New features

• Added OWASP Top 10 2025 classification and reporting support
• Implemented OWASP Top 10 2025 classification in Report Policies

Improvements

• Implemented VDB update for auth verifier agent
• Improved Web Cache Deception detection accuracy and refined the response validation logic to handle authentication edge cases

Resolved issues

• Improved the generation of preference files for client certificate usage in the browser
• Fixed an issue that occurred when exporting scan data from Invicti Standard to Invicti Enterprise while OAuth was enabled
• Fixed an issue where some nodes were missing in the Knowledge Base under specific scan conditions

Improvements

• "Use HTTP Client" is now a scan policy setting and no longer requires account-level activation
• Updated Requester details in the Form Authentication API documentation

Resolved issues

• Fixed an issue preventing scans with OAuth2 settings from starting
• Fixed malformed masked URL usage in a scan

• Added SEM integration support with Client Certificate authentication
• Added support to use secrets in the OAuth2 tab
• Added .har file download on Authentication Verification

Improvements

• Updated Node to v20.20.0 for Invicti.Common.Browser.Driver
• Upgraded Shark.Java package from version 20 to version 21
• Improved login fail notification
• Incremental Scan now correctly detects new and modified pages and performs no action when there are no changes
• Improved DOM XSS simulation

Resolved issues

• Fixed an issue that impacted “Detailed Scan Report” generation
• Fixed an issue on creating Knowledge Base items.
• Updated information panel of Secrets section

• Added Browser Network and Console logs to the verification log area

Resolved issues

• Fixed TempPath-dependent errors when the path contains whitespace
• Fixed OAuth2 3-legged Authorization code issue
• Fixed sitemap issue causing URLs with /#/ to be missing
• Fixed retest scan launch failure
• An issue after the paused and resumed has been fixed
• Fixed scan data archiving error

2025

This section summarizes all releases, features, improvements, and fixes for 2025 as they're added.

• Relocated the InterceptDocumentOnly setting from Advanced settings to Scan policy for improved accessibility
• Upgraded the underlying engine to Chromium 137.0.7151.68, delivering critical security patches, improved stability, and better performance

Resolved issues

• Fixed an issue where excluded cookies were incorrectly appearing in reports
  ‍

Release v25.11.2-Hot fix

Release date: 5 December 2025

New security checks

• Implemented security checks for Next.js/React Server Components RCE:
  • CVE-2025-55182
  • CVE-2025-66478

• Improved the "SameSite Cookie Not Implemented" security check
• Improved the "JWT Signature isn't Verified" security check

Resolved issues

• Fixed login failures due to issues with loading authentication profiles
• Fixed an issue where Linux/cloud agents couldn't parse secrets pre-request query parameters
• Improved the application's launch time
  ‍

• Added WebLogic support for JAVA Shark sensor

Resolved issues

• Corrected a typo in the Ivanti RCE CVE-2024-21887 report template
• Improved detection of CSP directives

Added detection of Pega Infinity as a technology in the Vulnerability Database (VDB)

Improvements

• Defined the Hawk check delay in the scanning policy
• Added a Maximum Cookie Count setting to manage cookie numbers when necessary

Resolved issues

• Implemented fix to ensure that manual scanning continues without interruption when using a proxy
• Implemented If-Modified-Since header to minimize false positives during vulnerability scans
• Fixed logging in Post-Request scripts
• Implemented fix to ensure Post-Request script is triggered for all requests in the browser context
  ‍

• Added a new CVE check for CVE-2019-19326
• Added a new XSS attack for CVE-2024-11831

Improvements

• Improved XSS detection to reduce noise
• Increased the timeout duration for IAST responses to prevent premature failures
• Implemented an enhancement to capture the token information present in the response during the OAuth2 Implicit Flow
• Implemented an enhancement to enable more effective cookie management when HTTP/2 is enabled
• Updated dependencies with known vulnerabilities
• Improved prototype-pollution detection to reduce noise

Resolved issues

• Enhanced support for using multiple secrets simultaneously within a single custom header
• Resolved an issue where duplicate X-Content-Type-Options headers triggered false missing header reports
• A fix was implemented to prevent the application from crashing due to faulty custom scripts
• Addressed an issue encountered during report policy migration
• Corrected the MOVEit SQLi check to avoid reporting an incorrect version

