CVE-2026-3199
CRITICALNexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection
Title source: cnaDescription
A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control.
Scores
CVSS v4
9.4
EPSS
0.0008
EPSS Percentile
24.0%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L
Details
CWE
CWE-502
Status
published
Products (1)
Sonatype/Nexus Repository
3.22.1 - 3.91.0
Published
Apr 08, 2026
Tracked Since
Apr 09, 2026