CVE-2026-39399

Source
https://cve.org/CVERecord?id=CVE-2026-39399
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39399.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39399
Aliases
  • GHSA-9r3h-v4hx-rhfr
Published
2026-04-14T23:01:38.176Z
Modified
2026-07-08T08:13:06.461184852Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H CVSS Calculator
Summary
NuGet Gallery: Arbitrary Blob Overwrite via Nuspec Confusion and URI Fragment Truncation
Details

NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "0e80f87628349207cdcaf55358491f8a6f1ca276"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39399.json",
    "cwe_ids": [
        "CWE-20",
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/nuget/nugetgallery

Affected ranges

Type
GIT
Repo
https://github.com/nuget/nugetgallery
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

3.*
3.0.269-r-develop-octov3-1-ApiApps
3.0.393-r-master
3.0.434-r4-master-NuGet
3.0.474-r-master-NuGet
3.0.490-r-master-NuGet
3.0.501-r-master-NuGet
3.0.506-r-master-NuGet
3.0.507-r-master-NuGet
3.0.510-r-master-NuGet
3.0.514-r-master-NuGet
3.0.524-r-master-NuGet
3.0.525-r-master-NuGet
3.0.540-r-master-NuGet
3.0.543-r-master-NuGet
3.0.554-r-master-NuGet
3.0.570-r-master-NuGet
3.0.576-r-master-NuGet
3.0.578-r-master-NuGet
3.0.601-r-master-ApiApps
3.0.606-r-master-ApiApps
3.0.608-r-master-ApiApps
3.0.610-r-master-ApiApps
3.0.621-r-master-ApiApps
3.0.623-r-master
3.0.624-r-master
Other
iters/5/qa
iters/6/qa
iters/6/start
iters/7/start
iters/zold/2012Jun04@0000
iters/zold/2013Jul19
iters/zold/1.*
iters/zold/1.8
iters/zold/2.*
iters/zold/2.0
v2016.*
v2016.12
v2017.*
v2017.01
v2017.01.17
v2017.01.27
v2017.01.30
v2017.02.24
v2017.03.22
v2017.03.27
v2017.04.28
v2017.06.14
v2017.08.14
v2017.09.01
v2017.10.19
v2017.10.31
v2017.11.27
v2018.*
v2018.01.08
v2018.01.29
v2018.02.22
v2018.03.12
v2018.04.05
v2018.04.25
v2018.05.08
v2018.05.21
v2018.07.16
v2018.08.01
v2018.08.08
v2018.08.20
v2018.09.25
v2018.10.20
v2018.11.05
v2018.11.06
v2018.11.12
v2019.*
v2019.01.14
v2019.06.24
v2020.*
v2020.06.09
v2021.*
v2021.04.08
v2022.*
v2022.10.19
v2023.*
v2023.02.27
v2023.04.25
v2024.*
v2024.05.28
v2024.12.06

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39399.json"