Reflected XSS in Sonatype Nexus Repo 3.0.0-3.90.2 via Craft URL
CVE-2026-3438 Published on April 8, 2026

Nexus Repository 3 - Reflected Cross-Site Scripting (XSS) in ?describe Pages
A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction.

Vendor Advisory NVD

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-3438 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2026-3438

Want to know whenever a new CVE is published for Sonatype Nexus Repository Manager? stack.watch will email you.

Sonatype Nexus Repository Manager

Affected Versions

Sonatype Nexus Repository:

Version 3.0.0 and below 3.91.0 is affected.

Reflected XSS in Sonatype Nexus Repo 3.0.0-3.90.2 via Craft URLCVE-2026-3438 Published on April 8, 2026

Weakness Type

What is a XSS Vulnerability?

Products Associated with CVE-2026-3438

Affected Versions

Reflected XSS in Sonatype Nexus Repo 3.0.0-3.90.2 via Craft URL
CVE-2026-3438 Published on April 8, 2026