CVE-2026-39399 - Vulnerability Analysis
Severity: Critical | CVSS: 9.6 | Last Updated: April 14, 2026
NuGet Gallery - Stored XSS & Remote Code Execution
Published: April 14, 2026 | Updated: April 14, 2026 | Remotely exploitable
Overview
NuGet Gallery contains a stored XSS vulnerability caused by insufficient input validation of crafted .nuspec file metadata in backend jobs. It lets attackers achieve remote code execution and arbitrary blob writes via URI fragment injection; exploitation requires crafted package identifiers.
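The identifier-in-URI problem the overview describes, as an added illustration that is not NuGet Gallery's own code: a package id taken from metadata and pasted into a blob URI lets a '#' in the id silently shorten the path the storage client actually writes to, and a strict allow-list check on the id stops that before any URI is built. The blob base URL and the simplified id/version rules are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed storage base for the example; not from the advisory.
BLOB_BASE = "https://blob.example.invalid/packages/"

# Simplified identifier rule, assumed for the example: letters, digits,
# '.', '_' and '-' only, up to 100 characters. '#', '?', '/' and '%' never
# pass, so the id cannot carry URI fragment, query or path syntax.
PACKAGE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")
VERSION_RE = re.compile(r"^[0-9][0-9A-Za-z.+-]{0,63}$")


def build_blob_uri(package_id: str, version: str) -> str:
    """Naive construction: the metadata value is trusted as-is."""
    return f"{BLOB_BASE}{package_id}/{version}/{package_id}.{version}.nupkg"


def effective_path(uri: str) -> str:
    """Path a URI-aware client actually uses: everything after the first
    '#' is the fragment and is dropped from the path."""
    return urlsplit(uri).path


def is_valid_package_id(package_id: str) -> bool:
    """Allow-list check applied to the id before it is used anywhere."""
    return PACKAGE_ID_RE.fullmatch(package_id) is not None


def safe_blob_uri(package_id: str, version: str) -> str:
    """Reject metadata that fails the strict rule before any URI exists."""
    if not is_valid_package_id(package_id):
        raise ValueError(f"rejected package id: {package_id!r}")
    if VERSION_RE.fullmatch(version) is None:
        raise ValueError(f"rejected version: {version!r}")
    return build_blob_uri(package_id, version)


if __name__ == "__main__":
    honest = "Contoso.Utils"          # constructed sample id
    malformed = "Contoso.Utils#x"     # constructed, obviously malformed id
    print(effective_path(build_blob_uri(honest, "1.0.0")))
    print(effective_path(build_blob_uri(malformed, "1.0.0")))  # shortened
    print(is_valid_package_id(honest), is_valid_package_id(malformed))
```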
Severity & Score
Severity: Critical
CVSS Score: 9.6
Impact
Attackers can execute remote code and write arbitrary blobs, potentially leading to full system compromise and data tampering.
Mitigation
Apply the patch from commit 0e80f87628349207cdcaf55358491f8a6f1ca276 or update to the latest version.
Details
- CVE ID: CVE-2026-39399
- Severity: Critical
- CVSS Score: 9.6
- Type: stored_xss
- Status: new
CWE
- CWE-20 (Improper Input Validation)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H