Security release notes
Track new security checks, vulnerability detection capabilities, and Runtime SCA findings introduced in each Invicti Enterprise and Invicti Standard release. Updates include enhanced detection methods, CVE coverage, and improvements to vulnerability identification.
2026
Security checks, vulnerability database updates, and Runtime SCA enhancements released in 2026.
Release 20260331
Release date: 7 April 2026
Security checks
- Updated the vulnerability database (VDB) to version 20260407
- Updated severity ratings for Grafana versions 9.0.0–9.0.9, 9.1.0–9.1.8, 9.2.1–9.2.7, 9.2.10, 9.2.13, 9.2.15, 9.2.17, 9.3.0–9.3.1, 9.3.4, 9.3.6, 9.3.8, 9.3.11, 9.3.13, 9.4.0–9.4.3, 9.4.7, 9.4.9, 9.4.16, 9.4.17, 9.5.0, 9.5.11, 9.5.13, 10.0.0, 10.0.7, 10.0.9, 10.1.0, 10.1.3, 10.1.5, 10.2.0, 10.3.0, 11.0.0, 11.2.0–11.2.10, 11.3.0–11.3.9, 11.4.0–11.4.8, 11.5.0–11.5.10 from High to Critical
- Updated severity ratings for Grafana versions 9.3.2, 9.3.14–9.3.16, 9.4.10, 9.4.12–9.4.15, 9.5.1–9.5.3, 9.5.5–9.5.10, 9.5.12, 9.5.14–9.5.21, 10.0.1–10.0.6, 10.0.8, 10.0.10–10.0.13, 10.1.1–10.1.2, 10.1.4, 10.1.6–10.1.10, 10.2.1–10.2.9, 10.3.1–10.3.12, 10.4.0–10.4.17, 10.4.19, 11.0.1–11.0.11, 11.1.0–11.1.13 from Medium to Critical
- Updated severity ratings for Grafana versions 12.0.4, 7.5.16, 7.5.17 from Medium to High
- Added vulnerability detection for Apache Traffic Server:
  - High: CVE-2025-58136, CVE-2025-65114
- Added vulnerability detection for Dolibarr:
  - Medium: CVE-2026-34036
- Added vulnerability detection for Grafana:
  - Critical: CVE-2026-27876
  - High: CVE-2026-27877, CVE-2026-27880
  - Medium: CVE-2026-27879, CVE-2026-28375, CVE-2026-33375
- Added vulnerability detection for JBoss EAP:
  - Critical: CVE-2026-28368, CVE-2026-28369
  - High: CVE-2026-3121
  - Medium: CVE-2026-4366
  - Low: CVE-2026-4874
- Added vulnerability detection for MongoDB:
  - High: CVE-2026-4358
  - Medium: CVE-2026-5170
- Added vulnerability detection for Pega:
  - Low: CVE-2025-62184
- Added vulnerability detection for PrestaShop:
  - Medium: CVE-2026-33673, CVE-2026-33674
- Added vulnerability detection for Squid:
  - High: CVE-2026-33526
  - Medium: CVE-2026-33515
- Added vulnerability detection for handlebars.js:
  - Critical: CVE-2026-33937
  - High: CVE-2026-33938, CVE-2026-33939, CVE-2026-33940, CVE-2026-33941
  - Medium: CVE-2026-33916
- Added vulnerability detection for phpMyFAQ:
  - Medium: CVE-2026-34974
Release date: 31 March 2026
Security checks
- Updated the vulnerability database (VDB) to version 20260331
- Updated severity ratings for Ruby on Rails versions 5.2.4.3, 5.2.4.4, 5.2.4.5, 5.2.4.6, 5.2.5, 5.2.6, 5.2.6.2, 6.0.3.1, 6.0.3.2, 6.0.3.3, 6.0.3.4, 6.0.3.5, 6.0.3.6, 6.0.3.7, 6.0.4, 6.0.4.1, 6.0.4.2, 6.0.4.3, 6.0.4.4, 6.0.4.6, 6.0.6.1 from High to Critical
- Updated severity rating for Ruby on Rails version 7.0.8.4 from Medium to Critical
- Added vulnerability detection for Craft CMS:
  - High: CVE-2026-33157
  - Medium: CVE-2026-33158, CVE-2026-33159, CVE-2026-33160, CVE-2026-33161, CVE-2026-33162
- Added vulnerability detection for MediaWiki:
- Added vulnerability detection for OpenCart:
