Security release notes

Track new security checks, vulnerability detection capabilities, and Runtime SCA findings introduced in each Invicti Enterprise and Invicti Standard release. Updates include enhanced detection methods, CVE coverage, and improvements to vulnerability identification.

2026​

Security checks, vulnerability database updates, and Runtime SCA enhancements released in 2026.

Release 20260224​

Release date: 24 February 2026

Security checks​

• Updated the vulnerability database (VDB) to version 20260224
• Updated severity ratings for PostgreSQL versions 14.13, 15.8, 16.4, 17.0 from Medium to High
• Added vulnerability detection for Angular:
  • Medium: CVE-2025-66412
• Added vulnerability detection for Craft CMS:
  • High: CVE-2026-25495, CVE-2026-25497, CVE-2026-25498
  • Medium: CVE-2026-25491, CVE-2026-25492, CVE-2026-25493, CVE-2026-25494, CVE-2026-25496
• Added vulnerability detection for Grafana:
  • High: CVE-2026-21720
• Added vulnerability detection for Hiawatha:
  • Medium: CVE-2025-57783
  • Low: CVE-2025-57784
• Added vulnerability detection for Jenkins:
  • High: CVE-2026-27099
  • Medium: CVE-2026-27100
• Added vulnerability detection for Lodash:
  • Medium: CVE-2025-13465
• Added vulnerability detection for NextJsReactFramework:
  • High: CVE-2025-59471
• Added vulnerability detection for PostgreSQL:
  • High: CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, CVE-2026-2007
  • Medium: CVE-2026-2003
• Added vulnerability detection for PrestaShop:
  • Medium: CVE-2026-25597
• Added vulnerability detection for React:
  • High: CVE-2026-23864
• Added vulnerability detection for Skipper:
  • High: CVE-2026-23742, CVE-2026-24470
• Added vulnerability detection for XWikiplatform:
  • Medium: CVE-2025-66472, CVE-2026-26000
• Added vulnerability detection for axios:
  • High: CVE-2026-25639
• Removed vulnerability detection for bootstrap.js:
  • CVE-2024-6531

Release 20260219​

Release date: 19 February 2026

Security checks​

• Updated the vulnerability database (VDB) to version 20260219
• Updated severity ratings for Moodle versions 3.9.24, 3.10.11, 3.11.17, 3.11.18, 4.0.11, 4.0.12, 4.1.16, 4.1.17, 4.1.18, 4.1.19, 4.1.20, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 5.0.0, 5.0.1, 5.0.2 from High to Critical
• Updated severity ratings for OpenSSL versions 1.0.2zh, 1.0.2zi, 1.1.1w from Medium to High
• Updated severity ratings for OpenSSL versions 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.3.0, 3.3.1, 3.5.0 from High to Critical
• Updated severity ratings for Roundcube versions 1.5.6, 1.6.5, 1.6.6 from High to Critical
• Updated severity ratings for moveittransfer versions 2022.0.0, 2022.0.4, 2022.0.5, 2022.0.6, 2022.0.7, 2022.0.8, 2022.0.9, 2022.1.0, 2022.1.5, 2022.1.6, 2022.1.7, 2022.1.8, 2022.1.9, 2022.1.10 from Medium to High
• Added vulnerability detection for Chamilo:
  • Medium: CVE-2025-69581
• Added vulnerability detection for CrushFTP:
  • Medium: CVE-2025-63420
• Added vulnerability detection for Django:
  • High: CVE-2025-14550, CVE-2026-1285
  • Medium: CVE-2025-13473, CVE-2026-1207, CVE-2026-1287, CVE-2026-1312
• Added vulnerability detection for Moodle:
  • Critical: CVE-2025-67856
  • High: CVE-2025-67848, CVE-2025-67851, CVE-2025-67853
  • Medium: CVE-2025-67849, CVE-2025-67850, CVE-2025-67852, CVE-2025-67855, CVE-2025-67857
• Added vulnerability detection for OpenSSL:
  • Critical: CVE-2025-15467
  • High: CVE-2025-69419, CVE-2025-69420, CVE-2025-69421
  • Medium: CVE-2025-11187, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2026-22795, CVE-2026-22796
• Added vulnerability detection for PodcastGenerator:
  • Medium: CVE-2025-70336
• Added vulnerability detection for Python:
  • Medium: CVE-2025-6075, CVE-2025-12781
• Added vulnerability detection for Roundcube:
  • Critical: CVE-2024-37385
• Added vulnerability detection for SharePoint:
  • High: CVE-2026-21260, CVE-2026-21511
• Added vulnerability detection for WebERP:
  • High: CVE-2020-37082
• Added vulnerability detection for Werkzeug:
  • Medium: CVE-2026-21860
• Added vulnerability detection for XWikiplatform:
  • Medium: CVE-2026-24128
• Added vulnerability detection for advanced-custom-fields:
  • Medium: CVE-2018-20986, CVE-2021-24241, CVE-2023-6701, CVE-2023-40068, CVE-2024-4565, CVE-2024-9529
• Added vulnerability detection for moveittransfer:
  • High: CVE-2025-11235
• Added vulnerability detection for wordpresspluginacf-extended:
  • Critical: CVE-2025-14533

