Primary

Context

Sonatype Nexus Repository Task Management Component Authenticated Remote Code Execution Vulnerability

Vulnerability

Patched

A remote code execution vulnerability has been identified in the task management component of Sonatype Nexus Repository versions 3.22.1 prior to 3.90.2. This vulnerability allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control. Successful exploitation leads to a full compromise of the Nexus server and its contents.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the Nexus Repository server, with full compromise of the server and its contents.

Remediation

Users are advised to upgrade to Sonatype Nexus Repository version 3.91.0 or later. The latest version can be downloaded from the Sonatype Nexus Repository Downloads page.

Added: Apr 9, 2026, 12:24 AM

Updated: Apr 9, 2026, 12:24 AM

Vulnerability Rating

Custom Algorithm

spread

6.2

impact

7.5

exploitability

5.2

remediation

7.7

relevance

5.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.2

impact

7.5

exploitability

5.2

remediation

7.7

relevance

5.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Sonatype Nexus Repository Task Management Component Authenticated Remote Code Execution Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Sonatype Nexus Repository

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating