Nexus Repository Manager OSS/Pro
by Sonatype
CVEs (34)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-5306 | Med | 0.40 | 6.1 | 0.01 | Feb 9, 2018 | Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../inde… | ||
| CVE-2021-37152 | Med | 0.37 | 5.4 | 0.24 | Aug 10, 2021 | Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 before 3.33.0. An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager’s pages with code modifications. | ||
| CVE-2021-30635 | Med | 0.35 | 5.3 | 0.02 | Apr 27, 2021 | Sonatype Nexus Repository Manager 3.x before 3.30.1 allows a remote attacker to get a list of files and directories that exist in a UI-related folder via directory traversal (no customer-specific data is exposed). | ||
| CVE-2020-15869 | Med | 0.35 | 5.4 | 0.01 | Jul 31, 2020 | Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 1 of 2). | ||
| CVE-2019-14469 | Med | 0.35 | 5.4 | 0.01 | Aug 22, 2019 | In Nexus Repository Manager before 3.18.0, users with elevated privileges can create stored XSS. | ||
| CVE-2021-29158 | Med | 0.32 | 4.9 | 0.01 | Apr 23, 2021 | Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control. | ||
| CVE-2020-11415 | Med | 0.32 | 4.9 | 0.01 | Apr 27, 2020 | An issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.17 and 3.x before 3.22.1. Admin users can retrieve the LDAP server system username/password (as configured in nxrm) in cleartext. | ||
| CVE-2018-12100 | Med | 0.31 | 4.8 | 0.01 | Jun 11, 2018 | Sonatype Nexus Repository Manager versions 3.x before 3.12.0 has XSS in multiple areas in the Administration UI. | ||
| CVE-2022-27907 | Med | 0.28 | 4.3 | 0.01 | Mar 30, 2022 | Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF. | ||
| CVE-2021-43961 | Med | 0.28 | 4.3 | 0.01 | Mar 17, 2022 | Sonatype Nexus Repository Manager 3.36.0 allows HTML Injection. | ||
| CVE-2021-43293 | Med | 0.28 | 4.3 | 0.01 | Nov 4, 2021 | Sonatype Nexus Repository Manager 3.x before 3.36.0 allows a remote authenticated attacker to potentially perform network enumeration via Server Side Request Forgery (SSRF). | ||
| CVE-2021-42568 | Med | 0.28 | 4.3 | 0.00 | Nov 2, 2021 | Sonatype Nexus Repository Manager 3.x through 3.35.0 allows attackers to access the SSL Certificates Loading function via a low-privileged account. | ||
| CVE-2021-34553 | Med | 0.28 | 4.3 | 0.04 | Jun 18, 2021 | Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a remote authenticated attacker to get a list of blob files and read the content of a blob file (via a GET request) without having been granted access. | ||
| CVE-2026-10741 | 0.00 | — | 0.00 | Jun 17, 2026 | Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials. |
- risk 0.40cvss 6.1epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../inde…
- risk 0.37cvss 5.4epss 0.24
Multiple XSS issues exist in Sonatype Nexus Repository Manager 3 before 3.33.0. An authenticated attacker with the ability to add HTML files to a repository could redirect users to Nexus Repository Manager’s pages with code modifications.
- risk 0.35cvss 5.3epss 0.02
Sonatype Nexus Repository Manager 3.x before 3.30.1 allows a remote attacker to get a list of files and directories that exist in a UI-related folder via directory traversal (no customer-specific data is exposed).
- risk 0.35cvss 5.4epss 0.01
Sonatype Nexus Repository Manager OSS/Pro versions before 3.25.1 allow XSS (issue 1 of 2).
- risk 0.35cvss 5.4epss 0.01
In Nexus Repository Manager before 3.18.0, users with elevated privileges can create stored XSS.
- risk 0.32cvss 4.9epss 0.01
Sonatype Nexus Repository Manager 3 Pro up to and including 3.30.0 has Incorrect Access Control.
- risk 0.32cvss 4.9epss 0.01
An issue was discovered in Sonatype Nexus Repository Manager 2.x before 2.14.17 and 3.x before 3.22.1. Admin users can retrieve the LDAP server system username/password (as configured in nxrm) in cleartext.
- risk 0.31cvss 4.8epss 0.01
Sonatype Nexus Repository Manager versions 3.x before 3.12.0 has XSS in multiple areas in the Administration UI.
- risk 0.28cvss 4.3epss 0.01
Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF.
- risk 0.28cvss 4.3epss 0.01
Sonatype Nexus Repository Manager 3.36.0 allows HTML Injection.
- risk 0.28cvss 4.3epss 0.01
Sonatype Nexus Repository Manager 3.x before 3.36.0 allows a remote authenticated attacker to potentially perform network enumeration via Server Side Request Forgery (SSRF).
- risk 0.28cvss 4.3epss 0.00
Sonatype Nexus Repository Manager 3.x through 3.35.0 allows attackers to access the SSL Certificates Loading function via a low-privileged account.
- risk 0.28cvss 4.3epss 0.04
Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a remote authenticated attacker to get a list of blob files and read the content of a blob file (via a GET request) without having been granted access.
- CVE-2026-10741Jun 17, 2026risk 0.00cvss —epss 0.00
Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials.
Page 2 of 2