CVE-2026-39399 — CRITICAL (9.6)

Vulnerability Description

NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Related Weaknesses (CWE)

CWE-20 CWE-22

References

FAQ

What is CVE-2026-39399?

CVE-2026-39399 is a vulnerability with a CVSS score of 9.6 (CRITICAL). NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a...

How severe is CVE-2026-39399?

CVE-2026-39399 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-39399?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.