Skip to main content

Invicti Standard release notes

RSS feed

This document highlights the new features, improvements, and fixed issues introduced in Invicti Standard across recent releases. Each update focuses on enhancing usability, security coverage, and integration capabilities for security teams.

2026

This section summarizes all releases, features, improvements, and fixes for 2026 as they're added.

Release v26.6.0

Release date: 16 June 2026

New features

  • Pre-scan authentication validation for NTLM, Basic, and Kerberos: Scans can now be configured to fail immediately if credentials are invalid, preventing unauthenticated scans from running silently.

Improvements

  • Scans now fail immediately when the first response returns HTTP 502: Previously, a 502 Bad Gateway response on the first request did not stop the scan. The scanner now fails the scan immediately in this scenario, surfacing the problem at the earliest opportunity and avoiding misleading results from a scan that should never have run.

  • Boolean MongoDB injection engine updated to reduce false positives: The Boolean MongoDB injection engine now produces more accurate results, reducing incorrect vulnerability reports on non-MongoDB targets.

Resolved issues

  • Custom policy severity settings no longer reset after a product update: User-configured severity levels in custom report policies are now preserved across upgrades.

Security checks

  • Imported scripts, including JavaScript source map detection.

Release v26.5.0

Release date: 12 May 2026

Improvements

  • Single browser scan setting: Single browser mode is now controlled from the scan policy under Browser settings, so you can switch between single-browser and multi-browser scanning per policy instead of toggling it globally.

Resolved issues

  • Smart card and Microsoft login authentication: Certificate-based (Smart Card) authentication now works again in the Invicti Standard embedded browser, so Microsoft login flows that depend on client certificates no longer fail with a protocol error mid-redirect.
  • User-edited report policy sections preserved on upgrade: Your customizations to CWE values and vulnerability template sections in report policies are no longer overwritten during version upgrades, so you don't lose tuning work each time you upgrade.
  • Crawl and Wait pauses for manual crawling: When "Crawl and wait" is enabled, the scan now pauses after the crawl phase and exposes a Manual crawling & proxy action, so you can complete manual crawling before the attack phase begins.

Release v26.4.1

Release date: 28 April 2026

Resolved issues

  • Login & logout verification: The "Verify login and logout" button has been fixed, ensuring you can validate your authentication settings without interruption.

Release v26.4.0

Release date: 14 April 2026

Resolved issues

  • Auth verification & script editor stability: Authentication verification and the custom script editor no longer freeze during operation, so scans run without unexpected UI hang-ups.
  • Report policy management: You can now rename or delete report policies without errors, giving you full control over your reporting configuration.

Release v26.3.1

Release date: 31 March 2026

Improvements to existing features

  • Passive engine proxy stability: Scans that use a custom web proxy now run more reliably, so your targets are scanned without unexpected timeouts or interruptions.

Bug fixes

  • Smart card scan reliability: Scans that use smart card authentication now start and run without freezing, so you can complete secure scans smoothly and on time.
  • OAuth scan export reliability: Scans that use OAuth settings now export successfully, so your scan data is complete and available without errors.

Release v26.3.0

Release date: 10 March 2026

New features

  • Added OWASP Top 10 2025 classification and reporting support
  • Implemented OWASP Top 10 2025 classification in Report Policies

Improvements

  • Implemented VDB update for auth verifier agent
  • Improved Web Cache Deception detection accuracy and refined the response validation logic to handle authentication edge cases

Resolved issues

  • Improved the generation of preference files for client certificate usage in the browser
  • Fixed an issue that occurred when exporting scan data from Invicti Standard to Invicti Enterprise while OAuth was enabled
  • Fixed an issue where some nodes were missing in the Knowledge Base under specific scan conditions

Release v26.2.1

Release date: 24 February 2026

Improvements

  • "Use HTTP Client" is now a scan policy setting and no longer requires account-level activation
  • Updated Requester details in the Form Authentication API documentation

Resolved issues

  • Fixed an issue preventing scans with OAuth2 settings from starting
  • Fixed malformed masked URL usage in a scan

Release v26.2.0

Release date: 10 February 2026

New features

  • Added SEM integration support with Client Certificate authentication
  • Added support to use secrets in the OAuth2 tab
  • Added .har file download on Authentication Verification

Improvements

  • Updated Node to v20.20.0 for Invicti.Common.Browser.Driver
  • Upgraded Shark.Java package from version 20 to version 21
  • Improved login fail notification
  • Incremental Scan now correctly detects new and modified pages and performs no action when there are no changes
  • Improved DOM XSS simulation

