PatchSiren cyber security CVE debrief
CVE-2026-10748 Sonatype CVE debrief
CVE-2026-10748 is a high-severity vulnerability in Sonatype Nexus Repository 3, with a CVSS score of 8.6. An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in versions before 3.92.0.
- Vendor: Sonatype
- Product: Nexus Repository
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-17
Who should care
Users of Sonatype Nexus Repository 3, especially those with nx-licensing-create privileges, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
CVE-2026-10748 is a vulnerability in Sonatype Nexus Repository 3 that allows authenticated users with the nx-licensing-create privilege to execute arbitrary OS commands by uploading a specially crafted license file.
Defensive priority
High
Recommended defensive actions
- Upgrade to Sonatype Nexus Repository 3 version 3.92.0 or later.
- Restrict nx-licensing-create privileges to only necessary users.
- Monitor for suspicious activity and implement additional security measures as needed.
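To support the first two actions, the following added example (not code from Sonatype or from this page) compares a version string against the fixed release 3.92.0 and lists the accounts that hold nx-licensing-create either directly or through nested roles. The JSON field names (`id`, `privileges`, `roles`, `userId`) and all sample roles and accounts are assumptions constructed for illustration.

```python
FIXED = (3, 92, 0)                 # first fixed release named in the advisory
GRANTING = {"nx-licensing-create"} # add broader privileges that imply it, if any

def is_vulnerable(version):
    """True when a version string such as '3.91.1-02' is below 3.92.0."""
    nums = [int(p) for p in version.split("-")[0].split(".")][:3]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED      # numeric compare, so 3.100.0 > 3.92.0

def roles_granting(roles, privs=GRANTING):
    """Ids of roles that grant a listed privilege directly or by nesting."""
    hit = {r["id"] for r in roles if privs & set(r.get("privileges", []))}
    changed = True
    while changed:                  # fixed point; terminates on cyclic nesting
        changed = False
        for r in roles:
            if r["id"] not in hit and hit & set(r.get("roles", [])):
                hit.add(r["id"])
                changed = True
    return hit

def holders(users, roles, privs=GRANTING):
    """Sorted ids of users who reach the privilege through any role."""
    hit = roles_granting(roles, privs)
    return sorted(u["userId"] for u in users if hit & set(u.get("roles", [])))

# Constructed sample data (hypothetical roles and accounts)
SAMPLE_ROLES = [
    {"id": "license-admin", "privileges": ["nx-licensing-create"], "roles": []},
    {"id": "platform-ops", "privileges": [], "roles": ["license-admin"]},
    {"id": "ci-wrapper", "privileges": [], "roles": ["platform-ops"]},
    {"id": "developer", "privileges": ["nx-repository-view-*-*-read"], "roles": []},
    {"id": "loop-a", "privileges": [], "roles": ["loop-b"]},
    {"id": "loop-b", "privileges": [], "roles": ["loop-a"]},
]
SAMPLE_USERS = [
    {"userId": "alice", "roles": ["license-admin"]},
    {"userId": "bob", "roles": ["developer"]},
    {"userId": "carol", "roles": ["platform-ops"]},
    {"userId": "ci-bot", "roles": ["ci-wrapper"]},
    {"userId": "dave", "roles": ["loop-a"]},
]

if __name__ == "__main__":
    print("3.91.1-02 vulnerable:", is_vulnerable("3.91.1-02"))
    print("accounts to review:", holders(SAMPLE_USERS, SAMPLE_ROLES))
```

Accounts that inherit the privilege through a nested role are easy to miss when reviewing only direct role assignments, which is why the role graph is resolved before users are matched.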
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and affected versions.
Official resources
- CVE-2026-10748 CVE record (CVE.org)
- CVE-2026-10748 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 103e4ec9-0a87-450b-af77-479448ddef11
CVE-2026-10748 was published on 2026-06-16T19:16:30.607Z and modified on 2026-06-16T20:46:47.250Z.