CVE-2026-7308 MEDIUM

CVE-2026-7308: Nexus Repository 3 - Stored Cross-Site Scripting (XSS) via HTML Browse Page

Vendor Sonatype

Product Nexus Repository

Weakness CWE-79 · XSS

Published May 11, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page in Sonatype Nexus Repository versions 3.6.0 through versions before 3.92.0. This could allow the attacker to perform actions in the context of the victim's session.

Key dates

02Disclosure timeline

May 11, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-7308

Related vulnerabilities

CVE-2026-7308: Nexus Repository 3 - Stored Cross-Site Scripting (XSS) via HTML Browse Page

01Description

02Disclosure timeline

03References

04Related CVE