Resolved issues

  • Fixed an issue that impacted “Detailed Scan Report” generation
  • Fixed an issue on creating Knowledge Base items.
  • Updated information panel of Secrets section

Release v26.1.0

Release date: 13 January 2026

New feature

  • Added Browser Network and Console logs to the verification log area

Resolved issues

  • Fixed TempPath-dependent errors when the path contains whitespace
  • Fixed OAuth2 3-legged Authorization code issue
  • Fixed sitemap issue causing URLs with /#/ to be missing
  • Fixed retest scan launch failure
  • An issue after the paused and resumed has been fixed
  • Fixed scan data archiving error

2025

This section summarizes all releases, features, improvements, and fixes for 2025 as they're added.

Release v25.12.0

Release date: 10 December 2025

Improvements

  • Relocated the InterceptDocumentOnly setting from Advanced settings to Scan policy for improved accessibility
  • Upgraded the underlying engine to Chromium 137.0.7151.68, delivering critical security patches, improved stability, and better performance

Resolved issues

  • Fixed an issue where excluded cookies were incorrectly appearing in reports ‍

Release v25.11.2-Hot fix

Release date: 5 December 2025

New security checks

Release v25.11.0

Release date: 11 November 2025

Improvements

  • Improved the "SameSite Cookie Not Implemented" security check
  • Improved the "JWT Signature isn't Verified" security check

Resolved issues

  • Fixed login failures due to issues with loading authentication profiles
  • Fixed an issue where Linux/cloud agents couldn't parse secrets pre-request query parameters
  • Improved the application's launch time ‍

Release v25.10.0

Release date: 14 October 2025

New feature

  • Added WebLogic support for JAVA Shark sensor

Resolved issues

  • Corrected a typo in the Ivanti RCE CVE-2024-21887 report template
  • Improved detection of CSP directives

Release v25.8.0

Release date: 13 August 2025

Security checks

Added detection of Pega Infinity as a technology in the Vulnerability Database (VDB)

Improvements

  • Defined the Hawk check delay in the scanning policy
  • Added a Maximum Cookie Count setting to manage cookie numbers when necessary

Resolved issues

  • Implemented fix to ensure that manual scanning continues without interruption when using a proxy
  • Implemented If-Modified-Since header to minimize false positives during vulnerability scans
  • Fixed logging in Post-Request scripts
  • Implemented fix to ensure Post-Request script is triggered for all requests in the browser context ‍

Release v25.7.0

Release date: 8 July 2025

Security checks

Improvements

  • Improved XSS detection to reduce noise
  • Increased the timeout duration for IAST responses to prevent premature failures
  • Implemented an enhancement to capture the token information present in the response during the OAuth2 Implicit Flow
  • Implemented an enhancement to enable more effective cookie management when HTTP/2 is enabled
  • Updated dependencies with known vulnerabilities
  • Improved prototype-pollution detection to reduce noise

Resolved issues

  • Enhanced support for using multiple secrets simultaneously within a single custom header
  • Resolved an issue where duplicate X-Content-Type-Options headers triggered false missing header reports
  • A fix was implemented to prevent the application from crashing due to faulty custom scripts
  • Addressed an issue encountered during report policy migration
  • Corrected the MOVEit SQLi check to avoid reporting an incorrect version

Release v25.6.0

Release date: 18 June 2025

Improvements

  • Improved Stack Trace Disclosure (Java) detection pattern
  • Added support for configuring the temp file via appsettings.json or an environment variable
  • Updated Microsoft.OpenApi to version 2.0 preview to support OpenAPI 3.1.0 for improved API scanning

Resolved issues

  • Fixed a file access conflict issue during VDB update
  • Resolved an issue where multiple versions of Next.js were not properly displayed in the Technologies dashboard and Scan Reports

Release v25.5.1

Release date: 27 May 2025

New features

  • Added Post-request script feature Read more

New security check

  • Added a new XSS Security check

Resolved issues

  • Fixed an issue with verifying the existence of links in the link pool
  • Improved incremental scanning
  • Implemented logic to create the UserDocumentsDirectoryPath when it doesn't already exist
  • Added support for defining headers and HTTP method during CSV importImproved usage and reliability of SmartCard authentication

Release v25.5.0

Release date: 6 May 2025

Improvements

  • Added the ability to add Parent Relations for Azure products, enabling easier hierarchical management
  • Implemented agent for secure storage and retrieval of passwords for Pre-Request scripts

