CVE-2026-3199
9.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L
Summary
A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Sonatype | Nexus Repository | 3.22.1 < 3.91.0 | affected |
Weaknesses
- CWE-502: CWE-502 Deserialization of Untrusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html
- https://support.sonatype.com/hc/en-us/articles/50615414548499
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.