Acunetix 360 On-Premises

Security checks

• CVE-2026-32933 remediation: Upgraded the AutoMapper library to remediate CVE-2026-32933, protecting your environment against the recently disclosed unbounded-recursion vulnerability.

Improvements

• .NET 8 security patches in scanner/AV agent: Updated the .NET 8 SDK to the latest version to include Microsoft’s newest security patches in the internal scanner/AV agent, keeping your agents protected against recently disclosed .NET vulnerabilities.
• Incremental scan efficiency: Incremental scans now retest with the detection pattern only instead of re-running full attack payloads on unchanged content, so subsequent scans complete faster without behaving like full scans.

Resolved issues

• GraphQL audit duplicate findings: The GraphQL Audit script now runs as an active check with a groupable signature, so unrelated payloads sent to GraphQL endpoints are no longer reported as separate “Introspection Query Enabled” findings.
• Invite email protection: You can no longer change the invitee’s email during team or account invitations, ensuring invitations always go to the correct, intended address.
• Login & logout verification: The “Verify login & logout” button has been fixed, ensuring you can validate your authentication settings without interruption.

Verify the Hash value for package integrity in Acunetix 360 on-premises

The hash value for the “26.5.1.zip” file is 0294ABC6E3C7C03221323373F5CD95FAEA9632CBC2D2DC7A2711D768285D5ABA.

You can verify the integrity of the file by checking its hash value using one of the outlined methods:

PowerShell (Windows):

Get-FileHash -Path "26.5.1.zip" -Algorithm SHA256

Command Prompt (Windows):

certutil -hashfile "26.5.1.zip" SHA256

Linux or macOS:

sha256sum "26.5.1.zip"

Improvements

• You can now specify the maximum number of rows (LEN) in Discovery directly from the Settings menu
• Invicti HTTP Requester can now be activated or deactivated from the Scan policy
• API responses for vulnerability issues now include the IsAttackParameter, making it easier to pinpoint exactly which request parameter is vulnerable without additional investigation
• The UseHttpClient can be activated in the Scan policy instead of account-based enablement
• Resolved an issue where agents would terminate abruptly while archiving and finalizing long-running scans, ensuring scan results are fully preserved and processed regardless of scan duration
• Added detection for Advanced Custom Fields Extended (WordPress plugin)
• Improved detection logic of “Possible Password Transmitted over Query String” to better handle SPA applications using hash-based routing, reducing false positives in modern JavaScript authentication flows
• Aligned CVSS scores with the National Vulnerability Database

Resolved issues

• Scans no longer fail when running in restricted network environments – Passive Engine now retrieves host addresses more safely and reliably through the configured proxy, ensuring compatibility
• Resolved an issue where the VDB version remained outdated even after a successful update in the verifier mode, ensuring customers always see accurate and up-to-date version information
• Users who installed via silent install can now add targets without encountering licensing errors
• Resolved an issue where the AV Service configuration wasn’t automated during silent installation, restoring a fully unattended install experience
• Resolved an issue where masking an API key in the URL with wildcards caused key mismatches during scans, resulting in 401/403 authentication errors
• Resolved an issue where WSDL file uploads were failing

Verify the Hash value for package integrity in Acunetix 360 on-premises

The hash value for the “26.3.0.zip” file is 658936B0054C1324E636E9FE68C68C8255D0F3FBDD4BD415F33ADBF1A24CED46.

You can verify the integrity of the file by checking its hash value using one of the outlined methods:

PowerShell (Windows):

Get-FileHash -Path "26.3.0.zip" -Algorithm SHA256

Command Prompt (Windows):

certutil -hashfile "26.3.0.zip" SHA256

Linux or macOS:

sha256sum "26.3.0.zip"

New feature

• Improved REST API compliance by adding proper PUT verb endpoints for 13 update operations (AgentGroups, AuthenticationProfiles, Discovery, Issues, Members, Notifications, Roles, ScanPolicies, ScanProfiles, Team, WebsiteGroups, Websites), replacing legacy POST endpoints while maintaining full backward compatibility

Improvements

• Added agent type information to Queue Reason for improved clarity
• Limited all discovery settings entries to 100 lines to address performance issues and improve data retrieval efficiency
• Relocated the “InterceptDocumentOnly” setting from Advanced settings to Scan policy for improved accessibility
• Unified the Splunk Enterprise and Splunk Cloud add-ons into a single package for simplified deployment and maintenance. The legacy on-premises app is now deprecated, with full support for both platforms available in the consolidated add-on
• Upgraded the underlying engine to Chromium 137.0.7151.68, delivering critical security patches, improved stability, and better performance

Resolved issues

• Fixed TempPath-dependent errors when the path contains whitespace
• Fixed InvictiProxy usage on Auth Verifiers
• Fixed a permissions issue where users without “Edit Members” permissions were unable to perform API Token Reset operations
• Fixed the /api/1.0/agentgroups/list endpoint returning null for the Teams field when TeamAgentGroupAssignmentEnabled was enabled, ensuring team assignments for agent groups are properly retrieved
• Fixed OAuth 2.0 3-legged Authorization code issue
• Fixed a sitemap issue causing URLs with /#/ to be missing
• Fixed an issue where excluded cookies were incorrectly appearing in scan reports
• Fixed gRPC attack engine to use form values
• Fixed scan data archiving error

Verify the Hash value for package integrity in Acunetix 360 on-premises

The hash value for the “26.1.0.zip” file is 981B126AC2A2BB56DAFD74BED818DA5AC897F3B990030E11845DDF654DBE1643.