Resolved issues

  • Fixed naming issues of WordPress plugin Contact Form 7
  • Fixed the issue of LoginRequiredUrl and Pre-Request script requests causing bottlenecks in HTTP requests
  • Fixed an issue that unnecessarily included the code parameter in OAuth2 authorization requests
  • The scanning engine now correctly processes merged request headers received from browser
  • Improved usage and reliability of SmartCard authentication

Release v25.4.0

Release date: 8 April 2025

Improvements

  • Updated remediation details for outdated AngularJS versions

Resolved issues

  • Fixed restrictions for JIRA integration
  • Updated Chromium and Node.js versions, resolving Chromium-related issues, including the unexpected increase in Chromium count
  • Exclude URL rules now function correctly even when the excluded URL is the target
  • Fixed an issue with retrieving OAuth2 token data from JSON responses

Release v25.3.0

Release date: 25 February 2025

Improvements

  • Enhanced technology version identification from URI
  • Improved reporting of multiple technology detections on the same file

Resolved issues

  • Implemented a fallback mechanism to mitigate Chrome-related issues
  • Updated OpenSSL from version 3.3.1 to 3.3.2
  • Implemented a fix for an import issue caused by gRPC backward compatibility failure

Release v25.2.1

Release date: 25 February 2025

Improvements

  • Improved importing GraphQL queries
  • Added the option to select US2 in the Enterprise Integration section, enabling IS connectivity for US2 instance customers

Resolved issues

  • Resolved issue preventing the use of the Chromium Extension in Scanner and Verifier Agent
  • Fixed the issue which was causing exports from Invicti Standard to Acunetix 360 to fail

Release v25.2.0

Release date: 13 February 2025

New features

  • Added single-tab crawling for websites that do not allow multiple-tab browsing
  • Upgraded the Shortcut integration API endpoint to v3

Improvements

  • Improved payload for Log4j detection
  • Added a feature to automatically override some headers in MFA cases

Resolved issues

  • Resolved scan authentication issues for multiple pages
  • Resolved issues related to screenshots and login processes
  • Fixed security check for popper.js detection
  • Added control for URLs that should not be included in the scope

Release v25.1.1

Release date: 28 January 2025

New security checks

  • Added detection of cookieconsent2 as a technology in the Vulnerability Database (VDB)

Improvements

  • Added the ability to replace placeholders in the browser for Authorization Headers
  • Improved report template of JWT Signature is not verified vulnerability

Resolved issues

  • Fixed tar file import error caused by invalid HAR file syntax that could disclose the local path of the On-Demand web app machine in the error message
  • Fixed duplicated links issue while importing proto files

Release v25.1.0

Release date: 14 January 2025

Improvements

  • Redirected support email addresses to the support.invicti.com link
  • Updated Chromium from version 121 to version 131 for enhanced performance and compatibility
  • Enhanced detection accuracy for Weak Ciphers Enabled by analyzing false positives

Resolved issues

  • Resolved the "Internal Server Error" encountered on the Invicti scans/report API endpoint after enabling the "Prevent any sensitive information showing within the product" setting
  • Resolved the issue where the Agent Verifier was encountering errors when using certificates in a Linux environment
  • Resolved a coverage issue where the login page reappeared during scans

2024

Release v24.12.1

Release date: 12 December 2024

Improvements

  • Added new paths to forced browsing
  • Updated the vulnerability template for the Internal Server Error vulnerability
  • Improved Insecure HTTP Usage detection

Release v24.12.0

Release date: 3 December 2024

New Security Checks

  • Added detection of Google Tag Manager as a technology in the Vulnerability Database (VDB)

Improvements

  • Invicti Standard Agent upgraded to .NET 8 for improved performance and compatibility
  • Improved analysis and remediation capabilities for (Possible) Server-Side Template Injection vulnerabilities

Resolved issues

  • Fixed a missing proxy implementation for ICBD and Puppeteer
  • Fixed an issue where Retest-type scans did not identify the same vulnerabilities detected during full scans
  • Fixed high CPU usage in some agents caused by Chromium
  • Fixed an issue where the Misconfigured Access-Control-Allow-Origin Header vulnerability was not detected
  • Improved detection of the (Possible) Password Transmitted over Query String vulnerability.