Release 20260203​

Release date: 3 February 2026
Version: 25.12.9

Security checks​

• Added comprehensive JWT authentication bypass detection
  • High: JWT Signature Bypass via None Algorithm
  • High: JWT Signature is not Verified
  • High: JWT Signature Bypass via kid SQL injection
  • High: JWT Signature Bypass via kid Path Traversal
  • High: JWT Signature Bypass via unvalidated jwk parameter
  • High: Unvalidated JWT jku parameter
  • High: Unvalidated JWT x5u parameter
  • High: JWT Signature Bypass via unvalidated jku parameter
  • High: JWT Signature Bypass via unvalidated x5u parameter
  • High: JWT Signature Bypass via unvalidated x5c parameter
• Added authorization vulnerability detection
  • High: Horizontal Broken Function Level Authorization (BFLA)
  • High: Unauthenticated Access to Sensitive Functions
  • High: Horizontal IDOR/BOLA (Broken Object Level Authorization)
  • High: Vertical Broken Function Level Authorization (BFLA)
  • High: Vertical IDOR/BOLA (Broken Object Level Authorization)
• Added sensitive information exposure detection
  • High: API Sensitive Info(PII) accessible without authentication
  • Medium: Resource Accessible Without Required Authentication
• Added API inventory management checks
  • Medium: API Authentication Bypass Using a Test/Staging Host Header
• Added microservice security checks
  • High: Microservice Directory Traversal
• Added vulnerability detection for Java:
  • Medium: CVE-2026-21925
  • High: CVE-2026-21932
  • Medium: CVE-2026-21933
  • High: CVE-2026-21945
• Added vulnerability detection for Jetty:
  • High: CVE-2025-5115
• Added vulnerability detection for Joomla:
  • Medium: CVE-2025-63082
  • Medium: CVE-2025-63083
• Removed vulnerability detection for LiferayPortal:
  • CVE-2023-33944
• Added vulnerability detection for LimeSurvey:
  • Medium: CVE-2020-36993
  • High: CVE-2024-39063
  • Critical: CVE-2025-41375
  • Medium: CVE-2025-41376
• Added vulnerability detection for MySQL:
  • Medium: CVE-2026-21964
• Added vulnerability detection for Oracle:
  • High: CVE-2026-21939
• Added vulnerability detection for Oracle HTTP Server:
  • Critical: CVE-2026-21962
• Added vulnerability detection for osTicket:
  • High: CVE-2026-22200
• Added vulnerability detection for phpMyFAQ:
  • Medium: CVE-2026-24420
  • Medium: CVE-2026-24421
  • High: CVE-2026-24422
• Updated severity for Oracle 23.8 from Medium to High
• Updated severity for osTicket 1.17, 1.17.1, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.18 from Medium to High

Release 20260127​

Release date: 27 January 2026
Version: 25.12.8

Security checks​

• Updated the vulnerability database (VDB) to version 20260127
• Added vulnerability detection for e107:
  • High: CVE-2022-50939
  • Medium: CVE-2022-50905

Release 20260120​

Release date: 20 January 2026
Version: 25.12.7

Security checks​

• Updated the vulnerability database (VDB) to version 20260120
• Updated severity rating for Craft CMS version 3.9.15 from Medium to Critical
• Updated severity ratings for Craft CMS versions 4.4.16, 4.4.16.1, 4.4.17, 4.5.0, 4.14.9, 4.14.10, 4.14.11, 4.14.11.1, 4.14.12, 4.14.13, 4.14.14, 4.14.15, 4.15.0, 4.15.0.1, 4.15.0.2, 4.15.1, 4.15.2, 4.15.3, 4.15.4, 4.15.5, 4.15.6, 4.15.6.1, 5.6.10, 5.6.10.1, 5.6.10.2, 5.6.11, 5.6.12, 5.6.13, 5.6.14, 5.6.15, 5.6.17, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.8.1, 5.7.8.2 from High to Critical
• Updated severity rating for Grafana version 12.0.0 from High to Critical
• Updated severity ratings for e107 versions 2.1.4, 2.3.2 from Medium to High
• Added vulnerability detection for Craft CMS:
  • Critical: CVE-2025-68456
  • High: CVE-2025-68454, CVE-2025-68455
  • Medium: CVE-2025-68436, CVE-2025-68437
• Added vulnerability detection for Grafana:
  • Critical: CVE-2025-41115
• Added vulnerability detection for Python:
  • Medium: CVE-2025-13837
• Added vulnerability detection for SharePoint:
  • High: CVE-2026-20943, CVE-2026-20947, CVE-2026-20948, CVE-2026-20951, CVE-2026-20963
  • Medium: CVE-2026-20958, CVE-2026-20959
• Added vulnerability detection for e107:
  • High: CVE-2022-50907, CVE-2022-50916, CVE-2025-11941
  • Medium: CVE-2022-50906, CVE-2025-61505
• Added vulnerability detection for typo3CMS:
  • High: CVE-2025-59022, CVE-2026-0859
  • Medium: CVE-2025-59020, CVE-2025-59021

Release 20260112​

Release date: 12 January 2026
Version: 25.12.6

Security checks​

• Added vulnerability detection for OpenCart:
  • Medium: CVE-2025-15116
• Added vulnerability detection for PHP:
  • High: CVE-2025-14177, CVE-2025-14178, CVE-2025-14180
• Added vulnerability detection for WordPress:
  • High: CVE-2024-31210
• Added vulnerability detection for phpMyFAQ:
  • High: CVE-2025-62519, CVE-2025-69200
  • Medium: CVE-2025-68951