• Improved Stack Trace Disclosure (Java) detection pattern
• Added support for configuring the temp file via appsettings.json or an environment variable
• Updated Microsoft.OpenApi to version 2.0 preview to support OpenAPI 3.1.0 for improved API scanning

Resolved issues

• Fixed a file access conflict issue during VDB update
• Resolved an issue where multiple versions of Next.js were not properly displayed in the Technologies dashboard and Scan Reports

• Added Post-request script feature Read more

New security check

• Added a new XSS Security check

Resolved issues

• Fixed an issue with verifying the existence of links in the link pool
• Improved incremental scanning
• Implemented logic to create the UserDocumentsDirectoryPath when it doesn't already exist
• Added support for defining headers and HTTP method during CSV importImproved usage and reliability of SmartCard authentication

• Added the ability to add Parent Relations for Azure products, enabling easier hierarchical management
• Implemented agent for secure storage and retrieval of passwords for Pre-Request scripts

Resolved issues

• Fixed naming issues of WordPress plugin Contact Form 7
• Fixed the issue of LoginRequiredUrl and Pre-Request script requests causing bottlenecks in HTTP requests
• Fixed an issue that unnecessarily included the code parameter in OAuth2 authorization requests
• The scanning engine now correctly processes merged request headers received from browser
• Improved usage and reliability of SmartCard authentication

• Updated remediation details for outdated AngularJS versions

Resolved issues

• Fixed restrictions for JIRA integration
• Updated Chromium and Node.js versions, resolving Chromium-related issues, including the unexpected increase in Chromium count
• Exclude URL rules now function correctly even when the excluded URL is the target
• Fixed an issue with retrieving OAuth2 token data from JSON responses

• Improved importing GraphQL queries
• Added the option to select US2 in the Enterprise Integration section, enabling IS connectivity for US2 instance customers

Resolved issues

• Resolved issue preventing the use of the Chromium Extension in Scanner and Verifier Agent
• Fixed the issue which was causing exports from Invicti Standard to Acunetix 360 to fail

• Enhanced technology version identification from URI
• Improved reporting of multiple technology detections on the same file

Resolved issues

• Implemented a fallback mechanism to mitigate Chrome-related issues
• Updated OpenSSL from version 3.3.1 to 3.3.2
• Implemented a fix for an import issue caused by gRPC backward compatibility failure

• Added single-tab crawling for websites that do not allow multiple-tab browsing
• Upgraded the Shortcut integration API endpoint to v3

Improvements

• Improved payload for Log4j detection
• Added a feature to automatically override some headers in MFA cases

Resolved issues

• Resolved scan authentication issues for multiple pages
• Resolved issues related to screenshots and login processes
• Fixed security check for popper.js detection
• Added control for URLs that should not be included in the scope

• Added detection of cookieconsent2 as a technology in the Vulnerability Database (VDB)

Improvements

• Added the ability to replace placeholders in the browser for Authorization Headers
• Improved report template of JWT Signature is not verified vulnerability

Resolved issues

• Fixed tar file import error caused by invalid HAR file syntax that could disclose the local path of the On-Demand web app machine in the error message
• Fixed duplicated links issue while importing proto files

• Redirected support email addresses to the support.invicti.com link
• Updated Chromium from version 121 to version 131 for enhanced performance and compatibility
• Enhanced detection accuracy for Weak Ciphers Enabled by analyzing false positives

Resolved issues

• Resolved the "Internal Server Error" encountered on the Invicti scans/report API endpoint after enabling the "Prevent any sensitive information showing within the product" setting
• Resolved the issue where the Agent Verifier was encountering errors when using certificates in a Linux environment
• Resolved a coverage issue where the login page reappeared during scans

2024

• Added new paths to forced browsing
• Updated the vulnerability template for the Internal Server Error vulnerability
• Improved Insecure HTTP Usage detection

• Added detection of Google Tag Manager as a technology in the Vulnerability Database (VDB)

Improvements

• Invicti Standard Agent upgraded to .NET 8 for improved performance and compatibility
• Improved analysis and remediation capabilities for (Possible) Server-Side Template Injection vulnerabilities

Resolved issues

• Fixed a missing proxy implementation for ICBD and Puppeteer
• Fixed an issue where Retest-type scans did not identify the same vulnerabilities detected during full scans
• Fixed high CPU usage in some agents caused by Chromium
• Fixed an issue where the Misconfigured Access-Control-Allow-Origin Header vulnerability was not detected
• Improved detection of the (Possible) Password Transmitted over Query String vulnerability.

