Sonatype Nexus Security Advisory
Date: January 13, 2026
Affected Versions: Sonatype Nexus Repository 3.82.0 through 3.87.1 (CE/Pro)
Fixed in Version: Sonatype Nexus Repository CE/Pro version 3.88.0
Summary
A reflected cross-site scripting (XSS) vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim’s browser. Exploitation requires user interaction: the victim must visit a malicious page or click a crafted link. Successful exploitation could allow attackers to perform actions on behalf of the victim, including privilege escalation and unauthorized configuration changes.
This vulnerability is fixed in version 3.88.0. Customers are strongly encouraged to upgrade to the latest version.
This issue was discovered and reported responsibly by Piotr Bazydlo (@chudyPB) of watchTowr and has been verified by Sonatype.
Recommendation
Customers using Nexus Repository 3 versions 3.82.0 through 3.87.1 should upgrade to version 3.88.0 or later as soon as possible. Download the latest version from https://help.sonatype.com/repomanager3/product-information/download.
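To turn the affected range above into a repeatable check over an inventory of instances, the following Python is an added example, not Sonatype's code. It assumes Nexus 3 version strings take the form 3.x.y-NN and, for the header helper, that an instance identifies itself in a Server response header of the form Nexus/<version>; both are assumptions, and the sample headers are constructed.

```python
"""Classify Nexus Repository 3 versions against the advisory's affected range."""
import re

# Range stated in the advisory: 3.82.0 through 3.87.1 inclusive; fixed in 3.88.0.
AFFECTED_MIN = (3, 82, 0)
AFFECTED_MAX = (3, 87, 1)
FIXED = (3, 88, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings such as '3.87.1-01' or
    'Nexus/3.85.0-03 (PRO)'. The trailing '-NN' build number (assumed format)
    is ignored because the advisory ranges are expressed as x.y.z."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups()[:3])


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def version_from_server_header(header: str):
    """Pull the version out of a Server header value. Assumption: a Nexus 3
    instance reports 'Nexus/<version> ...'; anything else yields None."""
    m = re.match(r"Nexus/(\S+)", header.strip())
    return m.group(1) if m else None


def triage(server_header: str) -> str:
    """Return 'affected', 'fixed', 'outside stated range' or 'unknown'.
    Versions below 3.82.0 are only reported as outside the stated range;
    the advisory makes no claim about them."""
    ver = version_from_server_header(server_header)
    if ver is None:
        return "unknown"
    v = parse_version(ver)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    return "outside stated range"


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real instance.
    for h in ["Nexus/3.87.1-01 (OSS)", "Nexus/3.88.0-02 (PRO)",
              "Nexus/3.81.1-01 (OSS)", "nginx/1.25"]:
        print(f"{h:24} -> {triage(h)}")
```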
Credit
This issue was discovered and reported responsibly by Piotr Bazydlo (@chudyPB) of watchTowr.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: Attackers can execute arbitrary JavaScript code in the browser of authenticated users who visit a malicious page or click a crafted link. This could allow the attacker to perform actions as the victim user, steal session information, or escalate privileges by creating administrative accounts.
Q: What preconditions must be met in order to be vulnerable?
A: The vulnerability affects Nexus Repository 3 versions 3.82.0 through 3.87.1. Exploitation requires that a victim user visits a malicious website or clicks a crafted link while authenticated to a vulnerable Nexus Repository instance. No authentication is required for the attacker to craft the malicious payload.
Q: Are there implications associated with this advisory itself?
A: Yes. Public disclosure of security vulnerabilities can enable malicious actors to develop exploits and target unpatched systems. Organizations should assess their exposure and take appropriate action by upgrading to version 3.88.0 or applying temporary mitigations as soon as possible.
Q: Where can I obtain more information associated with the vulnerability?
A: Technical details are intentionally limited in this advisory to prevent exploitation. Customers requiring additional technical information for security research or defensive purposes should contact Sonatype Support at https://support.sonatype.com.
Q: Why is Sonatype making this information available?
A: Sonatype follows responsible disclosure practices and coordinates with security researchers to ensure vulnerabilities are fixed before public disclosure. We proactively notify customers to ensure they can protect their systems before malicious actors can develop and deploy exploits.