Nexus Repository 3 RCE Lets Privileged Users Execute OS Commands
Sonatype disclosed CVE-2026-10748, a high-severity remote code execution flaw in Nexus Repository 3 affecting versions before 3.92.0. The vulnerability stems from unsafe deserialization in license handling and allows an authenticated user with the nx-licensing-create privilege to upload a crafted license file and execute arbitrary operating system commands as the Nexus process user. The issue carries a CVSS 4.0 score of 8.6.
Organizations running Nexus Repository 3 are being urged to upgrade to 3.92.0 or later, apply vendor patches, and tightly restrict assignment of the nx-licensing-create privilege to reduce exposure. A separate F5 advisory also noted CVE-2026-42530 affecting the NGINX ngx_http_v3_module, but no technical synopsis was provided in the available reference.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CVE-2026-10748 published for Nexus Repository 3 RCE flaw
A high-severity remote code execution vulnerability, CVE-2026-10748, was published affecting Sonatype Nexus Repository 3 before version 3.92.0. Sonatype indicated the flaw allows an authenticated user with the nx-licensing-create privilege to upload a crafted license file and execute arbitrary OS commands as the Nexus process user.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Sonatype Nexus Repository Flaws Enable Remote Code Execution and Database Compromise
Sonatype disclosed two high-severity vulnerabilities in **Nexus Repository Manager 3** that can lead to arbitrary code execution. **`CVE-2026-3199`** affects versions **3.22.1 through 3.90.2** and allows an authenticated user with task creation privileges to execute code through task property injection in the task management component. The flaw bypasses the `nexus.scripts.allowCreation` security control, indicating a failure in script-related policy enforcement, and has been mapped to **`CWE-502`**. A second issue, **`CVE-2026-5189`**, affects versions **3.0.0 through 3.70.5** and stems from hard-coded credentials in an internal database component. If the non-default setting `nexus.orient.binaryListenerEnabled=true` is enabled, an unauthenticated network attacker can gain read and write access to the internal database and execute operating system commands as the Nexus process user. Sonatype linked the fixes to **Nexus Repository 3.91.0** for `CVE-2026-3199` and **3.71.0** for `CVE-2026-5189`, with both issues carrying high impact across confidentiality, integrity, and availability.
Apr 15, 2026
Sonatype Nexus Repository Manager Flaws Enable XSS and Potential Code Execution
dCERT issued advisories for two vulnerabilities affecting **Sonatype Nexus Repository Manager**, warning that one flaw allows **cross-site scripting (XSS)** and another can **bypass security measures** and may lead to **potential code execution**. The issues affect a widely used artifact repository platform that often sits in software build and package distribution workflows. The paired advisories indicate risk ranging from browser-based compromise through XSS to more serious server-side impact if security controls can be circumvented. Organizations using Sonatype Nexus Repository Manager should review the relevant dCERT advisories, identify affected deployments, and prioritize vendor guidance and remediation to reduce exposure in development and supply-chain infrastructure.
May 12, 2026
NGINX Rift Rewrite Flaw Triggers Worker Crashes and Possible RCE
F5 and NGINX disclosed **CVE-2026-42945** ("**NGINX Rift**"), a critical heap buffer overflow in `ngx_http_rewrite_module` affecting **NGINX Open Source 0.6.27 through 1.30.0** and **NGINX Plus R32 through R36**. The bug is exposed when servers use a specific rewrite pattern: a `rewrite` directive with unnamed PCRE captures such as `$1` or `$2`, a replacement string containing `?`, and a following `rewrite`, `if`, or `set` directive. An unauthenticated attacker can send crafted HTTP requests to corrupt heap memory in the worker process, reliably causing crashes and restarts; code execution is considered possible in weaker environments, particularly where **ASLR is disabled**. Fixes were released in **NGINX 1.30.1**, **1.31.0**, and patched NGINX Plus builds, while Debian, AlmaLinux, and other downstream vendors began shipping updates. Public writeups and proof-of-concept code quickly drove attacker interest, and multiple reports said **VulnCheck observed exploitation attempts on canary systems** within days of disclosure. Researchers and defenders broadly agreed that denial-of-service is the most practical near-term impact, while widespread reliable RCE is less likely on hardened systems with modern memory protections enabled. Administrators were urged to patch internet-facing reverse proxies, load balancers, ingress controllers, and API gateways, audit rewrite rules for unnamed captures, and use named captures as a temporary mitigation where upgrades cannot be applied immediately. The same release cycle also addressed additional NGINX flaws including **CVE-2026-42946**, **CVE-2026-40701**, and **CVE-2026-42934**.
Jun 9, 2026