CVE-2026-0601
Description
A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Nexus Repository 3 allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a crafted link, requiring user interaction.
A reflected cross-site scripting (XSS) vulnerability exists in Sonatype Nexus Repository 3 versions 3.82.0 through 3.87.1 (CE/Pro). The flaw allows an unauthenticated attacker to inject arbitrary JavaScript into a page via a specially crafted request, as the application fails to properly sanitize user input [2].
Exploitation requires user interaction: the victim must visit a malicious page or click a crafted link while authenticated to a vulnerable Nexus Repository instance. The attacker does not need any authentication [2].
If exploited, the attacker can execute arbitrary JavaScript in the victim's browser, potentially performing actions on behalf of the victim. This could lead to privilege escalation (e.g., creating administrative accounts), session hijacking, or unauthorized configuration changes [2].
The vulnerability is fixed in Nexus Repository version 3.88.0, released on January 13, 2026. Users running affected versions should upgrade immediately. No workarounds have been provided [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
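The AI Insight above gives two version facts: the narrative says 3.82.0 through 3.87.1 are affected and 3.88.0 fixes the issue. The following triage helper turns that into a check you can run against the version strings your inventory already holds. It is an added example, not code from Sonatype or from this page's source bundle. The assumption that Nexus 3 reports its version in a `Server: Nexus/<version> (<edition>)` response header is mine; verify it against your own instance before relying on it, and treat versions older than 3.82.0 as needing review rather than safe, since the "Affected products" range on this page is simply <3.88.0.

```python
import re
from typing import Dict, Tuple

# Boundaries as stated on this page: 3.82.0 through 3.87.1 affected, fixed in 3.88.0.
FIRST_AFFECTED: Tuple[int, int, int] = (3, 82, 0)
FIXED_IN: Tuple[int, int, int] = (3, 88, 0)

# Bare "3.87.1" or the build-suffixed "3.87.1-01" form; the build number is irrelevant here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-\d+)?$")


def parse_nexus_version(text: str) -> Tuple[int, int, int]:
    """Return the (major, minor, patch) triple of a Nexus 3 version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Nexus version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def classify(version: str) -> str:
    """Classify one version against the CVE-2026-0601 ranges given on this page."""
    v = parse_nexus_version(version)
    if v[0] != 3:
        return "not-nexus-3"        # Nexus 2 / other majors are outside this advisory
    if v >= FIXED_IN:
        return "fixed"              # 3.88.0 and later
    if v >= FIRST_AFFECTED:
        return "affected"           # 3.82.0 .. 3.87.1 per the narrative
    # Older than 3.82.0: not named as vulnerable in the narrative, but the page's
    # product range is "<3.88.0", so do not mark these safe without checking.
    return "below-stated-range"


def classify_server_header(header: str) -> str:
    """Classify from a Server header such as 'Nexus/3.87.1-01 (PRO)'.

    ASSUMPTION: that Nexus 3 exposes its version in this header format; this is
    not stated on the page. Confirm against a real instance before relying on it.
    """
    m = re.search(r"Nexus/(\S+)", header)
    if not m:
        raise ValueError(f"no Nexus version in header: {header!r}")
    return classify(m.group(1))


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a status; unparsable headers are reported, not dropped."""
    result: Dict[str, str] = {}
    for host, header in hosts.items():
        try:
            result[host] = classify_server_header(header)
        except ValueError as exc:
            result[host] = f"unknown ({exc})"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and headers are made up for illustration).
    sample = {
        "nexus-prod.example.test": "Nexus/3.87.1-01 (PRO)",
        "nexus-dev.example.test": "Nexus/3.88.0-01 (COMMUNITY)",
        "nexus-legacy.example.test": "Nexus/3.70.1-02 (OSS)",
        "artifacts.example.test": "nginx/1.25.3",
    }
    for host, status in triage(sample).items():
        print(f"{host:28} {status}")
```

Tuple comparison does the ordering, so 3.87.1 sorts below 3.88.0 as intended and a pre-release build suffix never changes the answer. Feed `triage` whatever version source you trust most; the Server header is only the cheapest one to collect.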
Affected products
- Range: <3.88.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.