CVE-2026-39399
Received Received - Intake
Cross Package Metadata Injection in NuGetGallery Enables RCE

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39399
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nuget nuget_gallery to 0e80f87628349207cdcaf55358491f8a6f1ca276 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the NuGetGallery backend job's handling of .nuspec files within NuGet packages. An attacker can supply a specially crafted nuspec file containing malicious metadata, which leads to cross package metadata injection. This injection can result in remote code execution (RCE) and/or arbitrary blob writes because the input validation is insufficient.

The attack exploits URI fragment injection using unsanitized package identifiers, allowing the attacker to control the resolved blob path. This means the attacker can write to arbitrary blobs within the storage container, not just .nupkg files, potentially tampering with existing content.

The vulnerability has been patched in a specific commit to fix this issue.

Impact Analysis

This vulnerability can have severe impacts including remote code execution (RCE), which allows an attacker to run arbitrary code on the server hosting the NuGetGallery backend.

Additionally, the attacker can perform arbitrary blob writes within the storage container, potentially tampering with existing package content or other stored data.

Such impacts can compromise the integrity and availability of the package repository, leading to trust issues and possible disruption of software supply chains.

Mitigation Strategies

The vulnerability has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276. Immediate mitigation steps include applying this patch to the NuGetGallery backend job to ensure proper input validation of .nuspec files and prevent cross package metadata injection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39399. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart