CVE-2025-13488 MEDIUM

CVE-2025-13488: Nexus Repository 3 - Stored Cross-Site Scripting (XSS)

Vendor Sonatype
Product Nexus Repository
Weakness CWE-79 · XSS
Published December 4, 2025
Last update December 4, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user context.

Key dates

02Disclosure timeline

December 4, 2025 CVE published
December 4, 2025 Record updated

Related vulnerabilities

04Related CVE