NuGet Gallery Remote Code Execution and Arbitrary Blob Write Vulnerability via Malicious Nuspec Files

Vulnerability

A critical vulnerability has been identified in the NuGet Gallery backend's processing of .nuspec files within NuGet packages. This issue allows an attacker to inject malicious metadata into the nuspec file, leading to cross-package metadata injection. The vulnerability arises from inadequate input validation, enabling remote code execution (RCE) and/or arbitrary writes to blobs in the storage container. The exploitation involves URI fragment injection using unsanitized package identifiers, which can manipulate the resolved blob path and overwrite existing content. This vulnerability has been patched in the NuGet Gallery repository.
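As an added example (not code from the NuGet Gallery project), the following Python shows the input-validation step the advisory describes as missing: package identifiers and versions read from a nuspec are checked against strict allow-list patterns before they are used to compose a blob path, so fragment, query, separator or traversal characters never reach path resolution. The ID rules are an assumption modelled on NuGet's documented package-ID validation, the version pattern is a simplified assumption, and the blob layout is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Assumed package-ID rules, modelled on NuGet's documented ID validation:
# letters, digits, '.', '-' and '_' only, starting with a letter or digit,
# at most 100 characters. '#', '?', '/', '\\' and '..' never match.
_PACKAGE_ID_RE = re.compile(r"^[A-Za-z0-9]+([._-][A-Za-z0-9]+)*$")
MAX_ID_LENGTH = 100
# Simplified version check (assumption): numeric parts plus an optional
# dash-prefixed prerelease label; no URI or path metacharacters.
_VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+){0,3}(-[A-Za-z0-9.]+)?$")

def is_valid_package_id(package_id: str) -> bool:
    return (0 < len(package_id) <= MAX_ID_LENGTH
            and _PACKAGE_ID_RE.fullmatch(package_id) is not None)

def is_valid_version(version: str) -> bool:
    return _VERSION_RE.fullmatch(version) is not None

def build_blob_path(package_id: str, version: str) -> str:
    """Compose the storage path from validated metadata only; raise if the
    id or version could alter the resolved path (fragment, query,
    separator or traversal characters)."""
    if not is_valid_package_id(package_id):
        raise ValueError(f"rejected package id: {package_id!r}")
    if not is_valid_version(version):
        raise ValueError(f"rejected version: {version!r}")
    pid, ver = package_id.lower(), version.lower()
    # Hypothetical layout; the real NuGet Gallery container layout may differ.
    return f"packages/{pid}/{ver}/{pid}.{ver}.nupkg"

def blob_path_from_nuspec(nuspec_xml: str) -> str:
    """Read <id>/<version> from a nuspec and validate them before they reach
    any path or URI construction (for untrusted XML in production, prefer a
    hardened parser such as defusedxml)."""
    root = ET.fromstring(nuspec_xml)
    id_el = root.find("{*}metadata/{*}id")
    ver_el = root.find("{*}metadata/{*}version")
    if id_el is None or ver_el is None:
        raise ValueError("nuspec is missing <id> or <version>")
    return build_blob_path((id_el.text or "").strip(), (ver_el.text or "").strip())

# Constructed sample nuspec (not taken from the advisory).
SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata><id>Example.Library</id><version>1.2.3</version></metadata>
</package>"""
```

Run the validation before any URI or blob-path construction, and treat a rejected identifier as a reason to fail the whole package upload rather than to sanitise and continue.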

Impact

Exploitation of this vulnerability could lead to remote code execution on the server or to unauthorized modification of blob storage, allowing existing stored content to be tampered with.

Remediation

Users are advised to update to the patched version available in the NuGet Gallery repository.

Added: Apr 14, 2026, 11:24 PM
Updated: Apr 14, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm
spread:         1.9
impact:         7.5
exploitability: 5.9
remediation:    0.0
relevance:      5.9
threat:         3.2
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.