Release Notes

Acunetix 360 On-Demand

v26.2.1 - 24 Feb 2026

This release introduces improvements to OAuth2 scans, discovery controls, issue APIs, accessibility, and authentication logic.

Improvements

  • Implemented an option to set the maximum LEN value in discovery settings using an account-based feature flag
  • Updated scan profile tag handling to apply only delta changes via UI & API
  • Invicti HTTP Requester can now be turned on or off from the Scan Policy
  • Issue API responses now clearly indicate which request parameter is vulnerable
  • Updated headings and labels to meet WCAG 2.4.6 (Level AA) standards
  • Improved link descriptions to meet WCAG 2.4.4 (Level A) accessibility standards
  • Updated page titles to meet WCAG 2.4.2 (Level A)
  • Improved info and relationships formatting for WCAG 1.3.1 (Level A)
  • Added text alternatives for non-text content per WCAG 1.1.1 (Level A)
  • Corrected name, role, and value attributes for WCAG 4.1.2 (Level A)
  • Optimized the UI focus order for WCAG 2.4.3 (Level A)
  • Added detection for Advanced Custom Fields Extended (WordPress plugin)
  • Improved detection logic of “Possible Password Transmitted over Query String” to better handle SPA applications using hash-based routing, reducing false positives in modern JavaScript authentication flows
  • Aligned CVSS scores with the National Vulnerability Database

Resolved issues

  • Fixed an issue preventing scans with OAuth2 settings from starting
  • Resolved a Chromium issue on Auth Verifier Agents
  • Fixed malformed masked URL usage in the scan
  • Improved the authentication logic for Form and Basic/NTLM methods
  • Fixed a timer issue during the scan completion

v26.2.0 - 10 Feb 2026

This release introduces HAR export for authentication verification and SEM client certificate integration, while enhancing scanner tagging, Shark.Java, login reliability, browser and Docker agent stability, and fixing issues in detailed scan reporting and client certificate UI behavior.

New features

  • Added an HTTP archive (.har) file download to the “Verify form authentication” screen

  • Added SEM integration support for Client Certificate authentication

Improvements

  • Improved the login failure notification

  • Improved the Docker agent startup script logic by adding retry and cleanup mechanisms

  • Tags in Agent AWS instances have been updated

  • Upgraded Shark.Java package from version 20 to version 21

  • Fixed browser crashes that occurred under certain edge conditions

Resolved issues

  • Fixed an issue that impacted “Detailed Scan Report” generation

  • The UI issue experienced in the Client Certificate enable/disable state has been fixed

v26.1.2-HF - 22 Jan 2026

This release fixes SCIM endpoint timeouts.

Resolved issue

  • Fixed SCIM endpoint timeouts caused by concurrent requests blocking indefinitely on resource locks

v26.1.1 - 15 Jan 2026

Improvement for Maven chatbot

Improvements

  • Improved Maven chatbot

v26.1.0 - 13 Jan 2026

Latest update adds 1-year Sitemap retention, Browser logs in verification, and Jira Fix Versions support. Includes OAuth2 fixes, libtiff6 security update, and improvements to chatbot persistence, URL rewriting, and scan scheduling.

New features

  • Added a 1-year retention policy for Sitemap records
  • Added Browser Network and Console logs to the verification log area

Improvements

  • Added support for Fix Versions when creating Jira issues via integration. Multiple fix versions can now be assigned to a single issue. Supports mixed usage of `name` and `id` attributes such as `[{"name":"v1.2"},{"id":"10001"},{"name":"v1.0"}]`
  • Chatbot pop-up now displays after redirection and persists until manually closed by the user

Resolved issues

  • Fixed OAuth2 update issue regarding the use of ‘secret’
  • Updated the vulnerable libtiff6 package
  • Fixed TempPath-dependent errors when the path contains whitespace
  • Fixed next execution time recalculation for on-premises environments after a scan is triggered
  • Fixed InvictiProxy usage on Auth Verifiers
  • Fixed incorrect redirect for More Information link on URL Rewrite Custom Mode
  • Fixed OAuth2 3-legged Authorization code issue
  • Fixed sitemap issue causing URLs with /#/ to be missing
  • Fixed gRPC attack engine to use form values
  • Fixed retest scan launch failure
  • Fixed scan data archiving error

v25.12.0 - 10 Dec 2025

Enhanced API compliance with 13 new PUT endpoints, OAuth2 secrets support, and Chromium 137 upgrade. Unified Splunk add-on, improved agent management, and fixes for proxy logging, scan queue issues, and API permissions.

New features

  • Enhanced REST API compliance by implementing proper PUT verb endpoints for 13 update operations (AgentGroups, AuthenticationProfiles, Discovery, Issues, Members, Notifications, Roles, ScanPolicies, ScanProfiles, Team, WebsiteGroups, Websites). Legacy POST endpoints remain fully supported for backward compatibility.
  • Added support for retrieving OAuth2 credentials from secrets storage

Improvements

  • Added agent type information to Queue Reason for improved clarity
  • Added the `InterceptDocumentOnly` setting to the Scan policy section under the Browser tab for easier access
  • Limited all discovery settings entries to 100 lines to address performance issues and improve data retrieval efficiency
  • Upgraded the underlying engine to `Chromium 137.0.7151.68`, delivering critical security patches, improved stability, and better performance
  • Unified the Splunk Enterprise and Splunk Cloud add-ons into a single package for simplified deployment and maintenance. The legacy on-premises app is now deprecated, with full support for both platforms available in the consolidated add-on.

Resolved issues

  • Proxy credentials are now properly masked in `InvictiProxy` logs
  • Resolved API request errors that occurred when `UrlRewriteExcludedLinks` was added to a profile
  • Fixed a permissions issue where users without Edit Members permissions were unable to perform API Token Reset operations
  • Resolved an issue where manually disabling an agent assigned to queued or active scans would cause those scans to become stuck indefinitely. The system now prevents disabling agents with assigned scans and displays clear error messages
  • Fixed the `/api/1.0/agentgroups/list` endpoint returning null for the Teams field when `TeamAgentGroupAssignmentEnabled` was enabled, ensuring team assignments for agent groups are properly retrieved
  • Corrected an issue where excluded cookies were incorrectly appearing in scan reports
  • Fixed missing `Known issues` and `CVE details` on the Scan Summary page

v25.11.2-HF - 05 Dec 2025

This release includes security checks for Next.js/React Server Components RCE (React2Shell) vulnerability.

Security checks

v25.11.1-HF - 20 Nov 2025

Hotfix for an issue that was causing login failures during authenticated scans

Resolved issue

  • Fixed an issue that was causing login failures during authenticated scans

v25.11.1 - 19 Nov 2025

Aligned Acunetix security checks with report policy and improved scan stability when using custom scripts

New feature

  • Implemented Acunetix security checks into the report policy, aligning it with the existing functionality in Invicti Standard

Resolved issue

  • Prevented scan failures caused by syntax errors in custom security scripts