Security release notes

Track new security checks, vulnerability detection capabilities, and Runtime SCA findings introduced in each Invicti Enterprise and Invicti Standard release. Updates include enhanced detection methods, CVE coverage, and improvements to vulnerability identification.

2026​

Security checks, vulnerability database updates, and Runtime SCA enhancements released in 2026.

Release v25.12.9​

Release date: 3 February 2026

Security Checks​

• Added comprehensive JWT authentication bypass detection
  • High: JWT Signature Bypass via None Algorithm
  • High: JWT Signature is not Verified
  • High: JWT Signature Bypass via kid SQL injection
  • High: JWT Signature Bypass via kid Path Traversal
  • High: JWT Signature Bypass via unvalidated jwk parameter
  • High: Unvalidated JWT jku parameter
  • High: Unvalidated JWT x5u parameter
  • High: JWT Signature Bypass via unvalidated jku parameter
  • High: JWT Signature Bypass via unvalidated x5u parameter
  • High: JWT Signature Bypass via unvalidated x5c parameter
• Added authorization vulnerability detection
  • High: Horizontal Broken Function Level Authorization (BFLA)
  • High: Unauthenticated Access to Sensitive Functions
  • High: Horizontal IDOR/BOLA (Broken Object Level Authorization)
  • High: Vertical Broken Function Level Authorization (BFLA)
  • High: Vertical IDOR/BOLA (Broken Object Level Authorization)
• Added sensitive information exposure detection
  • High: API Sensitive Info(PII) accessible without authentication
  • Medium: Resource Accessible Without Required Authentication
• Added API inventory management checks
  • Medium: API Authentication Bypass Using a Test/Staging Host Header
• Added microservice security checks
  • High: Microservice Directory Traversal
• Added vulnerability detection for Java:
  • Medium: CVE-2026-21925
  • High: CVE-2026-21932
  • Medium: CVE-2026-21933
  • High: CVE-2026-21945
• Added vulnerability detection for Jetty:
  • High: CVE-2025-5115
• Added vulnerability detection for Joomla:
  • Medium: CVE-2025-63082
  • Medium: CVE-2025-63083
• Removed vulnerability detection for LiferayPortal:
  • CVE-2023-33944
• Added vulnerability detection for LimeSurvey:
  • Medium: CVE-2020-36993
  • High: CVE-2024-39063
  • Critical: CVE-2025-41375
  • Medium: CVE-2025-41376
• Added vulnerability detection for MySQL:
  • Medium: CVE-2026-21964
• Added vulnerability detection for Oracle:
  • High: CVE-2026-21939
• Added vulnerability detection for Oracle HTTP Server:
  • Critical: CVE-2026-21962
• Added vulnerability detection for osTicket:
  • High: CVE-2026-22200
• Added vulnerability detection for phpMyFAQ:
  • Medium: CVE-2026-24420
  • Medium: CVE-2026-24421
  • High: CVE-2026-24422
• Updated severity for Oracle 23.8 from Medium to High
• Updated severity for osTicket 1.17, 1.17.1, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.18 from Medium to High

Release v25.12.8​

Release date: 27 January 2026

Security checks​

• Updated the vulnerability database (VDB) to version 20260127
• Added vulnerability detection for e107:
  • High: CVE-2022-50939
  • Medium: CVE-2022-50905

Release v25.12.7​

Release date: 20 January 2026

Security checks​

• Updated the vulnerability database (VDB) to version 20260120
• Updated severity rating for Craft CMS version 3.9.15 from Medium to Critical
• Updated severity ratings for Craft CMS versions 4.4.16, 4.4.16.1, 4.4.17, 4.5.0, 4.14.9, 4.14.10, 4.14.11, 4.14.11.1, 4.14.12, 4.14.13, 4.14.14, 4.14.15, 4.15.0, 4.15.0.1, 4.15.0.2, 4.15.1, 4.15.2, 4.15.3, 4.15.4, 4.15.5, 4.15.6, 4.15.6.1, 5.6.10, 5.6.10.1, 5.6.10.2, 5.6.11, 5.6.12, 5.6.13, 5.6.14, 5.6.15, 5.6.17, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.8.1, 5.7.8.2 from High to Critical
• Updated severity rating for Grafana version 12.0.0 from High to Critical
• Updated severity ratings for e107 versions 2.1.4, 2.3.2 from Medium to High
• Added vulnerability detection for Craft CMS:
  • Critical: CVE-2025-68456
  • High: CVE-2025-68454, CVE-2025-68455
  • Medium: CVE-2025-68436, CVE-2025-68437
• Added vulnerability detection for Grafana:
  • Critical: CVE-2025-41115
• Added vulnerability detection for Python:
  • Medium: CVE-2025-13837
• Added vulnerability detection for SharePoint:
  • High: CVE-2026-20943, CVE-2026-20947, CVE-2026-20948, CVE-2026-20951, CVE-2026-20963
  • Medium: CVE-2026-20958, CVE-2026-20959
• Added vulnerability detection for e107:
  • High: CVE-2022-50907, CVE-2022-50916, CVE-2025-11941
  • Medium: CVE-2022-50906, CVE-2025-61505
• Added vulnerability detection for typo3CMS:
  • High: CVE-2025-59022, CVE-2026-0859
  • Medium: CVE-2025-59020, CVE-2025-59021

Release v25.12.6​

Release date: 12 January 2026

Security checks​

• Added vulnerability detection for OpenCart:
  • Medium: CVE-2025-15116
• Added vulnerability detection for PHP:
  • High: CVE-2025-14177, CVE-2025-14178, CVE-2025-14180
• Added vulnerability detection for WordPress:
  • High: CVE-2024-31210
• Added vulnerability detection for phpMyFAQ:
  • High: CVE-2025-62519, CVE-2025-69200
  • Medium: CVE-2025-68951