Sonatype Nexus Security Advisory
Date: April 8, 2026
Affected Versions: All Sonatype Nexus Repository 3.x CE/Pro versions up to and including 3.90.x
Fixed in Version: Sonatype Nexus Repository CE/Pro version 3.91.0
Summary
A reflected cross-site scripting (XSS) vulnerability exists in Sonatype Nexus Repository that allows unauthenticated remote attackers to inject arbitrary HTML content into a victim's browser. The vulnerability requires user interaction: the victim must visit a specially crafted URL. The Content-Security-Policy sandbox on the affected pages contains the execution context, so injected JavaScript runs in an isolated environment without access to the user's session cookies or other Nexus Repository resources.
This vulnerability is fixed in version 3.91.0. Customers are strongly encouraged to upgrade to the latest version.
Recommendation
Customers using Nexus Repository 3 versions 3.0.0 through 3.90.x should upgrade to version 3.91.0 or later as soon as possible. Download the latest version from https://help.sonatype.com/repomanager3/product-information/download.
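To help identify instances that fall in the affected range, the following added example (not Sonatype's code) parses a reported version string and applies the advisory's range, 3.0.0 through 3.90.x affected and 3.91.0 fixed. It assumes the version is available as a string such as a Server response header value; the header format and the sample inventory are constructed for illustration.

```python
import re

# Range from the advisory: 3.x versions below 3.91.0 are affected.
FIXED_VERSION = (3, 91, 0)

# Matches the first x.y.z triple, tolerating a trailing build suffix like "-01".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-\d+)?\b")


def parse_version(text):
    """Return the first x.y.z version in text as a tuple of ints, or None.

    Assumed input format (not confirmed by the advisory): a header value
    such as 'Nexus/3.90.1-01 (OSS)'.
    """
    m = _VERSION_RE.search(text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when version is a 3.x release below the fixed version 3.91.0."""
    v = parse_version(version) if isinstance(version, str) else version
    if v is None or v[0] != 3:
        return False  # advisory covers only the 3.x line
    return v < FIXED_VERSION


def triage(inventory):
    """inventory: mapping host -> Server header value.

    Returns a sorted list of (host, version, verdict) for a patch plan.
    """
    rows = []
    for host, server in inventory.items():
        v = parse_version(server)
        if v is None:
            verdict = "version unknown, verify manually"
        elif is_affected(v):
            verdict = "affected, upgrade to 3.91.0 or later"
        else:
            verdict = "not affected"
        rows.append((host, v, verdict))
    return sorted(rows)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "nexus-a.internal": "Nexus/3.90.1-01 (OSS)",
    "nexus-b.internal": "Nexus/3.91.0-01 (PRO)",
    "nexus-c.internal": "nginx",
}
```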
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An unauthenticated attacker can craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript in the victim's browser. The Content-Security-Policy sandbox on the affected pages contains the execution context, preventing the script from accessing the victim's session cookies or making authenticated requests to Nexus Repository. The practical impact is limited to manipulation of the page displayed to the victim, which could be used for social engineering or UI defacement.
Q: What preconditions must be met in order to be vulnerable?
A: The vulnerability affects Nexus Repository 3 versions 3.0.0 through 3.90.x. Exploitation requires that a victim visits a specially crafted URL, for example by clicking a link sent via email or another channel. No authentication is required for the attacker to craft the malicious URL.
Q: Are there risks associated with publishing this advisory itself?
A: Yes. Public disclosure of security vulnerabilities can enable malicious actors to develop exploits and target unpatched systems. Organizations should assess their exposure and take appropriate action by upgrading to version 3.91.0 as soon as possible.
Q: Why is Sonatype making this information available?
A: Sonatype follows responsible disclosure practices and coordinates with security researchers to ensure vulnerabilities are fixed before public disclosure. We proactively notify customers to ensure they can protect their systems before malicious actors can develop and deploy exploits.