### Critical Vulnerability Information

#### Known Issues

- **NuGet Search Issue**: In Sonatype Nexus Repository 3.88.0, NuGet client search requests may fail when the application runs on an embedded H2 database. If your setup relies on this functionality and uses an embedded H2 database, do not upgrade to version 3.88.0 until a resolution is available.

#### Security Updates

- **CVE-2026-0601**: Fixed a cross-site scripting (XSS) vulnerability affecting Sonatype Nexus Repository versions 3.82.0 to 3.87.1. This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers, potentially leading to privilege escalation or unauthorized configuration changes. For more details, see the [CVE-2026-0601 Vulnerability Baseline Article](#).

### Other Important Updates

- **SQL Search**: Starting with Nexus Repository 3.88.0, all search operations now execute directly against the underlying SQL database, replacing the previous Elasticsearch-based approach.
- **PostgreSQL Users**: Must install the `pg_trgm` module.
- **Search Now API**: Added `GET /v1/capabilities/types` to retrieve available capability types and their metadata.
- **Cleanup Management Tasks**: Introduced new management tasks and capabilities for cleaning up browse trees.
- **Configuration Encryption Settings**: Added new properties to configure PBKDF2 encryption iteration counts.
- **URL Validation**: Added optional URL validation to protect against Server-Side Request Forgeries (SSRF), blocking outgoing connections to private network addresses.
- **Updated SAML Library**: Enhanced security and compatibility.
- **Crawler Access Restrictions**: Set `nexus.proxy.allowPrivateNetworks=false` to prevent crawlers from accessing private networks.
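
A pre-change check for the URL validation and `nexus.proxy.allowPrivateNetworks=false` items above, as an added example that is not Sonatype's code: it sorts proxy remote URLs by whether their host is a private-range IP literal, so legitimate internal upstreams can be found before the restriction is enabled. The repository names, URLs and the `classify_remote`/`audit` helpers are constructed for illustration, and Python's `ipaddress` classification is assumed as a stand-in for the ranges Nexus treats as private, which this page does not list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of proxy repository remotes; not from a real instance.
SAMPLE_REMOTES = {
    "maven-central": "https://repo1.maven.org/maven2/",
    "internal-mirror": "http://10.20.30.40:8081/repository/maven-public/",
    "lab-npm": "https://[fd12:3456:789a::10]/npm/",
    "loopback-test": "http://127.0.0.1:8081/",
    "link-local": "http://169.254.169.254/latest/",
    "mapped-v4": "http://[::ffff:192.168.1.5]/",
    "public-literal": "https://93.184.216.34/",
}


def classify_remote(url):
    """Return 'private', 'public', 'needs-dns' or 'invalid' for a remote URL."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: resolve it from the Nexus host itself, since internal
        # DNS may answer differently than the workstation running this audit.
        return "needs-dns"
    # Unwrap IPv4-mapped IPv6 so ::ffff:192.168.1.5 is judged as 192.168.1.5.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    non_public = (ip.is_private or ip.is_loopback or ip.is_link_local
                  or ip.is_unspecified or ip.is_reserved or ip.is_multicast)
    return "private" if non_public else "public"


def audit(remotes):
    """Group repository names by classification of their remote URL."""
    report = {}
    for name, url in sorted(remotes.items()):
        report.setdefault(classify_remote(url), []).append(name)
    return report


if __name__ == "__main__":
    for verdict, names in audit(SAMPLE_REMOTES).items():
        print(f"{verdict}: {', '.join(names)}")
```

Repositories reported as `private` are the ones to review before the restriction is turned on; `needs-dns` entries still have to be resolved and checked the same way.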