• Multiple .proto files can now be used for scanning gRPC API Web Services

Resolved issues

• Fixed an issue where uploading a .proto file caused a "No links found in the file" error
• Fixed missing request/response details for some out-of-band vulnerabilities

• Added detection for multiple JavaScript libraries
• Added detection for Masa CMS CVE-2022-47002 and CVE-2021-42183

Resolved issues

• Fixed a bug that was disabling the skip scan phase option

• Updated detection for ActiveMQ - Remote Code Execution CVE-2023-46604 and TorchServe Management API SSRF CVE-2023-43654

Improvements

• Added 'save as new' and 'overwrite' options when importing scans
• Reporting improvements for the “Unknown Option Used In Referrer-Policy” vulnerability
• Added the ability to export/import scan profiles and scan policies between different instances of Invicti Standard

Resolved issues

• Various fixes for the verifiers
• Out-of-date version for Boolean Based MongoDB Injection is now reported correctly

• Added XWiki version disclosure vulnerability and attack patterns.

Resolved issues

• Fixed the false negative issue related to Polyfill.io.
• Fixed an issue related to creating a custom script for a web application using the OIDC method with a login pop-up.

• Adjusted the severity of SSLv3 and TLS 1.0 vulnerabilities to reflect their security risks
• Added support for CSP frame-ancestors
• Added detection for CVE-2024-6297, affecting several WordPress plugins

Improvements

• Pre-request script now works in DOM as well

Resolved issues

• Resolved an issue with a pre-request script that was affecting crawling functionality

• Added detection for Jenkins Secret as a Sensitive Data Exposure

Improvements

• Started to utilize the Microsoft Azure Trusted Signing service for code signing of Invicti Standard

Resolved issues

• Fixed chromium-related issues in the agent
• Fixed the issue where temp folders could not be deleted and Chromium instances remained open when Puppeteer encountered an error
• Fixed the false positive on detection of "Stack Trace Disclosure (Java)"
• Fixed an issue related to the Moment.js regex
• Fixed the OIDC authentication issue
• Fixed the issue where the REST API endpoint returned HTTP 400 instead of HTTP 200 when sending custom values
• Fixed the issue preventing proper login to the target URL

• Incorporated the reporting of sensitive information disclosures from Okta
• Added a check for Authentication bypass in Fortra's GoAnywhere MFT CVE-2024-0204
• Added a check for Open SSH server RC CVE-2024-6387
• Added a check for cached pages that contain sensitive data CWE-525

Improvements

• Resolved an issue where scans were failing due to the TLS connection not being established

Resolved issues

• Resolved a problem that was causing scans to become stuck

• Disabled the detection of CSRF vulnerabilities from built-in policies
• Added custom header support for SSRF registration

Resolved issues

• Fixed an issue related to BLR links

• Added a new security check to identify supply chain attacks through Polyfill JS
• Added a detection for GeoServer SQLi vulnerability CVE-2023-25157
• Added checks for various WordPress plugins

Improvements

• Improved Credit Card Disclosure Security Check
• Added custom headers for communication between Agents and Invicti Hawk
• Set the severity of 'Possible XSS' vulnerabilities to 'Informational'
• Improved various Sensitive Data Exposure security checks
• Improved the detection of the Short SSL Key Length vulnerability
• Added the capability to check for Sensitive Data in XML responses

Resolved issues

• Fixed missing Request Body content in vulnerability details
• Fixed an issue with the 'IgnoreCertificateErrors' Agent setting for SSL Validation
• Fixed a problem in the JWT Engine to resolve a false positive issue
• Fixed an issue related to the OTA app scan
• Fixed HTTP 413 responses resulting from nonce cookies stacking

• Added functionality for scanning gRPC API Web Services, Learn more

New Security Checks

• Added a new attack pattern for missing Open Redirection

Improvements

• Added an option to trigger only specified lists of events
• Updated all the IAST Sensors: .NET Framework and .NET Core 6.2.0, Java 16.0.0 , Node.js 2.1.3 , PHP 8.0.1

Resolved issues

• Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
• Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
• Fixed vulnerabilities with the Invicti Scan Agent Docker image
• Fixed the disk space utilization issue that was causing the InvictiCommon folder size to increase significantly during scans
• Improved the crawling capability to allow for automatic crawling of XHR requests
• Fixed an AWS4Signer authentication issue

