XSS via Repository HTML Index in Nexus Repository 3.6.0-3.92.0
CVE-2026-7308 Published on May 11, 2026

Nexus Repository 3 - Stored Cross-Site Scripting (XSS) via HTML Browse Page
In Sonatype Nexus Repository versions from 3.6.0 up to, but not including, 3.92.0, an authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page. This could allow the attacker to perform actions in the context of the victim's session.


Weakness Type

What is an XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-7308 has been classified as an XSS vulnerability or weakness.


Products Associated with CVE-2026-7308


Affected Versions

Sonatype Nexus Repository: