Cross-site scripting in Nexus Repository Manager - CVE-2026-7308

 

Cross-site scripting in Nexus Repository Manager - CVE-2026-7308

Published: May 12, 2026


Vulnerability identifier: #VU131132
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-7308
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sonatype Inc.
Affected software:
Nexus Repository Manager

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of another user and perform actions in the context of the victim's session.

The vulnerability exists due to stored cross-site scripting in the HTML index page for hosted repository directory browsing when rendering uploaded content. A remote user can upload crafted content to a hosted repository to execute arbitrary JavaScript in the browser of another user and perform actions in the context of the victim's session.

User interaction is required, as a separate user must browse the repository contents via the built-in HTML index page.


How to mitigate CVE-2026-7308

Install security update from vendor's website.

Sources