Acunetix 360 On-Demand Release Notes

v26.5.1 - 21 May 2026

Copy Link Copy Link

The latest release includes AutoMapper CVE-2026-32933 fix, evidence field for version disclosure, MongoDB detection accuracy, and notification fix.

Security checks

CVE-2026-32933 remediation: Upgraded the AutoMapper library to remediate CVE-2026-32933, protecting your environment against the recently disclosed unbounded-recursion vulnerability.

New features

Evidence field for version disclosure and outdated technology findings: Version disclosure and outdated technology findings now include an evidence field that shows exactly where the scanner detected the library, so you can locate and remediate the source faster.

Improvements

MongoDB injection detection accuracy: Improved the Boolean-based MongoDB injection detection engine to reduce false positives on applications that don’t use MongoDB.

Resolved issues

Notifications to deactivated or deleted users: Notification emails no longer reach users who have been deactivated or deleted while an active notification relationship still exists, so scan-completion alerts only go to active recipients.

v26.5.0 - 12 May 2026

Copy Link Copy Link

The latest release includes agent security patches, fixes for report policy upgrades, and SSO team API assignment.

Improvements

.NET 8 security patches in scanner/AV agent: Updated the .NET 8 SDK to the latest version to include Microsoft’s newest security patches in the internal scanner/AV agent, keeping your agents protected against recently disclosed .NET vulnerabilities.

Resolved issues

User-edited report policy sections preserved on upgrade: Your customizations to CWE values and vulnerability template sections in report policies are no longer overwritten during version upgrades, so you don’t lose tuning work each time you upgrade.
Team assignment via member invitation API: The /members/newinvitation endpoint now applies and returns the Teams field for SSO-only users, matching the UI and the /members/new endpoint.

v26.4.2-HF - 29 Apr 2026

Copy Link Copy Link

This release includes the CVE-2026-40175 remediation.

Improvements

CVE-2026-40175 Remediation: Remediated CVE-2026-40175 by upgrading the Axios library in Acunetix 360.

v26.4.1 - 28 Apr 2026

Copy Link Copy Link

The latest release improves authentication stability and secures user onboarding.

Resolved issues

Login & logout verification: The “Verify login and logout” button has been fixed, ensuring you can validate your authentication settings without interruption.
Invite email protection: You can no longer change the invitee’s email during team or account invitations, ensuring invitations always go to the correct, intended address.

v26.4.0 - 14 Apr 2026

Copy Link Copy Link

Latest update enhances Chromium reliability with CVE-2026-2781 security patch, API Hub integration fixes, and improved scan stability.

Improvements

Chromium process tracking: Improved detection and cleanup of stalled Chromium processes, ensuring smoother and more reliable scan performance.

Resolved issues

CVE-2026-2781 protection: Docker and OpenShift scanner agent OS libraries are updated to shield your environments against this specific vulnerability.
API Hub inventory linking: API inventory items now link correctly after updating to the latest API Hub. No further action needed.
API Hub JWT key reliability: This update fixes an issue where API Hub’s newly generated JWT shared key and access token failed authorization after reinstalling API Hub in a fresh environment.
DefectDojo report imports: Reports from DefectDojo now import successfully again after their recent API changes.
Auth Verifier Chromium stability: Auth Verifier Agents no longer get stuck with hung Chromium processes during verification flows.
DST scan schedule timing: Scan schedules no longer jump by an hour after Daylight Saving Time changes.

v26.3.1 - 31 Mar 2026

Copy Link Copy Link

Latest update improves authentication, reporting, and agent stability.

Improvements

WSDL upload reliability: You can now upload WSDL files without errors, so integrating your web services is smoother and more reliable.
Passive engine proxy stability: Scans that use a custom web proxy now run more reliably, so your targets are scanned without unexpected timeouts or interruptions.

Bug fixes

Notification delivery reliability: Scan completion emails now send correctly again, so your team reliably receives alerts when scans finish.
OAuth scan export reliability: Scans that use OAuth settings now export successfully, so your scan data is complete and available without errors.

v26.3.0 - 10 Mar 2026

Copy Link Copy Link

This release introduces support for OWASP Top Ten 2025 classification and performance improvements.

New features

Added OWASP Top 10 2025 classification and reporting support
Implemented OWASP Top 10 2025 classifications in Report Policies

Improvements

Implemented VDB update for auth verifier agent
Upgraded SQLite-related packages
Improved Web Cache Deception detection accuracy and refined the response validation logic to handle authentication edge cases

Resolved issues

Improved the generation of preferences files for client certificate usage in the browser
Fixed an issue where some nodes were missing in the Knowledge Base under specific scan conditions
Fixed an issue where URLs imported via file or added manually weren’t transferred from Invicti Standard to Invicti Enterprise scans

v26.2.1 - 24 Feb 2026

Copy Link Copy Link

This release introduces improvements to OAuth2 scans, discovery controls, issue APIs, accessibility, and authentication logic.

Improvements

Implemented an option to set the maximum LEN value in discovery settings using an account-based feature flag
Updated scan profile tag handling to apply only delta changes via UI & API
Invicti HTTP Requester can be turned on or off from Scan Policy now
Issue API responses now clearly indicate which request parameter is vulnerable
Updated headings and labels to meet WCAG 2.4.6 (Level AA) standards
Improved link descriptions to meet WCAG 2.4.4 (Level A) accessibility standards
Updated page titles to meet WCAG 2.4.2 (Level A)
Improved info and relationships formatting for WCAG 1.3.1 (Level A)
Added text alternatives for non-text content per WCAG 1.1.1 (Level A)
Corrected name, role, and value attributes for WCAG 4.1.2 (Level A)
Optimized the UI focus order for WCAG 2.4.3 (Level A)
Added detection for Advanced Custom Fields Extended (WordPress plugin)
Improved detection logic of “Possible Password Transmitted over Query String” to better handle SPA applications using hash-based routing, reducing false positives in modern JavaScript authentication flows
Aligned CVSS scores with the National Vulnerability Database

Resolved issues

Fixed an issue preventing scans with OAuth2 settings from starting
Resolved a Chromium issue on Auth Verifier Agents
Fixed malformed masked URL usage in the scan
Improved the authentication logic for Form and Basic/NTLM methods
Fixed a timer issue during the scan completion

v26.2.0 - 10 Feb 2026

Copy Link Copy Link

This release introduces HAR export for authentication verification and SEM client certificate integration, while enhancing scanner tagging, Shark.Java, login reliability, browser and Docker agent stability, and fixing issues in detailed scan reporting and client certificate UI behavior.

New features

Added the HTTP archive (.har) file download into the “Verify form authentication” screen
Added SEM integration support for Client Certificate authentication

Improvements

Improved login fail notification
Improved the Docker agent startup script logic by adding retry and cleanup mechanisms
Tags in Agent AWS instances have been updated
Upgraded Shark.Java package from version 20 to version 21
Fixed browser crashes that occurred under certain edge conditions

Resolved issues

Fixed an issue that impacted “Detailed Scan Report” generation
The UI issue experienced in the Client Certificate enable/disable state has been fixed