Release v24.11.0

Release date: 12 November 2024

Improvements

  • Multiple .proto files can now be used for scanning gRPC API Web Services

Resolved issues

  • Fixed an issue where uploading a .proto file caused a "No links found in the file" error
  • Fixed missing request/response details for some out-of-band vulnerabilities

Release v24.10.1

Release date: 30 October 2024

New Security Checks

Resolved issues

  • Fixed a bug that was disabling the skip scan phase option

Release v24.10.0

Release date: 8 October 2024

New Security Checks

Improvements

  • Added 'save as new' and 'overwrite' options when importing scans
  • Reporting improvements for the “Unknown Option Used In Referrer-Policy” vulnerability
  • Added the ability to export/import scan profiles and scan policies between different instances of Invicti Standard

Resolved issues

  • Various fixes for the verifiers
  • Out-of-date version for Boolean Based MongoDB Injection is now reported correctly

Release v24.9.1

Release date: 24 September 2024

New Security Checks

  • Added XWiki version disclosure vulnerability and attack patterns.

Resolved issues

  • Fixed the false negative issue related to Polyfill.io.
  • Fixed an issue related to creating a custom script for a web application using the OIDC method with a login pop-up.

Release v24.9.0

Release date: 10 September 2024

New Security Checks

  • Adjusted the severity of SSLv3 and TLS 1.0 vulnerabilities to reflect their security risks
  • Added support for CSP frame-ancestors
  • Added detection for CVE-2024-6297, affecting several WordPress plugins

Improvements

  • Pre-request script now works in DOM as well

Resolved issues

  • Resolved an issue with a pre-request script that was affecting crawling functionality

Release v24.8.1

Release date: 27 August 2024

New Security Checks

  • Added detection for Jenkins Secret as a Sensitive Data Exposure

Improvements

  • Started to utilize the Microsoft Azure Trusted Signing service for code signing of Invicti Standard

Resolved issues

  • Fixed chromium-related issues in the agent
  • Fixed the issue where temp folders could not be deleted and Chromium instances remained open when Puppeteer encountered an error
  • Fixed the false positive on detection of "Stack Trace Disclosure (Java)"
  • Fixed an issue related to the Moment.js regex
  • Fixed the OIDC authentication issue
  • Fixed the issue where the REST API endpoint returned HTTP 400 instead of HTTP 200 when sending custom values
  • Fixed the issue preventing proper login to the target URL

Release v24.8.0

Release date: 13 August 2024

New Security Checks

  • Incorporated the reporting of sensitive information disclosures from Okta
  • Added a check for Authentication bypass in Fortra's GoAnywhere MFT CVE-2024-0204
  • Added a check for Open SSH server RC CVE-2024-6387
  • Added a check for cached pages that contain sensitive data CWE-525

Improvements

  • Resolved an issue where scans were failing due to the TLS connection not being established

Resolved issues

  • Resolved a problem that was causing scans to become stuck

Release v24.7.1

Release date: 25 July 2024

Improvements

  • Disabled the detection of CSRF vulnerabilities from built-in policies
  • Added custom header support for SSRF registration

Resolved issues

  • Fixed an issue related to BLR links

Release v24.7.0

Release date: 9 July 2024

New Security Checks

  • Added a new security check to identify supply chain attacks through Polyfill JS
  • Added a detection for GeoServer SQLi vulnerability CVE-2023-25157
  • Added checks for various WordPress plugins

Improvements

  • Improved Credit Card Disclosure Security Check
  • Added custom headers for communication between Agents and Invicti Hawk
  • Set the severity of 'Possible XSS' vulnerabilities to 'Informational'
  • Improved various Sensitive Data Exposure security checks
  • Improved the detection of the Short SSL Key Length vulnerability
  • Added the capability to check for Sensitive Data in XML responses

Resolved issues

  • Fixed missing Request Body content in vulnerability details
  • Fixed an issue with the 'IgnoreCertificateErrors' Agent setting for SSL Validation
  • Fixed a problem in the JWT Engine to resolve a false positive issue
  • Fixed an issue related to the OTA app scan
  • Fixed HTTP 413 responses resulting from nonce cookies stacking

Release v24.6.0

Release date: 13 June 2024

New Features

  • Added a feature for scanning gRPC API Web Services, Learn more

New Security Checks

  • Added a new attack pattern for missing Open Redirection

Improvements

  • Added an option to trigger only specified lists of events
  • Updated all the IAST Sensors: .NET Framework and .NET Core 6.2.0, Java 16.0.0 , Node.js 2.1.3 , PHP 8.0.1

Resolved issues

  • Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
  • Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
  • Fixed vulnerabilities with the Invicti Scan Agent Docker image
  • Fixed the disk space utilization issue that was causing the InvictiCommon folder size to increase significantly during scans
  • Improved the crawling capability to allow for automatic crawling of XHR requests
  • Fixed an AWS4Signer authentication issue

