-mx59-6f7x-f5f2
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.91.0
EUVD ID Assigned
Apr 08, 2026 - 23:24 euvd
EUVD-2026-20757
Analysis Generated
Apr 08, 2026 - 23:24 vuln.today
CVE Published
Apr 08, 2026 - 23:16 nvd
MEDIUM 5.1

DescriptionCVE.org

A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction.

AnalysisAI

Reflected cross-site scripting in Sonatype Nexus Repository 3.0.0 through 3.90.2 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a specially crafted URL, requiring user interaction to trigger the attack. With a CVSS 4.0 score of 5.1 and limited technical impact (session integrity only), this vulnerability poses a moderate risk to organizations using affected versions; no public exploit code or active exploitation has been identified.

Technical ContextAI

The vulnerability is a reflected XSS flaw (CWE-79) in Nexus Repository's input handling. Reflected XSS occurs when user-supplied input is not properly sanitized before being returned in HTTP responses, allowing an attacker to inject malicious scripts that execute in the context of a victim's browser session. The vulnerability affects the Nexus Repository product line across versions 3.0.0 through 3.90.2, as confirmed by EUVD data. The attack vector is network-based with low attack complexity, and while it requires user interaction (UI:A per CVSS 4.0 vector), no authentication is needed (PR:N), making it broadly accessible to unauthenticated threat actors who can craft and distribute malicious URLs.

RemediationAI

Upgrade Sonatype Nexus Repository to version 3.91.0 or later, which addresses this reflected XSS vulnerability. Refer to the official Sonatype Nexus Repository 3.91.0 release notes (https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html) and support article (https://support.sonatype.com/hc/en-us/articles/50609137161363) for upgrade procedures and additional security details. Until patching is possible, limit access to Nexus Repository to trusted networks and educate users to avoid clicking on untrusted links pointing to Nexus instances, though this provides only partial risk reduction for a reflected XSS vulnerability.

Share

EUVD-2026-20757 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy