Invicti Platform Security checks and Runtime SCA findings
RSS feedTrack new security checks, vulnerability detection capabilities, and Runtime SCA findings introduced in each Invicti Platform on-demand release. Updates include enhanced detection methods, CVE coverage, and improvements to vulnerability identification.
2025
Security checks, vulnerability database updates, and Runtime SCA enhancements released in 2025.
Release 05122025
Release date: 5 December 2025
Version: 25.12.1
Security checks
- Implemented security checks for Next.js/React Server Components RCE:
Release 03122025
Release date: 3 December 2025
Version: 25.11.3
Security checks
- Updated the Vulnerability Database (VDB) to version 20251202
- Improved severity ratings for ReviveAdserver versions 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.5.2 from Medium to High
- Added vulnerability detection for Drupal:
- CVE-2025-13080 (Medium)
- CVE-2025-13081 (Medium)
- CVE-2025-13082 (Medium)
- CVE-2025-13083 (Low)
- Added vulnerability detection for Piwigo:
- CVE-2025-62406 (High)
- Added vulnerability detection for ReviveAdserver:
- CVE-2025-48986 (High)
- CVE-2025-48987 (Medium)
- CVE-2025-55124 (Medium)
- Added vulnerability detection for MoveItTransfer:
- CVE-2025-13147 (Medium)
Improvements
- Improved password detection when leaked in responses
- Improved detection of DOM XSS vulnerabilities
Resolved issues
- Improved detection of chatbots
Release 25112025
Release date: 25 November 2025
Version: 25.11.2
Security checks
- Added detection for the Fortinet FortiWeb authentication bypass vulnerability (CVE-2025-64446)
- Added detection for the Citrix NetScaler memory leak and reflected XSS vulnerability (CVE-2025-12101)
- Improved detection of SQL injection attempts in prepared statements used with NodeJS and MySQL
- Added detection for the Oracle Identity Manager authentication bypass leading to RCE (CVE-2025-61757)
- Updated the Vulnerability Database (VDB) to version 20251125
Resolved issue
- Fixed an issue in the script that identifies API resources missing required authentication
Release 20112025
Release date: 20 November 2025
Version: 25.11.1
Security checks
- Added check for Django SQL Injection via
_connector parameter- CVE-2025-64459 - Updated the Vulnerability Database (VDB) to version 20251118
Improvement
- Updated High Risk profile to include Blind XSS vulnerability checks
Release 05112025
Release date: 5 November 2025
Security checks
- Improved Local Path Traversal detection in J2EE environments to cover CVE-2025-55752
- Added detection for Magento authentication bypass (SessionReaper) - CVE-2025-54236
- Updated the Vulnerability Database (VDB) to version 20251104
Improvements
- Improved detection of sensitive information and personally identifiable information (PII)
Resolved issues
- Resolved an issue where XSS findings in JSON responses didn't display attack details
- Fixed the issue where sensitive data was not highlighted in the response for Sensitive Data Exposure vulnerabilities
- Resolved classification of standard XSS vulnerabilities that depend on how legacy browsers handle encoding
Release 31102025
Release date: 31 October 2025
Security checks
- Updated AEM (Adobe Experience Manager) checks to include seven newly reported vulnerabilities from the Hopgoblin toolkit (CVE-2025-54251, CVE-2025-54249, CVE-2025-54252, CVE-2025-54250, CVE-2025-54247, CVE-2025-54248, CVE-2025-54246)
- Updated the Vulnerability Database (VDB) to version 20251006
- Updated the Vulnerability Database (VDB) to version 20251021
- Added detection for the Oracle E-Business Suite remote code execution vulnerability (CVE-2025-61882)
- Added a new information discovery capability to detect sensitive or personally identifiable (PII) data during scans
Improvements
- Increased the severity level of TLS 1.1 usage from “Info” to “Low”
- Added new informational XSS finding types for cases where exploitation depends on the encoding behavior of legacy browsers
Resolved issues
- Removed duplicate CVE findings