Release v24.5.1

Release date: 28 May 2024

New Security Checks

Improvements

  • Updated CWE IDs for several vulnerabilities

Resolved issues

  • Fixed an issue in the detection of the 'Improper XML parsing leads to Billion Laughs Attack' vulnerability
  • Resolved an issue with the Business Logic Recorder

Release v24.5.0

Release date: 7 May 2024

New Feature

  • Enabled Korean language support

New Security Checks

  • Added detection method for Angular
  • Added a new security check for Oracle EBS RCE

Resolved issues

  • Fixed a scan authentication issue and a crawling issue with Cloud Agents
  • Fixed the HTTP 401 forbidden response form authentication error
  • Fixed an issue with the detection method for wp-admin vulnerabilities
  • Fixed an error that was occurring when generating knowledge base reports
  • Updated the extraction algorithm for downloaded scan files from Invicti Enterprise
  • Fixed a scan issue that was producing 413 error responses

Release v24.4.0

Release date: 17 April 2024

Improvements

  • Improved AWS Secret Key ID detection security checks
  • Improved Google Cloud API Key detection security checks
  • Updated remediation information for Angular JS related vulnerabilities
  • Improved Boolean-Based MongoDB Injection detection method

Resolved issues

  • Fixed a validation error when validating Shark settings
  • Fixed an issue with duplicate custom user agents that was preventing scanning
  • Fixed an issue where authentication would fail when started with an Authentication profile
  • Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings

Release v24.3.1

Release date: 28 March 2024

New features

  • Provided a new encryption method of API Token for Agent/Verifier Agent
  • Added a pre-request script to generate AWS Signature token

New security checks

  • Added a new security check for TLS/SSL certificate key size too small issue
  • Improved WP Config detection over backup files
  • Added a new security check for CVE-2023-46805 / CVE-2024-21887
  • Added detection for exposed WordPress configuration files
  • Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe - Management API SSRF
  • Command Injection in VMware Aria Operations for Networks can now be detected

Improvements

  • Implemented enhancements: Highlighting and Verification of Response Status Codes
  • Disabled the BREACH Security Engine
  • Report template of Possible XSS is updated to cover mime sniffing
  • Increased the default Severity level of Version Disclosure (Varnish) from 'Information' to 'Low'

Resolved issues

  • Fixed the issue where the customer couldn't scan their target with the additional website properly
  • Fixed an issue that was causing a memory issue in Javascript Parser
  • Fixed the inability of the custom script editor to load the form authentication fields

Release v24.3.0

Release date: 12 March 2024

New features

  • Added the ability to force authentication verifier agents to use incognito mode by default on Chromium browsers

New security checks

  • Added detection for ActiveMQ RCE to the OOB RCE Attack Pattern CVE-2023-46604

Resolved issues

  • Added a Cookie Source field to the Knowledge Base Cookies screen

Release v24.2.0

Release date: 20 February 2024

New features

  • Added a new BLR log providing details on BLR execution

New security checks

  • Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin CVE-2023-6553
  • Added detection for TinyMCE

Improvements

  • Updated the "Insecure Transportation Security Protocol Supported (TLS 1.0)" vulnerability to High Severity
  • Updated the WSDL serialization mechanism
  • Implemented support for scanning sites with location permission pop-ups
  • Added support for FreshService API V2
  • Removed obsolete X-Frame-Options Header security checks

Resolved issues

  • Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
  • Removed the target URL from the scope control list

Release v24.1.1

Release date: 30 January 2024

New security checks

  • Added a check for dotCMS
  • Added a check for the Ultimate Member WordPress plugin
  • Added a new mXSS pattern
  • Added new signatures to detect JWKs

Improvements

  • Improved the recommendations for the Weak Ciphers Enabled vulnerability
  • Improved detection of swagger.json vulnerabilities
  • Added support for AWS WAFv2 rules
  • Improved more of our error and warning messages so they are more user friendly
  • Added Sentry implementation into the Agent repository

Resolved issues

  • Fixed a proxy issue that was impacting the detection of weak ciphers
  • Fixed a problem with importing WDSL files

Release v24.1.0

Release date: 9 January 2024

New features

  • In the scan settings section, we've added a checkbox (under Authentication > Form) to collect all logs about the authentication progress
  • Enhanced reporting of DOM XSS vulnerabilities

Improvements

  • Updated the Shark Dotnet Sensor to .NET Core 6
  • Improved site-logout detection

Resolved issues

  • Resolved a problem with missing information in the report policy database
  • Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
  • Fixed a bug in the importing of links
  • Fixed some vulnerabilities on our Invicti Docker Image by updating the packages
  • Fixed reporting of some false/positive passive out-of-date vulnerabilities