{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39399", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T22:06:40.516Z", "datePublished": "2026-04-14T23:01:38.176Z", "dateUpdated": "2026-04-15T14:42:02.662Z"}, "containers": {"cna": {"title": "NuGet Gallery: Arbitrary Blob Overwrite via Nuspec Confusion and URI Fragment Truncation", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr"}, {"name": "https://github.com/NuGet/NuGetGallery/commit/0e80f87628349207cdcaf55358491f8a6f1ca276", "tags": ["x_refsource_MISC"], "url": "https://github.com/NuGet/NuGetGallery/commit/0e80f87628349207cdcaf55358491f8a6f1ca276"}], "affected": [{"vendor": "NuGet", "product": "NuGetGallery", "versions": [{"version": "< 0e80f87628349207cdcaf55358491f8a6f1ca276", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:01:38.176Z"}, "descriptions": [{"lang": "en", "value": "NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job\u2019s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276."}], "source": {"advisory": "GHSA-9r3h-v4hx-rhfr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T14:41:44.304732Z", "id": "CVE-2026-39399", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:42:02.662Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39399", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T14:41:44.304732Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:41:53.269Z"}}], "cna": {"title": "NuGet Gallery: Arbitrary Blob Overwrite via Nuspec Confusion and URI Fragment Truncation", "source": {"advisory": "GHSA-9r3h-v4hx-rhfr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "NuGet", "product": "NuGetGallery", "versions": [{"status": "affected", "version": "< 0e80f87628349207cdcaf55358491f8a6f1ca276"}]}], "references": [{"url": "https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr", "name": "https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/NuGet/NuGetGallery/commit/0e80f87628349207cdcaf55358491f8a6f1ca276", "name": "https://github.com/NuGet/NuGetGallery/commit/0e80f87628349207cdcaf55358491f8a6f1ca276", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job\u2019s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T23:01:38.176Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39399", "state": "PUBLISHED", "dateUpdated": "2026-04-15T14:42:02.662Z", "dateReserved": "2026-04-06T22:06:40.516Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T23:01:38.176Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job\u2019s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276."}], "id": "CVE-2026-39399", "lastModified": "2026-04-14T23:16:29.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T23:16:29.460", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/NuGet/NuGetGallery/commit/0e80f87628349207cdcaf55358491f8a6f1ca276"}, {"source": "security-advisories@github.com", "url": "https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,0e80f87628349207cdcaf55358491f8a6f1ca276)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "NuGetGallery", "source": "cna", "vendor": "NuGet"}, "product": "nugetgallery", "vendor": "nuget"}], "analysis": {"en": {"generated_at": "2026-04-15T00:21:25.795265+00:00", "value": {"mitigation_remediation": ["Update NuGetGallery to a version that includes the patch from commit 0e80f87628349207cdcaf55358491f8a6f1ca276.", "If an upgrade cannot be performed immediately, disable or tightly restrict the backend job that processes .nuspec files and quarantine any packages with suspicious metadata.", "Implement write\u2011segmentation on the storage container to restrict write access only to the necessary automation accounts and enable detailed logging so that any unauthorized blob changes are detected and alerted on."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vendor is NuGet and the product is NuGetGallery. Every instance of NuGetGallery that has not been updated to include the patch in commit 0e80f87628349207cdcaf55358491f8a6f1ca276 is vulnerable. No specific product version range is supplied, so all unpatched deployments are at risk.", "description_and_impact": "NuGet Gallery powers nuget.org and handles .nuspec files in its backend jobs. A crafted .nuspec file with malicious metadata can cause cross\u2011package metadata injection, leading to remote code execution and arbitrary blob writes due to insufficient input validation. The attacker can control the resolved blob path and overwrite any blob in the storage container, potentially tampering existing content or injecting executable code.", "risk_and_exploitability": "The CVSS score is 9.6, indicating a critical risk. The EPSS score is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it has not yet been detected as an actively exploited flaw. Exploitation requires an attacker to supply a malicious .nuspec file and trigger the backend job, which can be done by uploading a package or invoking the job directly. Unsanitized package identifiers are interpreted as URI fragments, allowing the attacker to set arbitrary blob paths and perform writes to any object in the storage container. Successful exploitation can grant remote code execution and arbitrary data tampering."}}}}, "created": "2026-04-15T13:48:23.613447+00:00", "updated": "2026-04-15T14:28:41.086047+00:00", "vendors": ["nuget", "nuget$PRODUCT$nugetgallery"]}