CVE-2026-3438 MEDIUM

CVE-2026-3438: Nexus Repository 3 - Reflected Cross-Site Scripting (XSS) in ?describe Pages

Vendor Sonatype

Product Nexus Repository

Weakness CWE-79 · XSS

Published April 8, 2026

Last update April 9, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

What the vulnerability does

01Description

A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction.

Key dates

02Disclosure timeline

April 8, 2026 CVE published

April 9, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3438

Related vulnerabilities

04Related CVE

CVE-2025-49304 WordPress Search with Typesense plugin <= 2.0.10 - Cross Site Scripting (XSS) Vulnerability CVE-2026-31906 Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog Parameters CVE-2026-5217 Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter CVE-2026-7596 nextlevelbuilder ui-ux-pro-max-skill Slide Generator generate-slide.py data.get cross site scripting CVE-2023-41728 WordPress Rescue Shortcodes Plugin <= 2.5 is vulnerable to Cross Site Scripting (XSS)