Skip to main content

Invicti Platform Security checks and Runtime SCA findings

RSS feed

Track new security checks, vulnerability detection capabilities, and Runtime SCA findings introduced in each Invicti Platform on-demand release. Updates include enhanced detection methods, CVE coverage, and improvements to vulnerability identification.

2026

Security checks, vulnerability database updates, and Runtime SCA enhancements released in 2026.

Release 20260310

Release date: 11 March 2026
Version: 25.12.12

Security checks

  • Updated the vulnerability database (VDB) to version 20260310
  • Improved technology detection
  • Updated severity ratings for Chamilo versions 1.10.0, 1.10.2, 1.10.4, 1.10.6, 1.10.8, 1.11.26, 1.8.6.1, 1.8.8.3, 1.9.0, 1.9.10, 1.9.10.2, 1.9.10.4, 1.9.6, 1.9.6.1, 1.9.8, 1.9.8.1, 1.9.8.2 from High to Critical
  • Updated severity rating for Chamilo version 1.11.24 from Medium to Critical
  • Updated severity ratings for Craft CMS versions 4.15.6.2, 4.16.17, 4.16.18, 4.16.19, 4.4.14, 4.5.6.1, 5.6.16, 5.7.1.1, 5.8.21, 5.8.22, 5.8.23 from High to Critical
  • Updated severity ratings for DotCMS versions 22.03, 22.03.2, 22.03.4, 22.03.5, 22.03.6, 22.03.7, 22.03.8, 22.03.9, 22.03.10, 22.03.11, 22.03.12, 22.03.13, 22.03.14, 22.03.15, 23.01.1, 23.01.2, 23.01.3, 23.01.4, 23.01.5, 23.01.6, 23.01.7, 23.01.8, 23.01.9, 23.01.10, 23.01.11, 23.01.12, 23.01.13, 23.01.14, 23.01.15, 23.01.16, 23.01.17, 23.10.24.0 from Medium to Critical
  • Updated severity ratings for EspoCRM versions 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.9.2, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.6.1, 3.6.2, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.9.0, 3.9.1, 3.9.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.6.0, 4.7.0, 4.7.1, 4.7.2, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.6.10, 5.6.11, 5.6.12, 5.6.13, 5.6.14, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.9, 5.7.10, 5.7.11, 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.5 from High to Critical
  • Updated severity ratings for osCommerce versions 1.0.6.0, 1.0.7.0, 1.0.7.1, 1.0.7.2, 1.0.7.3, 1.0.7.4, 1.0.7.5, 1.0.7.6, 1.0.7.7, 1.0.7.8, 1.0.7.9, 1.1, 1.11, 1.12, 1.13, 2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.3.1, 2.3.3.2, 2.3.3.3, 2.3.3.4, 2.3.4 from Medium to High
  • Added vulnerability detection for Chamilo:
  • Added vulnerability detection for Craft CMS:
  • Added vulnerability detection for DOMPurify:
  • Added vulnerability detection for Django:
  • Added vulnerability detection for DotCMS:
  • Added vulnerability detection for EspoCRM:
  • Added vulnerability detection for Jetty:
  • Added vulnerability detection for MediaWiki:
  • Added vulnerability detection for Moodle:
  • Added vulnerability detection for Underscore.js:
  • Added vulnerability detection for Werkzeug:
  • Added vulnerability detection for XWikiplatform:
  • Added vulnerability detection for osCommerce:
  • Added vulnerability detection for phpMyFAQ:

Release 20260303

Release date: 5 March 2026
Version: 25.12.11

Security checks

Release 20260224

Release date: 25 February 2026
Version: 25.12.10

Security checks

Release 20260202

Release date: 3 February 2026
Version: 25.12.9

Security checks

  • Updated the vulnerability database (VDB) to version 20260202
  • Added comprehensive JWT authentication bypass detection
    • High: JWT Signature Bypass via None Algorithm
    • High: JWT Signature is not Verified
    • High: JWT Signature Bypass via kid SQL injection
    • High: JWT Signature Bypass via kid Path Traversal
    • High: JWT Signature Bypass via unvalidated jwk parameter
    • High: Unvalidated JWT jku parameter
    • High: Unvalidated JWT x5u parameter
    • High: JWT Signature Bypass via unvalidated jku parameter
    • High: JWT Signature Bypass via unvalidated x5u parameter
    • High: JWT Signature Bypass via unvalidated x5c parameter
  • Added authorization vulnerability detection
    • High: Horizontal Broken Function Level Authorization (BFLA)
    • High: Unauthenticated Access to Sensitive Functions
    • High: Horizontal IDOR/BOLA (Broken Object Level Authorization)
    • High: Vertical Broken Function Level Authorization (BFLA)
    • High: Vertical IDOR/BOLA (Broken Object Level Authorization)
  • Added sensitive information exposure detection
    • High: API Sensitive Info(PII) accessible without authentication
    • Medium: Resource Accessible Without Required Authentication
  • Added API inventory management checks
    • Medium: API Authentication Bypass Using a Test/Staging Host Header
  • Added microservice security checks
    • High: Microservice Directory Traversal
  • Added vulnerability detection for Java:
  • Added vulnerability detection for Jetty:
  • Added vulnerability detection for Joomla:
  • Removed vulnerability detection for LiferayPortal:
  • Added vulnerability detection for LimeSurvey:
  • Added vulnerability detection for MySQL:
  • Added vulnerability detection for Oracle:
  • Added vulnerability detection for Oracle HTTP Server:
  • Added vulnerability detection for osTicket:
  • Added vulnerability detection for phpMyFAQ:
  • Updated severity for Oracle 23.8 from Medium to High
  • Updated severity for osTicket 1.17, 1.17.1, 1.17.3, 1.17.4, 1.17.5, 1.17.6, 1.18 from Medium to High
  • Added Zimbra Collaboration Suite (ZCS) Local File Inclusion check CVE-2025-68645

