VYPR

Vendor: Sonatype
Products: 4
CVEs: 55 (67 across products)
Status: Private

Recent CVEs (55)
  • CVE-2017-17717 | Critical | Dec 17, 2017 | risk 0.64 | CVSS 9.8 | EPSS 0.01
    Sonatype Nexus Repository Manager through 2.14.5 has weak password encryption with a hardcoded CMMDwoV value in the LDAP integration feature.

  • CVE-2026-3199 | Critical | Apr 8, 2026 | risk 0.61 | CVSS not listed | EPSS 0.00
    A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.

  • CVE-2026-5189 | Critical | Apr 15, 2026 | risk 0.60 | CVSS not listed | EPSS 0.00
    CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process…

  • CVE-2024-4956 | High | May 16, 2024 | risk 0.59 | CVSS 7.5 | EPSS 0.18
    Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.

  • CVE-2026-3329 | High | Jun 11, 2026 | risk 0.57 | CVSS not listed | EPSS 0.01
    A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.

  • CVE-2025-9868 | High | Oct 8, 2025 | risk 0.57 | CVSS not listed | EPSS 0.00
    Server-Side Request Forgery (SSRF) in the Remote Browser Plugin in Sonatype Nexus Repository 2.x up to and including 2.15.2 allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests.

  • CVE-2026-10748 | High | Jun 16, 2026 | risk 0.56 | CVSS not listed | EPSS 0.00
    An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0.

  • CVE-2014-9885 | High | Aug 6, 2016 | risk 0.51 | CVSS 7.8 | EPSS 0.00
    Format string vulnerability in drivers/thermal/qpnp-adc-tm.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices allows attackers to gain privileges via a crafted application that provides format string specifiers in a name, aka Android internal bug…
    This entry describes an Android kernel bug on Google Nexus 5 devices, not a Sonatype product.

  • CVE-2014-9877 | High | Aug 6, 2016 | risk 0.51 | CVSS 7.8 | EPSS 0.00
    drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices mishandles a user-space pointer, which allows attackers to gain privileges via a crafted application, aka Android internal…
    This entry describes an Android kernel bug on Google Nexus 5 and Nexus 7 (2013) devices, not a Sonatype product.

  • CVE-2024-5082 | High | Nov 14, 2024 | risk 0.47 | CVSS not listed | EPSS 0.02
    A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2. This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.

  • CVE-2026-0600 | Medium | Jan 14, 2026 | risk 0.40 | CVSS not listed | EPSS 0.00
    Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services…

  • CVE-2018-5307 | Medium | Feb 9, 2018 | risk 0.40 | CVSS 6.1 | EPSS 0.01
    Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 2.x before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../i…

  • CVE-2018-5306 | Medium | Feb 9, 2018 | risk 0.40 | CVSS 6.1 | EPSS 0.01
    Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus Repository Manager (aka NXRM) 3.x before 3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the repoId or (2) format parameter to service/siesta/healthcheck/healthCheckFileDetail/.../inde…

  • CVE-2024-1142 | Medium | Mar 21, 2024 | risk 0.35 | CVSS 5.4 | EPSS 0.01
    Path Traversal in Sonatype IQ Server from version 143 allows remote authenticated attackers to overwrite or delete files via a specially crafted request. Version 171 fixes this issue.

  • CVE-2026-7308 | Medium | May 11, 2026 | risk 0.33 | CVSS not listed | EPSS 0.00
    An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page in Sonatype Nexus Repository versions 3.6.0 through versions…

  • CVE-2026-3048 | Medium | May 11, 2026 | risk 0.33 | CVSS not listed | EPSS 0.00
    An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections when interacting with a malicious LDAP server.

  • CVE-2026-3438 | Medium | Apr 8, 2026 | risk 0.33 | CVSS not listed | EPSS 0.00
    A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user…

  • CVE-2026-0601 | Medium | Jan 14, 2026 | risk 0.33 | CVSS not listed | EPSS 0.00
    A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction.

  • CVE-2024-5083 | Medium | Nov 14, 2024 | risk 0.33 | CVSS not listed | EPSS 0.00
    A stored Cross-site Scripting vulnerability has been discovered in Sonatype Nexus Repository 2. This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1.

  • CVE-2018-12100 | Medium | Jun 11, 2018 | risk 0.31 | CVSS 4.8 | EPSS 0.01
    Sonatype Nexus Repository Manager versions 3.x before 3.12.0 has XSS in multiple areas in the Administration UI.
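Most of the entries above state an affected version range but nothing else a defender can act on, and Nexus version strings carry a build suffix ("3.90.2-01") that breaks naive string comparison. The following is an added example, not Sonatype's or VYPR's code: it encodes only the ranges that appear in full on this page (entries whose range is truncated or missing, CVE-2026-3329, CVE-2026-0601 and CVE-2026-7308, are deliberately omitted) and reports which of them cover an installed version. The lower bounds "2" and "3" for Nexus Repository 2 and 3 are inferred from the product major named in each entry; IQ Server versions are treated as the bare release numbers the page uses ("143", "171").

```python
"""Match an installed Sonatype version against the advisory ranges on this page.

Added example; the ranges are transcribed from the CVE summaries above,
not from a Sonatype data feed.  Missing or truncated ranges are left out
rather than guessed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.90.2-01' -> (3, 90, 2).  The '-NN' build suffix is ignored and
    short versions are zero-padded, so '3.8' compares equal to '3.8.0'."""
    core = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str             # "nxrm" (Nexus Repository 2/3) or "iq" (IQ Server)
    first: str               # inclusive lower bound ("3" = any 3.x)
    last: Optional[str]      # inclusive upper bound ("through 3.90.2")
    fixed: Optional[str]     # exclusive upper bound ("before 3.92.0" / "fixed in 3.68.1")


ADVISORIES: List[Advisory] = [
    Advisory("CVE-2017-17717", "nxrm", "2", "2.14.5", None),
    Advisory("CVE-2025-9868",  "nxrm", "2", "2.15.2", None),
    Advisory("CVE-2024-5082",  "nxrm", "2", "2.15.1", None),
    Advisory("CVE-2024-5083",  "nxrm", "2", "2.15.1", None),
    Advisory("CVE-2018-5307",  "nxrm", "2", None, "2.14.6"),
    Advisory("CVE-2018-5306",  "nxrm", "3", None, "3.8"),
    Advisory("CVE-2018-12100", "nxrm", "3", None, "3.12.0"),
    Advisory("CVE-2024-4956",  "nxrm", "3", None, "3.68.1"),
    Advisory("CVE-2026-10748", "nxrm", "3", None, "3.92.0"),
    Advisory("CVE-2026-5189",  "nxrm", "3.0.0", "3.70.5", None),
    Advisory("CVE-2026-3199",  "nxrm", "3.22.1", "3.90.2", None),
    Advisory("CVE-2026-3438",  "nxrm", "3.0.0", "3.90.2", None),
    Advisory("CVE-2026-3048",  "nxrm", "3.0.0", "3.91.1", None),
    # "3.0.0 and later": the page lists no upper bound, so every 3.x matches.
    Advisory("CVE-2026-0600",  "nxrm", "3.0.0", None, None),
    Advisory("CVE-2024-1142",  "iq", "143", None, "171"),
]


def affected_by(product: str, installed: str) -> List[str]:
    """Return the CVE IDs whose recorded range covers `installed`."""
    v = parse_version(installed)
    hits = []
    for adv in ADVISORIES:
        if adv.product != product:
            continue
        if v < parse_version(adv.first):
            continue
        if adv.last is not None and v > parse_version(adv.last):
            continue
        if adv.fixed is not None and v >= parse_version(adv.fixed):
            continue
        hits.append(adv.cve)
    return hits


if __name__ == "__main__":
    for product, version in (("nxrm", "3.90.2-01"), ("nxrm", "3.92.0-01"),
                             ("nxrm", "2.14.5"), ("iq", "170")):
        print(f"{product} {version}: {affected_by(product, version) or 'none listed'}")
```

A range with no upper bound (CVE-2026-0600 here) will keep matching every future release until the entry is updated, which is the correct failure direction for a tool like this: it flags, it does not clear.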
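CVE-2026-0600 and CVE-2025-9868 both come down to the server fetching an attacker-chosen proxy URL, with cloud metadata services as the named target. The page does not describe Sonatype's fix; what follows is an added example of the destination check a practitioner would put in front of any "configure remote URL" feature, not Nexus code. The blocked ranges and the metadata hostnames are standard ones (AWS/Azure link-local 169.254.169.254, GCP metadata.google.internal) and are my choice, not taken from the advisories. The resolver is injectable so the check can be exercised offline with constructed answers.

```python
"""Reject proxy-repository URLs that would point the server at itself, its
network, or a cloud metadata endpoint.  Added example, not Sonatype's code."""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Hostnames that cloud providers serve metadata on (assumed list, not from the page).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}

# Link-local (covers 169.254.169.254), loopback, RFC1918, CGNAT and the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]


def resolve_all(host: str) -> List[str]:
    """Every A/AAAA answer for `host`; a partially internal answer set must fail too."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Drop any '%scope' suffix getaddrinfo may attach to link-local IPv6 answers.
    return [info[4][0].split("%", 1)[0] for info in infos]


def _is_internal(addr: ipaddress._BaseAddress) -> bool:
    # ::ffff:169.254.169.254 is a metadata address wearing an IPv6 coat.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        return _is_internal(mapped)
    return any(addr in net for net in BLOCKED_NETS) or not addr.is_global


def proxy_url_is_safe(url: str, resolve: Resolver = resolve_all) -> Tuple[bool, str]:
    """(True, 'ok') when the URL is http(s) and every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # strips brackets and any user:pass@ prefix
    if not host:
        return False, "no host in URL"
    if host.lower().rstrip(".") in METADATA_HOSTS:
        return False, f"{host} is a cloud metadata hostname"
    try:
        addrs = [host] if ipaddress.ip_address(host) else [host]
    except ValueError:
        addrs = resolve(host)
        if not addrs:
            return False, f"{host} does not resolve"
    for raw in addrs:
        addr = ipaddress.ip_address(raw)
        if _is_internal(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/",
                      "http://metadata.google.internal/computeMetadata/v1/",
                      "http://admin@127.0.0.1:8081/repository/maven-public/"):
        print(candidate, "->", proxy_url_is_safe(candidate))
```

This is a configuration-time check and therefore has a known gap: a hostname that resolves publicly when the admin saves the repository can be re-pointed at an internal address before the first proxied fetch (DNS rebinding). The fetch path has to re-check the address it is actually about to connect to, and redirects must be re-validated with the same function.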