  - High: CVE-2024-58341
- Added vulnerability detection for Ruby on Rails:
  - Critical: CVE-2026-33195, CVE-2026-33202
  - High: CVE-2026-33174, CVE-2026-33176
  - Medium: CVE-2026-33169, CVE-2026-33170, CVE-2026-33173
Release 20260324
Release date: 24 March 2026
Security checks
- Updated the vulnerability database (VDB) to version 20260324
- Updated severity ratings for Craft CMS versions 4.17.0, 4.17.1, 4.17.2, 4.17.3, 5.9.0, 5.9.1, 5.9.2, 5.9.3, 5.9.4, 5.9.5, 5.9.6 from Medium to Critical
- Updated severity ratings for LimeSurvey versions 1.72, 1.85, 1.86, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.20.0, 3.20.2, 3.21.0, 3.21.1, 3.21.2, 3.21.3, 3.21.4, 3.21.5, 3.21.6, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.22.6, 3.22.7, 3.22.8, 3.22.9, 3.22.10, 3.22.11, 3.22.12, 3.22.13, 3.22.14, 3.22.15, 3.22.16, 3.22.17, 3.22.18, 3.22.19, 3.22.20, 3.22.21, 3.22.210, 3.22.24, 3.22.25, 3.22.26, 3.22.27, 3.22.28, 3.22.29, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.23.4, 3.23.5, 3.23.6, 3.23.7, 3.23.22, 3.23.32, 3.24.0, 3.24.1, 3.24.2, 3.24.3, 3.24.4, 3.24.5, 3.24.6, 3.25.0, 3.25.1, 3.25.2, 3.25.3, 3.25.4, 3.25.5, 3.25.6, 3.25.7, 3.25.8, 3.25.9, 3.25.10, 3.25.11, 3.25.12, 3.25.13, 3.25.14, 3.25.15, 3.25.16, 3.25.17, 3.25.18, 3.25.19, 3.25.20, 3.25.21, 3.25.22, 3.26.0, 3.26.1, 3.26.2, 3.26.3, 3.26.4, 3.26.5, 3.27.0, 3.27.1, 3.27.2, 3.27.3, 3.27.4, 3.27.5, 3.27.6, 3.27.7, 3.27.8, 3.27.9, 3.27.10, 3.27.11, 3.27.12, 3.27.13, 3.27.14, 3.27.16, 3.27.17, 3.27.18, 3.27.19, 3.27.20, 3.27.21, 3.27.22, 3.27.23, 3.27.24, 3.27.25, 3.27.26, 3.27.27, 3.27.28, 3.27.29, 3.27.30, 3.27.31, 3.27.32, 3.27.33, 3.27.34, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.3.12, 4.3.13, 4.3.14, 4.3.15, 4.3.16, 4.3.17, 4.3.18, 4.3.19, 4.3.20, 4.3.21, 4.3.22, 4.3.23, 4.3.24, 4.3.25, 4.3.26, 4.3.27, 4.3.28, 4.3.29, 4.3.30, 4.3.31, 4.3.32, 4.3.33, 4.3.34, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 4.4.12, 4.4.13, 4.4.14, 4.4.15, 4.4.16, 4.5.0, 4.5.1, 4.5.2, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.14, 5.1.15, 5.1.16, 5.1.17, 5.1.18, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.4.4, 6.2.9 from High to Critical
- Updated severity ratings for OpenSSL versions 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0 from Critical to High
- Added vulnerability detection for CKEditor:
  - Medium: CVE-2026-28343
- Added vulnerability detection for Chamilo:
  - Critical: CVE-2026-28430
  - High: CVE-2026-30875, CVE-2026-30881
  - Medium: CVE-2026-30876, CVE-2026-30882
- Added vulnerability detection for Craft CMS:
  - Critical: CVE-2026-32267
  - High: CVE-2026-31857, CVE-2026-31858, CVE-2026-32263, CVE-2026-32264
  - Medium: CVE-2026-31859, CVE-2026-32262, CVE-2026-33051
- Added vulnerability detection for Jenkins:
  - High: CVE-2026-33001, CVE-2026-33002
- Added vulnerability detection for LimeSurvey:
  - Critical: CVE-2025-56422
  - High: CVE-2025-56421
- Added vulnerability detection for MediaWiki:
  - Medium: CVE-2025-61636, CVE-2025-61637, CVE-2025-61638, CVE-2025-61639, CVE-2025-61640
  - Low: CVE-2025-61634
- Added vulnerability detection for NextJsReactFramework:
  - High: CVE-2026-27979, CVE-2026-27980
  - Medium: CVE-2026-27977, CVE-2026-27978, CVE-2026-29057
- Added vulnerability detection for TornadoWebServer:
  - High: CVE-2026-31958
Release 20260317
Release date: 17 March 2026
Security checks
- Updated the vulnerability database (VDB) to version 20260317
- Updated severity ratings for SharePoint versions 16.0.10417.20003, 16.0.18526.20172, 16.0.18526.20286, 16.0.18526.20396, 16.0.18526.20424, 16.0.18526.20508, 16.0.18526.20518, 16.0.19127.20100, 16.0.19127.20262, 16.0.19127.20338, 16.0.19127.20378, 16.0.19127.20442 from High to Critical
- Updated severity ratings for Tomcat versions 9.0.109, 10.1.45, 10.1.46, 11.0.11 from Medium to Critical
- Updated severity ratings for UndertowWebServer versions 2.0.30, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.39, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19 from High to Critical
- Added vulnerability detection for CaddyWebServer:
  - High: CVE-2026-30851, CVE-2026-30852
- Added vulnerability detection for Chamilo:
  - Critical: CVE-2025-55208, CVE-2025-55289, CVE-2025-59542, CVE-2025-59543
  - High: CVE-2025-59541, CVE-2026-29041
  - Medium: CVE-2025-59540, CVE-2025-59544
- Added vulnerability detection for Craft CMS:
  - Medium: CVE-2026-29113
- Added vulnerability detection for Envoy:
  - High: CVE-2026-26308, CVE-2026-26310, CVE-2026-26330
  - Medium: CVE-2026-26309, CVE-2026-26311
- Added vulnerability detection for JBoss EAP:
  - Critical: CVE-2025-12543
  - High: CVE-2026-3009
- Added vulnerability detection for OpenCart:
  - Medium: CVE-2026-3714
- Added vulnerability detection for SharePoint:
  - Critical: CVE-2026-26105
  - High: CVE-2026-26106, CVE-2026-26113, CVE-2026-26114
- Added vulnerability detection for Tomcat:
  - Critical: CVE-2025-66614
  - High: CVE-2026-24734
  - Low: CVE-2026-24733
- Added vulnerability detection for UndertowWebServer:
  - Critical: CVE-2025-12543
Release 20260310
Release date: 10 March 2026
Security checks
- Updated the vulnerability database (VDB) to version 20260310
- Updated severity ratings for Chamilo versions 1.10.0, 1.10.2, 1.10.4, 1.10.6, 1.10.8, 1.11.26, 1.8.6.1, 1.8.8.3, 1.9.0, 1.9.10, 1.9.10.2, 1.9.10.4, 1.9.6, 1.9.6.1, 1.9.8, 1.9.8.1, 1.9.8.2 from High to Critical
- Updated severity rating for Chamilo version 1.11.24 from Medium to Critical
- Updated severity ratings for Craft CMS versions 4.15.6.2, 4.16.17, 4.16.18, 4.16.19, 4.4.14, 4.5.6.1, 5.6.16, 5.7.1.1, 5.8.21, 5.8.22, 5.8.23 from High to Critical
- Updated severity ratings for DotCMS versions 22.03, 22.03.2, 22.03.4, 22.03.5, 22.03.6, 22.03.7, 22.03.8, 22.03.9, 22.03.10, 22.03.11, 22.03.12, 22.03.13, 22.03.14, 22.03.15, 23.01.1, 23.01.2, 23.01.3, 23.01.4, 23.01.5, 23.01.6, 23.01.7, 23.01.8, 23.01.9, 23.01.10, 23.01.11, 23.01.12, 23.01.13, 23.01.14, 23.01.15, 23.01.16, 23.01.17, 23.10.24.0 from Medium to Critical
- Updated severity ratings for EspoCRM versions 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.6.10, 5.6.11, 5.6.12, 5.6.13, 5.6.14, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.9, 5.7.10, 5.7.11, 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.5 from High to Critical
