Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.1
Sonatype Nexus Repository allows JavaScript execution in browser
CVE-2026-3438
Summary
Unauthenticated attackers can run malicious code in your browser if you visit a specially crafted URL. This can happen if you use Sonatype Nexus Repository versions 3.0.0 through 3.90.2. Update to a fixed version to prevent this risk.
Original title
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a vi...
Original description
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction.
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 8 Apr 2026 · Updated: 10 Apr 2026 · First seen: 8 Apr 2026