• Added detection methods for five more WordPress Templates
• Added detection of Fortinet vulnerabilities CVE-2020-12812 , CVE-2019-5591 , CVE-2018-13379

Improvements

• Updated CWE IDs for several vulnerabilities

Resolved issues

• Fixed an issue in the detection of the 'Improper XML parsing leads to Billion Laughs Attack' vulnerability
• Resolved an issue with the Business Logic Recorder

• Enabled Korean language support

New Security Checks

• Added detection method for Angular
• Added a new security check for Oracle EBS RCE

Resolved issues

• Fixed a scan authentication issue and a crawling issue with Cloud Agents
• Fixed the HTTP 401 forbidden response form authentication error
• Fixed an issue with the detection method for wp-admin vulnerabilities
• Fixed an error that was occurring when generating knowledge base reports
• Updated the extraction algorithm for downloaded scan files from Invicti Enterprise
• Fixed a scan issue that was producing 413 error responses

• Improved AWS Secret Key ID detection security checks
• Improved Google Cloud API Key detection security checks
• Updated remediation information for Angular JS related vulnerabilities
• Improved Boolean-Based MongoDB Injection detection method

Resolved issues

• Fixed a validation error when validating Shark settings
• Fixed an issue with duplicate custom user agents that was preventing scanning
• Fixed an issue where authentication would fail when started with an Authentication profile
• Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings

• Provided a new encryption method of API Token for Agent/Verifier Agent
• Added a pre-request script to generate AWS Signature token

New security checks

• Added a new security check for TLS/SSL certificate key size too small issue
• Improved WP Config detection over backup files
• Added a new security check for CVE-2023-46805 / CVE-2024-21887
• Added detection for exposed WordPress configuration files
• Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe - Management API SSRF
• Command Injection in VMware Aria Operations for Networks can now be detected

Improvements

• Implemented enhancements: Highlighting and Verification of Response Status Codes
• Disabled the BREACH Security Engine
• Report template of Possible XSS is updated to cover mime sniffing
• Increased the default Severity level of Version Disclosure (Varnish) from 'Information' to 'Low'

Resolved issues

• Fixed the issue where the customer couldn't scan their target with the additional website properly
• Fixed an issue that was causing a memory issue in Javascript Parser
• Fixed the inability of the custom script editor to load the form authentication fields

• Added the ability to force authentication verifier agents to use incognito mode by default on Chromium browsers

New security checks

• Added detection for ActiveMQ RCE to the OOB RCE Attack Pattern CVE-2023-46604

Resolved issues

• Added a Cookie Source field to the Knowledge Base Cookies screen

• Added a new BLR log providing details on BLR execution

New security checks

• Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin CVE-2023-6553
• Added detection for TinyMCE

Improvements

• Updated the "Insecure Transportation Security Protocol Supported (TLS 1.0)" vulnerability to High Severity
• Updated the WSDL serialization mechanism
• Implemented support for scanning sites with location permission pop-ups
• Added support for FreshService API V2
• Removed obsolete X-Frame-Options Header security checks

Resolved issues

• Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
• Removed the target URL from the scope control list

• Added a check for dotCMS
• Added a check for the Ultimate Member WordPress plugin
• Added a new mXSS pattern
• Added new signatures to detect JWKs

Improvements

• Improved the recommendations for the Weak Ciphers Enabled vulnerability
• Improved detection of swagger.json vulnerabilities
• Added support for AWS WAFv2 rules
• Improved more of our error and warning messages so they are more user friendly
• Added Sentry implementation into the Agent repository

Resolved issues

• Fixed a proxy issue that was impacting the detection of weak ciphers
• Fixed a problem with importing WDSL files

• In the scan settings section, we've added a checkbox (under Authentication > Form) to collect all logs about the authentication progress
• Enhanced reporting of DOM XSS vulnerabilities

Improvements

• Updated the Shark Dotnet Sensor to .NET Core 6
• Improved site-logout detection

Resolved issues

• Resolved a problem with missing information in the report policy database
• Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
• Fixed a bug in the importing of links
• Fixed some vulnerabilities on our Invicti Docker Image by updating the packages
• Fixed reporting of some false/positive passive out-of-date vulnerabilities