Browse all 4 CVE security advisories affecting NuGet. AI-powered Chinese analysis, POCs, and references for each vulnerability.
NuGet serves as the primary package manager for .NET development, enabling developers to integrate pre-built libraries into their applications. Historically, common vulnerabilities include remote code execution through malicious packages, cross-site scripting flaws in package metadata, and privilege escalation via compromised build processes. The platform has faced security incidents where attackers uploaded malicious packages with names similar to legitimate ones, leading to supply chain attacks. While NuGet has implemented features like package verification and mandatory TLS, the 4 CVEs on record highlight ongoing risks in dependency management, particularly around package integrity and secure build practices.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39399 | NuGet Gallery: Arbitrary Blob Overwrite via Nuspec Confusion and URI Fragment Truncation | NuGetGallery | CWE-20 | 9.6 | Critical | 2026-04-14 |
| CVE-2024-54138 | XSS Vulnerability in NuGetGallery's Markdown Autolinks Processing | NuGetGallery | CWE-79 | 5.4 | - | 2024-12-06 |
| CVE-2024-47604 | XSS vulnerability in NuGetGallery HTML attributes handling | NuGetGallery | CWE-79 | 8.2 | High | 2024-10-01 |
| CVE-2024-37304 | NuGetGallery's Markdown Autolinks Processing Vulnerable to Cross-site Scripting | NuGetGallery | CWE-79 | 6.1 | Medium | 2024-06-12 |
This page lists every published CVE security advisory associated with NuGet. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.