- Updated severity ratings for osCommerce versions 1.0.6.0, 1.0.7.0, 1.0.7.1, 1.0.7.2, 1.0.7.3, 1.0.7.4, 1.0.7.5, 1.0.7.6, 1.0.7.7, 1.0.7.8, 1.0.7.9, 1.1, 1.11, 1.12, 1.13, 2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.3.1, 2.3.3.2, 2.3.3.3, 2.3.3.4, 2.3.4 from Medium to High
- Added vulnerability detection for Chamilo:
  - Critical: CVE-2025-50187, CVE-2025-50190, CVE-2025-50192, CVE-2025-50199, CVE-2025-52998
  - High: CVE-2024-47886, CVE-2025-50188, CVE-2025-50189, CVE-2025-50191, CVE-2025-50193, CVE-2025-50194, CVE-2025-50195, CVE-2025-50196, CVE-2025-50197, CVE-2025-52469, CVE-2025-52482
  - Medium: CVE-2024-50337, CVE-2025-50186, CVE-2025-50198, CVE-2025-52468, CVE-2025-52470, CVE-2025-52475, CVE-2025-52476, CVE-2025-52563, CVE-2025-52564
- Added vulnerability detection for Craft CMS:
  - Critical: CVE-2026-28697, CVE-2026-28783
  - High: CVE-2026-28695, CVE-2026-28696, CVE-2026-28784
  - Medium: CVE-2026-27129, CVE-2026-28781, CVE-2026-28782, CVE-2026-29069
- Added vulnerability detection for DOMPurify:
  - Medium: CVE-2025-15599, CVE-2026-0540
- Added vulnerability detection for Django:
  - High: CVE-2026-25673
  - Low: CVE-2026-25674
- Added vulnerability detection for DotCMS:
  - Critical: CVE-2025-11165
- Added vulnerability detection for EspoCRM:
  - Critical: CVE-2020-37094
- Added vulnerability detection for Jetty:
  - High: CVE-2026-1605
  - Medium: CVE-2025-11143
- Added vulnerability detection for MediaWiki:
  - Medium: CVE-2025-61645
- Added vulnerability detection for Moodle:
  - High: CVE-2025-67847
- Added vulnerability detection for Underscore.js:
  - High: CVE-2026-27601
- Added vulnerability detection for Werkzeug:
  - Medium: CVE-2026-27199
- Added vulnerability detection for XWikiplatform:
  - High: CVE-2025-55749
- Added vulnerability detection for osCommerce:
- Added vulnerability detection for phpMyFAQ:
  - High: CVE-2026-27836
Release 20260303
Release date: 3 March 2026
Security checks
- Updated the vulnerability database (VDB) to version 20260303
- Updated severity ratings for CaddyWebServer versions 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.10.9, 0.10.10, 0.10.11, 0.10.12, 0.10.13, 0.10.14, 0.11.0, 0.11.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.3, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4 from High to Critical
- Updated severity rating for Grafana version 10.4.0 from Low to Medium
- Updated severity rating for Markdownit version 14.1.0 from Medium to High
- Updated severity ratings for Moodle versions 4.2.10, 4.2.11 from Medium to High
- Updated severity ratings for Piwigo versions 14.0.0, 14.1.0, 14.2.0, 14.3.0, 14.4.0 from Medium to High
- Added vulnerability detection for Angular:
  - Medium: CVE-2026-22610, CVE-2026-27970
- Added vulnerability detection for CKEditor:
  - Medium: CVE-2021-21254, CVE-2024-45613, CVE-2025-61261
- Added vulnerability detection for CaddyWebServer:
  - Critical: CVE-2026-27586, CVE-2026-27587, CVE-2026-27588, CVE-2026-27590
  - Medium: CVE-2026-27585, CVE-2026-27589
- Added vulnerability detection for CakePHP:
  - Medium: CVE-2026-23643
- Added vulnerability detection for Chamilo:
  - Medium: CVE-2026-1106
- Added vulnerability detection for Craft CMS:
  - Medium: CVE-2026-27126, CVE-2026-27127, CVE-2026-27128
- Added vulnerability detection for Dolibarr:
  - High: CVE-2019-25450, CVE-2019-25452
  - Medium: CVE-2021-47779
- Added vulnerability detection for Grafana:
  - Medium: CVE-2025-41117, CVE-2026-21722
  - Low: CVE-2026-21725
- Added vulnerability detection for Markdownit:
  - High: CVE-2026-2327
- Added vulnerability detection for MongoDB:
  - High: CVE-2026-1847, CVE-2026-1848, CVE-2026-1849, CVE-2026-1850
  - Medium: CVE-2026-25609, CVE-2026-25610, CVE-2026-25613
- Added vulnerability detection for Moodle:
  - High: CVE-2026-26045, CVE-2026-26046
  - Medium: CVE-2026-26047
- Added vulnerability detection for NextJsReactFramework:
  - High: CVE-2025-59472
- Added vulnerability detection for Piwigo:
  - High: CVE-2024-48928
  - Medium: CVE-2025-62512
Release 20260224
Release date: 24 February 2026
Security checks
- Updated the vulnerability database (VDB) to version 20260224
- Updated severity ratings for PostgreSQL versions 14.13, 15.8, 16.4, 17.0 from Medium to High
- Added vulnerability detection for Angular:
  - Medium: CVE-2025-66412
- Added vulnerability detection for Craft CMS:
- Added vulnerability detection for Grafana:
  - High: CVE-2026-21720
- Added vulnerability detection for Hiawatha:
  - Medium: CVE-2025-57783
  - Low: CVE-2025-57784
- Added vulnerability detection for Jenkins:
  - High: CVE-2026-27099
  - Medium: CVE-2026-27100
- Added vulnerability detection for Lodash:
  - Medium: CVE-2025-13465
- Added vulnerability detection for NextJsReactFramework:
  - High: CVE-2025-59471
- Added vulnerability detection for PostgreSQL:
  - High: CVE-2026-2004, CVE-2026-2005, CVE-2026-2006, CVE-2026-2007
  - Medium: CVE-2026-2003
- Added vulnerability detection for PrestaShop:
  - Medium: CVE-2026-25597
- Added vulnerability detection for React:
  - High: CVE-2026-23864
- Added vulnerability detection for Skipper:
  - High: CVE-2026-23742, CVE-2026-24470
- Added vulnerability detection for XWikiplatform:
  - Medium: CVE-2025-66472, CVE-2026-26000
- Added vulnerability detection for axios:
  - High: CVE-2026-25639
- Removed vulnerability detection for bootstrap.js:
Release 20260219
Release date: 19 February 2026
Security checks
- Updated the vulnerability database (VDB) to version 20260219
- Updated severity ratings for Moodle versions 3.9.24, 3.10.11, 3.11.17, 3.11.18, 4.0.11, 4.0.12, 4.1.16, 4.1.17, 4.1.18, 4.1.19, 4.1.20, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 5.0.0, 5.0.1, 5.0.2 from High to Critical
- Updated severity ratings for OpenSSL versions 1.0.2zh, 1.0.2zi, 1.1.1w from Medium to High
- Updated severity ratings for OpenSSL versions 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.3.0, 3.3.1, 3.5.0 from High to Critical
- Updated severity ratings for Roundcube versions 1.5.6, 1.6.5, 1.6.6 from High to Critical
- Updated severity ratings for moveittransfer versions 2022.0.0, 2022.0.4, 2022.0.5, 2022.0.6, 2022.0.7, 2022.0.8, 2022.0.9, 2022.1.0, 2022.1.5, 2022.1.6, 2022.1.7, 2022.1.8, 2022.1.9, 2022.1.10 from Medium to High
