Impact
A reflected cross‑site scripting vulnerability exists in Nexus Repository 3 that permits an unauthenticated attacker to execute arbitrary JavaScript in a victim’s browser. The flaw is triggered when a victim accesses a specially crafted request; the malicious payload is reflected back and executed. Because the payload is not stored on the server, the impact is limited to the victim’s browser session, but it could enable cookie theft, session hijacking, or phishing attacks.
Affected Systems
The vulnerability affects Sonatype Nexus Repository Manager, specifically versions 3.82.0 through 3.87.1 inclusive, as identified by the CNA. All releases prior to 3.88.0 lack the mitigations announced in the official 3.88.0 release notes. The affected component is the web interface, which processes query parameters and renders them without proper sanitization.
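As an added example (not Sonatype's or OpenCVE's code), the following Python triages an inventory of Nexus Repository version strings against the range stated above. The `Server`-style banner format, the sample inventory, the host names and the status labels are assumptions made for illustration.

```python
import re

# Range attributed to the CNA on this page, and the release carrying the fix.
FIRST_AFFECTED = (3, 82, 0)
LAST_AFFECTED = (3, 87, 1)
FIRST_FIXED = (3, 88, 0)

# Accepts "3.87.1", "3.87.1-01" or a banner such as "Nexus/3.87.1-01 (OSS)".
# The banner form is an assumption about how the inventory was collected.
_VERSION_RE = re.compile(r"(?:^|[/\s])(\d+)\.(\d+)\.(\d+)(?:-\d+)?(?=$|[\s)])")


def parse_version(text):
    """Return (major, minor, patch), or None when no full version is present."""
    m = _VERSION_RE.search(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Map one version string to a triage status."""
    v = parse_version(text)
    if v is None:
        return "unknown"        # unparseable: verify the instance by hand
    if v[0] != 3:
        return "out-of-scope"   # the advisory covers Nexus Repository 3 only
    if v >= FIRST_FIXED:
        return "fixed"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"
    # Outside the CNA range but prior to 3.88.0, so it lacks the 3.88.0
    # mitigations; schedule an upgrade rather than treating it as safe.
    return "unlisted"


def triage(inventory):
    """Group host names by status; inventory maps host -> version string."""
    groups = {}
    for host, raw in inventory.items():
        groups.setdefault(classify(raw), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "repo-a.example": "Nexus/3.87.1-01 (OSS)",
    "repo-b.example": "3.82.0",
    "repo-c.example": "3.88.0-08",
    "repo-d.example": "Nexus/3.81.1-01 (PRO)",
    "repo-e.example": "n/a",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:10} {', '.join(hosts)}")
```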
Risk and Exploitability
The CVSS v3.1 score is 5.1, indicating moderate severity. EPSS is less than 1%, meaning the probability of exploitation is presently low, and the vulnerability is not listed in the CISA KEV catalog. The flaw requires an attacker to send a crafted request to an unauthenticated end user, who must then interact with the resulting page for the script to run. No authentication or privileged access is needed, making the threat accessible to anyone with a web browser. Because the vulnerability is reflected, it does not persist on the server, but it can still be leveraged to compromise user sessions or conduct phishing attacks.