Pre-scan authentication validation for NTLM, Basic, and Kerberos: Scans can now be configured to fail immediately if credentials are invalid, preventing unauthenticated scans from running silently.
Sitemap data retention policy now available in General Settings: Root users can now enable automatic cleanup of sitemap data older than one year, helping manage storage and keep scan data relevant.
Interactive Login now supported on the Form Authentication page: Users can now handle MFA, CAPTCHA, and other interactive authentication steps directly within the UI during scan setup. Captured sessions are stored encrypted and reused automatically across future scans.
Improvements
Docker agent updated with latest security patches: The Docker agent base image has been updated to address a critical OpenSSL vulnerability.
Scans now fail immediately when the target returns HTTP 502: If the first response is a 502, the scan stops right away rather than continuing against an unreachable target.
Resolved issues
Custom policy severity settings no longer reset after a product update: User-configured severity levels in custom report policies are now preserved across upgrades.
Multiple scan notifications can now be created for the same target with different scan groups: Creating more than one "New Scan Notification" for the same target was incorrectly blocked when scan groups differed. The duplicate check now accounts for scan group selection.
Login/Logout Verification dialog no longer shows stale errors on quick reopen: Closing and immediately reopening the verification modal no longer causes outdated error messages or incorrect UI state to appear.
Targets can no longer be re-imported before the deletion grace period has elapsed: A target deleted within the last week could cause "already exists" errors when re-adding the same URL. This is now handled correctly.
Remediation scans now correctly use the target's assigned agent group: On-Prem remediation scans triggered via "Mark as Fixed (Unconfirmed)" were getting stuck in queue because the wrong agent was selected instead of the target's configured internal agent group. Remediation scans now use the same agent selection logic as full and retest scans.
Splunk plugin link now directs to the correct page: The Splunk integration link was pointing to an incorrect destination and has been fixed.
Report generation no longer fails for findings with expired request/response data: Generating reports that included older findings where HTTP request/response data had been purged per the retention policy could cause the report to fail entirely. The report engine now handles missing evidence gracefully.
Sensitive information masking logic improved: The "Prevent any sensitive information showing within the product" option now works more reliably across relevant areas of the UI.
FIDO2 security key (YubiKey) registration no longer fails with "Incorrect U2F security key" error: A dependency version mismatch was causing YubiKey registration to fail. This has been resolved and FIDO2 keys can now be registered successfully.
Security checks
JavaScript Source Map detection now available: Added the JavaScript Source Map detected vulnerability to the security checks.