Release Notes

Acunetix Standard & Premium

v25.11.2 - Security - 25 Nov 2025

This update introduces new vulnerability detections, improvements to injection and authentication checks, enhanced observability for PII risks, and the latest VDB update.

Security check

  • Added detection for the Fortinet FortiWeb authentication bypass vulnerability (CVE-2025-64446)
  • Added detection for the Citrix NetScaler memory leak and reflected XSS vulnerability (CVE-2025-12101)
  • Improved detection of SQL injection attempts in prepared statements used with NodeJS and MySQL
  • Added detection for the Oracle Identity Manager authentication bypass leading to RCE (CVE-2025-61757)
  • Updated the Vulnerability Database to version 20251125

Resolved issue

  • Fixed an issue in the script that identifies API resources missing required authentication

v25.11.1 - Security - 21 Nov 2025

The 25.11.1 security release for Acunetix brings Vulnerability Database (VDB) updates and a new Django check.

Security check

  • Updated the Vulnerability Database (VDB) to version 20251118
  • Added check for Django SQL Injection via _connector parameter (CVE-2025-64459)

Improvements

  • Updated High Risk profile to include Blind XSS vulnerability checks

v25.11 - 14 Nov 2025

Enhancements to DAST scanning, improved cookie and WSDL handling, better sitemap and Path Fragment processing, Python 3.13.6 upgrade, and fixes for PII false positives and API documentation access.

Improvements

  • Added support for tracking session tokens in URL Parameters in DAST scans
  • Updated LSR to use configured custom cookies
  • Added support for Custom Namespaces in WSDL specifications
  • Improved support for web applications that return 429 responses during the DAST scan
  • Improved processing of Path Fragments discovered by Deepscan
  • Improved handling of sitemaps
  • Upgraded Python to v3.13.6
  • Upgraded to PostgreSQL 17.6 for Acunetix on-premises

Resolved issues

  • Fixed false positives from “PII without authentication” scripts
  • API documentation is now properly reachable in the most recent on-premise version

v25.8.5 - Security - 05 Nov 2025

Security check update: Enhanced Local Path Traversal detection for J2EE (CVE-2025-55752), added Magento authentication bypass detection (CVE-2025-54236), updated VDB to 20251104, improved sensitive data and PII detection, and fixed XSS and sensitive data display issues.

Security check

  • Improved Local Path Traversal detection in J2EE environments to cover CVE-2025-55752
  • Added detection for Magento authentication bypass (SessionReaper) – CVE-2025-54236
  • Updated the Vulnerability Database (VDB) to version 20251104

Improvements

  • Improved detection of sensitive information and personally identifiable information (PII)

Resolved issues

  • Resolved an issue where XSS findings in JSON responses didn’t display attack details
  • Fixed the issue where sensitive data was not highlighted in the response for Sensitive Data Exposure vulnerabilities
  • Resolved classification of standard XSS vulnerabilities that depend on how legacy browsers handle encoding

v25.8.4 - Security - 03 Nov 2025

Security update: New AEM and Oracle vulnerabilities, PII detection, VDB updated, TLS 1.1 severity increased, XSS info added, duplicates removed.

Security check

  • Updated AEM (Adobe Experience Manager) checks to include seven newly reported vulnerabilities from the Hopgoblin toolkit (CVE-2025-54251, CVE-2025-54249, CVE-2025-54252, CVE-2025-54250, CVE-2025-54247, CVE-2025-54248, CVE-2025-54246)
  • Updated the Vulnerability Database (VDB) to version 20251006
  • Updated the Vulnerability Database (VDB) to version 20251021
  • Added detection for the Oracle E-Business Suite remote code execution vulnerability (CVE-2025-61882)
  • Added a new information discovery capability to detect sensitive or personally identifiable (PII) data during scans

Improvements

  • Increased the severity level of TLS 1.1 usage from “Info” to “Low”
  • Added new informational XSS finding types for cases where exploitation depends on the encoding behavior of legacy browsers

Resolved issues

  • Removed duplicate CVE findings

v25.8.2 - additional update - 17 Sep 2025

Security check

  • Added the “JWT authentication bypass with LSR” check
  • Upgraded Vulnerability Database (VDB) to version 20250916

v25.8.2 - 10 Sep 2025

Security check improvements with upgraded Vulnerability Database (VDB) to version 20250909 and corrected OWASP 2021 classifications for multiple reports.

Security check

  • Upgraded Vulnerability Database (VDB) version to 20250909

Fix

  • Fixed OWASP 2021 classifications for multiple reports

v25.8.1 - 03 Sep 2025

Security check

  • Upgraded Vulnerability Database (VDB) version to 20250902

Improvement

  • Improved the “GraphQL Introspection Query Enabled” check
  • Improved the “Weak Session IDs” check

v25.8 - 22 Aug 2025

Improvement

  • Improved accuracy in identifying ELMAH error log endpoints for ASP.NET

Fix

  • Resolved an issue where attaching the same target with a different port returned “Host already attached”