CVE-2026-7308 Overview
CVE-2026-7308 is a stored cross-site scripting (XSS) vulnerability in Sonatype Nexus Repository versions 3.6.0 and later, prior to 3.92.0. An authenticated user with upload permission on a hosted repository can store content that triggers arbitrary JavaScript execution. The script runs in the browser of any user who browses the affected repository directory via the HTML index page. Successful exploitation allows the attacker to act in the context of the victim's session, including session token theft, request forgery against the Nexus UI, and unauthorized repository operations. The flaw is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated attackers with upload rights can execute arbitrary JavaScript in the browser sessions of users who browse the repository's HTML index page, enabling session abuse and repository tampering.
Affected Products
- Sonatype Nexus Repository 3.6.0 and later, prior to 3.92.0
- Hosted repositories with upload permission enabled
- Deployments exposing the HTML repository index page to users
Discovery Timeline
- 2026-05-11 - CVE-2026-7308 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-7308
Vulnerability Analysis
The vulnerability resides in the HTML index page that Sonatype Nexus Repository generates for hosted repository directories. When an authenticated user uploads content with attacker-controlled file or path metadata, that metadata is rendered into the directory listing without proper output encoding. A second user who later browses the directory loads the malicious markup, and the embedded JavaScript executes in their authenticated session.
Because the payload is persisted in repository storage, this is a stored XSS rather than reflected. Each visitor to the affected directory re-triggers execution until administrators remove the offending content. Exploitation requires victim interaction in the form of navigating to the repository's HTML index.
Root Cause
The HTML index generator fails to neutralize special characters in repository-controlled content before inserting it into the response page. User-supplied identifiers reach the rendered DOM as active markup instead of inert text, which matches the CWE-79 pattern of improper neutralization during web page generation.
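As an added illustration (not Nexus Repository's own code), the following Python sketch of a hosted-repository directory-index renderer shows the unencoded interpolation the advisory describes beside a version that encodes each name for the context it lands in; the artifact names are constructed samples.

```python
# Added example, not Nexus Repository code: a minimal hosted-repository
# directory-index renderer showing the CWE-79 flaw and its fix.
import html
from urllib.parse import quote

# Constructed sample listing: one ordinary artifact, one whose name
# carries markup (the attacker-controlled metadata the advisory describes).
ARTIFACTS = [
    "app-1.0.jar",
    'evil<img src=x onerror="alert(1)">.jar',
]

def render_index_vulnerable(names):
    """Interpolates each name into the page verbatim, so markup inside a
    name becomes part of the DOM instead of inert text."""
    rows = [f'<li><a href="{n}">{n}</a></li>' for n in names]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"

def render_index_fixed(names):
    """Neutralizes each name for the context it lands in: percent-encoding
    for the href value, entity encoding for the visible link text
    (quote=True also covers the attribute context)."""
    rows = []
    for n in names:
        href = html.escape(quote(n, safe=""), quote=True)
        text = html.escape(n, quote=True)
        rows.append(f'<li><a href="{href}">{text}</a></li>')
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"

def contains_raw_img_tag(page):
    """True if an unescaped '<img' tag survived into the rendered page."""
    return "<img" in page

if __name__ == "__main__":
    print(render_index_vulnerable(ARTIFACTS))
    print(render_index_fixed(ARTIFACTS))
```

The fixed renderer leaves the link still usable (the browser decodes the percent-encoded href) while the visible text and attribute can no longer break out of their context.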
Attack Vector
An attacker first authenticates to Nexus Repository with an account that holds upload permission on a hosted repository. The attacker then uploads an artifact whose name or path includes an HTML or JavaScript payload. When another authenticated user, such as a developer or administrator, browses the directory index of that repository, the payload renders and executes in their browser. The attacker can then exfiltrate session cookies, invoke Nexus REST endpoints on behalf of the victim, or modify repository content. See the Sonatype Support Article for vendor confirmation of the attack path.
Detection Methods for CVE-2026-7308
Indicators of Compromise
- Uploaded artifacts or directory paths in hosted repositories containing characters such as <, >, ", or script tags in their names
- Outbound HTTP requests from administrator or developer browsers to unfamiliar domains immediately after viewing a repository index page
- Unexpected Nexus REST API calls authenticated as a legitimate user with no corresponding UI activity in audit logs
- Newly created repository tokens, user accounts, or permission grants following a user's visit to a hosted repository index
Detection Strategies
- Audit existing hosted repository contents for filenames or path components containing HTML tags or JavaScript event handlers such as onerror= or onload=.
- Correlate Nexus access logs for repository index page requests with subsequent privileged API calls from the same session.
- Monitor browser content security policy violation reports if CSP headers are configured in front of Nexus.
Monitoring Recommendations
- Forward Nexus Repository request logs and audit logs to a centralized SIEM for retention and alerting.
- Alert on uploads to hosted repositories where artifact names or coordinates contain HTML special characters.
- Track version drift across Nexus Repository instances to confirm no host remains on a pre-3.92.0 release.
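The repository-content audit and the upload alert described above can both be driven by one check over artifact paths. This is an added example, not Sonatype tooling: the sample paths are constructed, and the hypothetical suspicious_reasons() helper decodes percent-encoding before matching so that encoded payloads do not slip past a plain character scan.

```python
# Added example (not Sonatype's tooling): flag hosted-repository artifact
# names or paths whose decoded form carries HTML tags, inline event
# handlers, a javascript: URL, or bare HTML special characters.
import re
from urllib.parse import unquote

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
JS_SCHEME_RE = re.compile(r"javascript\s*:", re.IGNORECASE)
SPECIAL_CHARS = set('<>"\'')

def suspicious_reasons(path):
    """Return the reasons a repository path looks like an XSS carrier
    (an empty list means clean). Percent-decodes twice so that both
    %3Cscript%3E and double-encoded %253C... forms are inspected."""
    decoded = unquote(unquote(path))
    reasons = []
    if TAG_RE.search(decoded):
        reasons.append("html-tag")
    if EVENT_HANDLER_RE.search(decoded):
        reasons.append("event-handler")
    if JS_SCHEME_RE.search(decoded):
        reasons.append("javascript-url")
    if SPECIAL_CHARS & set(decoded):
        reasons.append("html-special-char")
    return reasons

def scan_paths(paths):
    """Map each suspicious path to its reasons; clean paths are omitted.
    Feed this the path list from a repository walk or from upload events."""
    result = {}
    for p in paths:
        reasons = suspicious_reasons(p)
        if reasons:
            result[p] = reasons
    return result

# Constructed sample paths, not real repository content.
SAMPLE_PATHS = [
    "com/example/app/1.0/app-1.0.jar",
    "com/example/app/1.0/x<script>alert(1)</script>.jar",
    "com/example/app/1.0/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E.jar",
    "com/example/app/1.0/README.md",
    "com/example/app/1.0/notes'quote.txt",
]

if __name__ == "__main__":
    for path, reasons in scan_paths(SAMPLE_PATHS).items():
        print(f"{path}: {', '.join(reasons)}")
```

The "html-special-char" reason alone (as for the apostrophe case) is a low-severity hit worth reviewing rather than auto-removing; the tag and event-handler reasons are the ones to alert on.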
How to Mitigate CVE-2026-7308
Immediate Actions Required
- Upgrade Sonatype Nexus Repository to version 3.92.0 or later as documented in the Sonatype Nexus Release Notes.
- Review hosted repositories for previously uploaded artifacts whose names or paths contain HTML or script content, and remove or rename them.
- Restrict upload permissions on hosted repositories to the minimum set of trusted accounts and service principals.
- Rotate session tokens and API credentials for any user who may have browsed an affected repository index during the exposure window.
Patch Information
Sonatype addressed CVE-2026-7308 in Nexus Repository 3.92.0. The fix is described in the Sonatype Nexus 3.92.0 Release Notes and the corresponding Sonatype Support Article. Administrators should apply the upgrade following Sonatype's documented procedure and verify the running version after restart.
Workarounds
- Disable or restrict access to the HTML index page for hosted repositories where directory browsing is not required.
- Limit upload permissions to a small, audited set of service accounts until the upgrade is applied.
- Place a reverse proxy in front of Nexus that injects a strict Content-Security-Policy header to block inline script execution as a defense-in-depth measure.
# Configuration example: verify the installed Nexus Repository version
curl -u admin:<password> \
-H "Accept: application/json" \
https://nexus.example.com/service/rest/v1/status
# Expected: version field reports 3.92.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.