Sonatype

Products by Sonatype, sorted by most security vulnerabilities since 2018

Sonatype Nexus: 7 vulnerabilities

Sonatype Nexus IQ Server: 1 vulnerability

Known Exploited Sonatype Vulnerabilities

The following Sonatype vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: Sonatype Nexus Repository Manager Incorrect Access Control Vulnerability
CVE: CVE-2019-7238 (EPSS exploit probability: 76.5%)
Description: Sonatype Nexus Repository Manager before 3.15.0 has an incorrect access control vulnerability. Exploitation allows for remote code execution.
Added: December 10, 2021

Title: Nexus Repository Manager 3 Remote Code Execution Vulnerability
CVE: CVE-2020-10199 (EPSS exploit probability: 99.1%)
Description: Sonatype Nexus Repository before 3.21.2 allows JavaEL Injection (issue 1 of 2).
Added: November 3, 2021

Of the known exploited vulnerabilities above, 2 are in the top 1% (the 99th percentile) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 10 vulnerabilities in Sonatype products. Last year, in 2025, Sonatype had 2 security vulnerabilities published. That is, 8 more vulnerabilities have already been reported in 2026 than in all of last year.

Year | Vulnerabilities | Average Score
2026 | 10 | 0.00
2025 | 2 | 0.00
2024 | 1 | 6.50
2023 | 0 | 0.00
2022 | 2 | 4.30
2021 | 8 | 5.35
2020 | 9 | 6.80
2019 | 9 | 7.72
2018 | 6 | 6.30

It may take a day or so for new Sonatype vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Sonatype Security Vulnerabilities

CVE | Date | Product
Title
Description

CVE-2026-10741 | Jun 17, 2026 | Nexus Repository Manager
Nexus Repo Manager <=3.92: proxy creds disclosure via auth bypass
Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials.

CVE-2026-10748 | Jun 16, 2026 | Nexus Repository Manager
NX-Licensing upload RCE in Sonatype Nexus Repository <3.92.0
An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0.

CVE-2026-3329 | Jun 11, 2026 | Nexus Repository Manager
Credential-guessing via authenticated endpoints in Sonatype Nexus Repository
A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints.

CVE-2026-7308 | May 11, 2026 | Nexus Repository Manager
XSS via Repository HTML Index in Nexus Repository 3.6.0-3.92.0
An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page in Sonatype Nexus Repository versions 3.6.0 through versions before 3.92.0. This could allow the attacker to perform actions in the context of the victim's session.

CVE-2026-3048 | May 11, 2026 | Nexus Repository Manager
Server-Side Connection Initiation in Nexus Repository Manager 3.x via LDAP Admin
An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections when interacting with a malicious LDAP server.

CVE-2026-5189 | Apr 15, 2026 | Nexus Repository Manager
Hard-Coded Credentials in Nexus Repository Manager 3.0.0-3.70.5 Allow Unauth OS Cmds
CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitation requires the non-default nexus.orient.binaryListenerEnabled=true configuration to be enabled.

CVE-2026-3199 | Apr 08, 2026 | Nexus Repository Manager
Sonatype Nexus 3.22.1-3.90.2 Task Exec perm bypassing nexus.scripts.allowCreation
A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.

CVE-2026-3438 | Apr 08, 2026 | Nexus Repository Manager
Reflected XSS in Sonatype Nexus Repo 3.0.0-3.90.2 via Craft URL
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction.

CVE-2026-0600 | Jan 14, 2026 | Nexus Repository Manager
Nexus Repository 3 SSRF via Proxy Repo URL (v3.0.0+; fixed 3.88.0+)
Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default.

CVE-2026-0601 | Jan 14, 2026 | Nexus Repository Manager
Reflected XSS in Nexus Repository 3 via Unsanitized Input
A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).