- Added vulnerability detection for Chamilo:
  - Medium: CVE-2025-69581
- Added vulnerability detection for CrushFTP:
  - Medium: CVE-2025-63420
- Added vulnerability detection for Django:
  - High: CVE-2025-14550, CVE-2026-1285
  - Medium: CVE-2025-13473, CVE-2026-1207, CVE-2026-1287, CVE-2026-1312
- Added vulnerability detection for Moodle:
  - Critical: CVE-2025-67856
  - High: CVE-2025-67848, CVE-2025-67851, CVE-2025-67853
  - Medium: CVE-2025-67849, CVE-2025-67850, CVE-2025-67852, CVE-2025-67855, CVE-2025-67857
- Added vulnerability detection for OpenSSL:
  - Critical: CVE-2025-15467
  - High: CVE-2025-69419, CVE-2025-69420, CVE-2025-69421
  - Medium: CVE-2025-11187, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2026-22795, CVE-2026-22796
- Added vulnerability detection for PodcastGenerator:
  - Medium: CVE-2025-70336
- Added vulnerability detection for Python:
  - Medium: CVE-2025-6075, CVE-2025-12781
- Added vulnerability detection for Roundcube:
  - Critical: CVE-2024-37385
- Added vulnerability detection for SharePoint:
  - High: CVE-2026-21260, CVE-2026-21511
- Added vulnerability detection for WebERP:
  - High: CVE-2020-37082
- Added vulnerability detection for Werkzeug:
  - Medium: CVE-2026-21860
- Added vulnerability detection for XWikiplatform:
  - Medium: CVE-2026-24128
- Added vulnerability detection for advanced-custom-fields:
- Added vulnerability detection for moveittransfer:
  - High: CVE-2025-11235
- Added vulnerability detection for wordpresspluginacf-extended:
  - Critical: CVE-2025-14533
Release 20260203
Release date: 3 February 2026
Version: 25.12.9
Security checks
- Added comprehensive JWT authentication bypass detection
  - High: JWT Signature Bypass via None Algorithm
  - High: JWT Signature is not Verified
  - High: JWT Signature Bypass via kid SQL injection
  - High: JWT Signature Bypass via kid Path Traversal
  - High: JWT Signature Bypass via unvalidated jwk parameter
  - High: Unvalidated JWT jku parameter
  - High: Unvalidated JWT x5u parameter
  - High: JWT Signature Bypass via unvalidated jku parameter
  - High: JWT Signature Bypass via unvalidated x5u parameter
  - High: JWT Signature Bypass via unvalidated x5c parameter
- Added authorization vulnerability detection
  - High: Horizontal Broken Function Level Authorization (BFLA)
  - High: Unauthenticated Access to Sensitive Functions
  - High: Horizontal IDOR/BOLA (Broken Object Level Authorization)
  - High: Vertical Broken Function Level Authorization (BFLA)
  - High: Vertical IDOR/BOLA (Broken Object Level Authorization)
- Added sensitive information exposure detection
  - High: API Sensitive Info(PII) accessible without authentication
  - Medium: Resource Accessible Without Required Authentication
- Added API inventory management checks
  - Medium: API Authentication Bypass Using a Test/Staging Host Header
- Added microservice security checks
  - High: Microservice Directory Traversal
- Added vulnerability detection for Java:
  - Medium: CVE-2026-21925
  - High: CVE-2026-21932
  - Medium: CVE-2026-21933
  - High: CVE-2026-21945
