Deserialization in Sonatype Nexus Repository
CVE-2026-10748
In Sonatype Nexus Repository 3 versions before 3.92.0, an authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user.
Vulnerability class: Insecure Deserialization
Affected products
- Sonatype Nexus Repository — versions 3.0.0
Weakness classification (CWE)