Release 20260129

Release date: 29 January 2026
Version: 25.12.8

Security checks

  • Updated the vulnerability database (VDB) to version 20260127
  • Improved XSS detection
  • Added vulnerability detection for e107:

Resolved issue

  • Fixed notifications

Release 20260121

Release date: 21 January 2026
Version: 25.12.7

Security checks

Release 20260113

Release date: 13 January 2026
Version: 25.12.6

Security checks

Release 20260107

Release date: 7 January 2026
Version: 25.12.5

Security checks

  • Updated the Vulnerability Database (VDB) to version 20260106
  • Added 15 new versions for 18 technologies and 7 new CVEs
  • Updated severity ratings for MongoDB versions 4.2.18, 4.3.0-4.3.3, 4.4.29, 5.0.30-5.0.31, 6.0.23-6.0.26, 8.0.13-8.0.15, 8.2.0-8.2.1 from Medium to High
  • Updated severity rating for Podcast Generator version 3.2.9 from Medium to Critical
  • Updated severity ratings for Python versions 3.10.10-3.10.19, 3.11-3.11.14, 3.12-3.12.5 from High to Critical
  • Updated severity rating for Python version 3.12.6 from Medium to Critical
  • Added vulnerability detection for CrushFTP:
  • Added vulnerability detection for MongoDB:
  • Added vulnerability detection for Podcast Generator:
  • Added vulnerability detection for Python:
  • Added vulnerability detection for Roundcube:
  • Added vulnerability detection for phpMyFAQ:

2025

Security checks, vulnerability database updates, and Runtime SCA enhancements released in 2025.

Release 20251230

Release date: 30 December 2025
Version: 25.12.4

Security checks

Improvements

  • Updated vulnerability classifications to align with OWASP Top 10 2025 categories
  • Updated OWASP Top 10 scan profile to align with OWASP Top 10 2025 categories

Release 20251217

Release date: 17 December 2025
Version: 25.12.3

Security checks

Improvements

  • Improved detection of DOM XSS vulnerabilities
  • Updated the alert text of the most detected vulnerabilities

Resolved issues

  • Improved detection of "Sensitive pages could be cached" vulnerabilities
  • Improved detection of "Open Redirect" vulnerabilities

Release 20251209

Release date: 9 December 2025
Version: 25.12.2

Security checks

  • Updated the Vulnerability Database (VDB) to version 20251209

Release 20251205

Release date: 5 December 2025
Version: 25.12.1

Security checks

Release 20251203

Release date: 3 December 2025
Version: 25.11.3

Security checks

Improvements

  • Improved password detection when leaked in responses
  • Improved detection of DOM XSS vulnerabilities

Resolved issues

  • Improved detection of chatbots

Release 20251125

Release date: 25 November 2025
Version: 25.11.2

Security checks

  • Added detection for the Fortinet FortiWeb authentication bypass vulnerability (CVE-2025-64446)
  • Added detection for the Citrix NetScaler memory leak and reflected XSS vulnerability (CVE-2025-12101)
  • Improved detection of SQL injection attempts in prepared statements used with NodeJS and MySQL
  • Added detection for the Oracle Identity Manager authentication bypass leading to RCE (CVE-2025-61757)
  • Updated the Vulnerability Database (VDB) to version 20251125

Resolved issue

  • Fixed an issue in the script that identifies API resources missing required authentication

Release 20251120

Release date: 20 November 2025
Version: 25.11.1

Security checks

  • Added check for Django SQL Injection via _connector parameter - CVE-2025-64459
  • Updated the Vulnerability Database (VDB) to version 20251118

Improvement

  • Updated High Risk profile to include Blind XSS vulnerability checks

Release 20251105

Release date: 5 November 2025

Security checks

  • Improved Local Path Traversal detection in J2EE environments to cover CVE-2025-55752
  • Added detection for Magento authentication bypass (SessionReaper) - CVE-2025-54236
  • Updated the Vulnerability Database (VDB) to version 20251104

Improvements

  • Improved detection of sensitive information and personally identifiable information (PII)

Resolved issues

  • Resolved an issue where XSS findings in JSON responses didn't display attack details
  • Fixed the issue where sensitive data was not highlighted in the response for Sensitive Data Exposure vulnerabilities
  • Resolved classification of standard XSS vulnerabilities that depend on how legacy browsers handle encoding

Release 20251031

Release date: 31 October 2025

Security checks

  • Updated AEM (Adobe Experience Manager) checks to include seven newly reported vulnerabilities from the Hopgoblin toolkit (CVE-2025-54251, CVE-2025-54249, CVE-2025-54252, CVE-2025-54250, CVE-2025-54247, CVE-2025-54248, CVE-2025-54246)
  • Updated the Vulnerability Database (VDB) to version 20251006
  • Updated the Vulnerability Database (VDB) to version 20251021
  • Added detection for the Oracle E-Business Suite remote code execution vulnerability (CVE-2025-61882)
  • Added a new information discovery capability to detect sensitive or personally identifiable (PII) data during scans

Improvements

  • Increased the severity level of TLS 1.1 usage from “Info” to “Low”
  • Added new informational XSS finding types for cases where exploitation depends on the encoding behavior of legacy browsers

Resolved issues

  • Removed duplicate CVE findings