- Added vulnerability detection for Jetty:
  - High: CVE-2025-5115
- Added vulnerability detection for Joomla:
  - Medium: CVE-2025-63082
  - Medium: CVE-2025-63083
- Removed vulnerability detection for LiferayPortal:
- Added vulnerability detection for LimeSurvey:
  - Medium: CVE-2020-36993
  - High: CVE-2024-39063
  - Critical: CVE-2025-41375
  - Medium: CVE-2025-41376
- Added vulnerability detection for MySQL:
  - Medium: CVE-2026-21964
- Added vulnerability detection for Oracle:
  - High: CVE-2026-21939
- Added vulnerability detection for Oracle HTTP Server:
  - Critical: CVE-2026-21962
- Added vulnerability detection for osTicket:
  - High: CVE-2026-22200
- Added vulnerability detection for phpMyFAQ:
  - Medium: CVE-2026-24420
  - Medium: CVE-2026-24421
  - High: CVE-2026-24422
- Updated severity for Oracle 23.8 from Medium to High
- Updated severity for osTicket 1.17, 1.17.1, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.18 from Medium to High
Release 20260127
Release date: 27 January 2026
Version: 25.12.8
Security checks
- Updated the vulnerability database (VDB) to version 20260127
- Added vulnerability detection for e107:
  - High: CVE-2022-50939
  - Medium: CVE-2022-50905
Release 20260120
Release date: 20 January 2026
Version: 25.12.7
Security checks
- Updated the vulnerability database (VDB) to version 20260120
- Updated severity rating for Craft CMS version 3.9.15 from Medium to Critical
- Updated severity ratings for Craft CMS versions 4.4.16, 4.4.16.1, 4.4.17, 4.5.0, 4.14.9, 4.14.10, 4.14.11, 4.14.11.1, 4.14.12, 4.14.13, 4.14.14, 4.14.15, 4.15.0, 4.15.0.1, 4.15.0.2, 4.15.1, 4.15.2, 4.15.3, 4.15.4, 4.15.5, 4.15.6, 4.15.6.1, 5.6.10, 5.6.10.1, 5.6.10.2, 5.6.11, 5.6.12, 5.6.13, 5.6.14, 5.6.15, 5.6.17, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.8.1, 5.7.8.2 from High to Critical
- Updated severity rating for Grafana version 12.0.0 from High to Critical
- Updated severity ratings for e107 versions 2.1.4, 2.3.2 from Medium to High
- Added vulnerability detection for Craft CMS:
  - Critical: CVE-2025-68456
  - High: CVE-2025-68454, CVE-2025-68455
  - Medium: CVE-2025-68436, CVE-2025-68437
- Added vulnerability detection for Grafana:
  - Critical: CVE-2025-41115
- Added vulnerability detection for Python:
  - Medium: CVE-2025-13837
- Added vulnerability detection for SharePoint:
  - High: CVE-2026-20943, CVE-2026-20947, CVE-2026-20948, CVE-2026-20951, CVE-2026-20963
  - Medium: CVE-2026-20958, CVE-2026-20959
- Added vulnerability detection for e107:
  - High: CVE-2022-50907, CVE-2022-50916, CVE-2025-11941
  - Medium: CVE-2022-50906, CVE-2025-61505
- Added vulnerability detection for typo3CMS:
  - High: CVE-2025-59022, CVE-2026-0859
  - Medium: CVE-2025-59020, CVE-2025-59021
Release 20260112
Release date: 12 January 2026
Version: 25.12.6
Security checks
- Added vulnerability detection for OpenCart:
  - Medium: CVE-2025-15116
- Added vulnerability detection for PHP:
- Added vulnerability detection for WordPress:
  - High: CVE-2024-31210
- Added vulnerability detection for phpMyFAQ:
  - High: CVE-2025-62519, CVE-2025-69200
  - Medium: CVE-2025-68951