CVE-2026-7308
Description
An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page in Sonatype Nexus Repository versions 3.6.0 up to, but not including, 3.92.0. This could allow the attacker to perform actions in the context of the victim's session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Sonatype Nexus Repository lets authenticated users with upload permissions inject arbitrary JavaScript into HTML index pages.
Vulnerability
Overview
CVE-2026-7308 is a stored cross-site scripting (XSS) vulnerability affecting Sonatype Nexus Repository versions 3.6.0 through all versions prior to 3.92.0. An authenticated user who has upload permission to a hosted repository can store crafted content that, when any user browses that repository's directory via the HTML index page, causes arbitrary JavaScript to execute in the victim's browser [1].
Exploitation
Requirements
Exploitation requires the attacker to have a valid account with upload privileges to a hosted repository. The attack does not require any additional user interaction beyond the victim simply browsing to the affected repository directory using the HTML index page. The injected script executes in the context of the victim's session on the same origin [1].
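The following is an added illustration of the bug class described above, written for this page; it is not Sonatype's code and does not reproduce the actual Nexus index renderer. The advisory does not say which stored field was rendered unescaped, so the example assumes the entry name. It shows a directory index generator that interpolates stored names straight into HTML beside a hardened version that encodes each value for the context it lands in (link text versus the href attribute), plus a small triage helper for spotting stored names that carry HTML metacharacters. The sample entries are constructed.

```python
import html
from urllib.parse import quote

# Constructed sample directory listing, not data from the advisory. The second
# entry is the attacker-controlled payload an uploader could store. The advisory
# does not say which stored field Nexus rendered unescaped; this example assumes
# the entry name, the usual culprit in generated directory index pages.
SAMPLE_ENTRIES = [
    "com/",
    "<img src=x onerror=alert(document.cookie)>.jar",
    "README.md",
]

HTML_META = set("<>\"'&")


def render_index_vulnerable(path: str, entries: list[str]) -> str:
    """Directory listing that interpolates stored names straight into HTML.

    Illustrates the bug class in the advisory; it is not Nexus's own code.
    Any name containing markup becomes live DOM for every viewer of the page.
    """
    rows = "".join(f'<tr><td><a href="{name}">{name}</a></td></tr>' for name in entries)
    return f"<html><body><h1>Index of {path}</h1><table>{rows}</table></body></html>"


def render_index_hardened(path: str, entries: list[str]) -> str:
    """Same listing with every stored value encoded for the context it lands in.

    - link text: HTML-escaped, so '<' can never open a tag
    - href attribute: percent-encoded as a relative path, which also neutralises
      a 'javascript:' scheme (the ':' becomes %3A), then HTML-escaped for the
      attribute value. HTML escaping alone would leave javascript: URLs clickable.
    """
    rows = "".join(
        '<tr><td><a href="{href}">{text}</a></td></tr>'.format(
            href=html.escape(quote(name, safe="/"), quote=True),
            text=html.escape(name, quote=True),
        )
        for name in entries
    )
    return (
        f"<html><body><h1>Index of {html.escape(path, quote=True)}</h1>"
        f"<table>{rows}</table></body></html>"
    )


def suspicious_entries(entries: list[str]) -> list[str]:
    """Flag stored names containing HTML metacharacters.

    Handy for triaging the contents of an existing hosted repository (for example
    a listing pulled from the Nexus REST API) before and after upgrading:
    legitimate Maven, npm or PyPI coordinates never need these characters.
    """
    return [name for name in entries if HTML_META & set(name)]


if __name__ == "__main__":
    print(render_index_vulnerable("/repository/demo/", SAMPLE_ENTRIES))
    print(render_index_hardened("/repository/demo/", SAMPLE_ENTRIES))
    print(suspicious_entries(SAMPLE_ENTRIES))
```

The point of the two encodings in the hardened renderer is that HTML escaping is context-specific: it stops the payload from becoming markup, but an entry named `javascript:alert(1)` would still be a working link if the name were dropped into `href` verbatim, which is why the href is percent-encoded as a relative path first.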
Impact
Successful exploitation allows the attacker to perform arbitrary actions in the context of the victim's authenticated session. This could include modifying repository contents, accessing sensitive data, or performing administrative actions if the victim has sufficient permissions [1].
Mitigation
Sonatype has addressed this vulnerability in version 3.92.0, released on May 7, 2026. Users are strongly advised to upgrade to version 3.92.0 or later. The vendor's release notes do not indicate any workarounds for unpatched versions [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=3.6.0, <3.92.0
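A small version-range check for the range above, added here as an example and not taken from Sonatype or this page. It parses Nexus Repository version strings, which carry a build qualifier such as `3.70.1-02`, compares them numerically (a plain string comparison would wrongly put `3.9.0` after `3.92.0`), and extracts the version from a `Server` response header. The header format `Nexus/<version> (OSS)` is an assumption for illustration; confirm it against your own deployment before relying on it.

```python
import re
from typing import Optional

# Affected range stated in the advisory: >=3.6.0, <3.92.0
AFFECTED_MIN = (3, 6, 0)
FIXED_IN = (3, 92, 0)

# Nexus Repository version strings carry a build qualifier, e.g. '3.70.1-02';
# only the numeric triple matters for the range check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-\d+)?$")

# Assumed header format for illustration only: the Server response header as
# sent by a Nexus instance, e.g. 'Nexus/3.70.1-02 (OSS)'. Verify on your deployment.
_SERVER_HEADER_RE = re.compile(r"Nexus/(\d+\.\d+\.\d+(?:-\d+)?)")

SAMPLE_SERVER_HEADER = "Nexus/3.70.1-02 (OSS)"  # constructed sample value


def parse_nexus_version(version: str) -> tuple[int, int, int]:
    """Return (major, minor, patch), dropping any '-NN' build qualifier."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Nexus version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> bool:
    """True when the version lies in [3.6.0, 3.92.0).

    Tuple comparison is deliberate: comparing the raw strings would rank
    '3.9.0' above '3.92.0' and report a vulnerable instance as fixed.
    """
    return AFFECTED_MIN <= parse_nexus_version(version) < FIXED_IN


def version_from_server_header(header: str) -> Optional[str]:
    """Pull the version out of a Server header, or None if it is not a Nexus header."""
    m = _SERVER_HEADER_RE.search(header)
    return m.group(1) if m else None


if __name__ == "__main__":
    found = version_from_server_header(SAMPLE_SERVER_HEADER)
    print(found, "affected" if found and is_affected(found) else "not affected")
```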
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.