You can verify the integrity of the file by checking its hash value using one of the outlined methods:

PowerShell (Windows):

Get-FileHash -Path "26.1.0.zip" -Algorithm SHA256

Command Prompt (Windows):

certutil -hashfile "26.1.0.zip" SHA256

Linux or macOS:

sha256sum "26.1.0.zip"

New features

• The Secrets screen now supports selecting and referencing secrets from SEM integrations in addition to manually entered name–value pairs. This allows more secure and centralized secret management
• Added WebLogic support for JAVA Shark sensor

Improvements

• Replaced old POST deletion methods with standard DELETE endpoints for a more consistent API. The POST endpoints are now deprecated. Be sure to update your integrations.
• Masked sensitive data in request/response details

Resolved issues

• Fixed an issue showing the wrong Vulnerability Database (VDB) version
• Fixed a cache cleaning issue
• Fixed Intel instance assignment issue for On-prem Cloud Provider
• Fixed an issue for 3-legged authorization code flow
• Added RegEx validation to prevent invalid patterns causing scan failures
• The Agent auto-updater can now use encrypted proxy credentials in the appsettings.json
• Fixed the Discrepancy in the permission count of the Roles.
• Addressed SSL errors in certificate-based environments by adding support for the IgnoreSslCertificateErrors parameter
• Fixed Unable to Load Scan Session & Unable to Find Scan Files error
• Containerized Agents stuck auto update issue resolved

Notes for Verifying the Hash Value for Package Integrity in Acunetix 360 On-Premises

The hash value for the “25.11.0.zip” file is provided below. You can verify the integrity of the file by checking its hash value using one of the outlined methods:
Release Package Hash Value: 2793E21FE9164725FDEBB6662EF71E55A88C0E96A9B9224133A467BA2B5FA835

Methods to Verify the Hash Value:

PowerShell (Windows):

Get-FileHash -Path "25.11.0.zip" -Algorithm SHA256

Command Prompt (Windows):

certutil -hashfile "25.11.0.zip" SHA256

Linux or macOS:

sha256sum "25.11.0.zip"

New features

• LDAP Integration: Permanently enabled LDAP integration for on-premise WebApp installations by removing its associated feature flag. LDAP functionality is now available by default
• Added Post-Request Script feature (Read more)
• Added API GET method to retrieve scheduled scans by ID

Improvements

• Updated plugin dependencies to address known security vulnerabilities and improve overall stability; upgraded Jenkins compatibility to version 2.474
• Increased the timeout duration for IAST responses to prevent premature failures
• When user roles changes details are now available on Activity Logs
• Jenkins Plugin: Corrected misleading UI validation for the “Report Type” parameter within the “Netsparker Enterprise Scan” build step. The field no longer incorrectly appears as required, clarifying its optional nature
• Added validation to ensure base scan file existence before initiating Incremental or Retest scans, preventing potential scan failures due to missing dependencies
• Improved design of Authentication Verifier Service page
• Added support for configuring the temp file via appsettings.json or an environment variable
• Updated workflows to improve reliability and security while maintaining alignment with GitHub’s best practices
• Updated the Jenkins plugin script generation to use the latest GitHub Actions versions and ubuntu-latest runner for improved compatibility and security
• Addressed multiple versions of GitHub Actions available in the marketplace
• Improved incremental scanning
• Implemented an enhancement to capture the token information present in the response during the OAuth2 Implicit Flow
• Added new REST API endpoint (agents/listverifiers) to retrieve AV agents data
• Implemented an enhancement to enable more effective cookie management when HTTP/2 is enabled
• Updated Microsoft.OpenApi to version 2.0 preview to support OpenAPI 3.1.0 for improved API scanning
• Agent and Verifier download names now come in certain format
• Minor security patch for the Authentication Verifier service
• Improved suspend mechanism in JIRA integration

Resolved issues

• An improvement has been made to allow multiple secrets to be used simultaneously within a single custom header
• File Uploads: Expanded the allowed MIME types for ZIP file uploads to include application/zip and application/x-zip. This resolves issues where ZIP files uploaded from certain operating systems (e.g., Mac/Linux) were not recognized due to variations in reported MIME types
• Resolved an issue where duplicate X-Content-Type-Options headers triggered false missing header reports
• Resolved discrepancy between API (listByWebsite) and UI (Recent Scans) results
• Fixed an issue with verifying the existence of links in the link pool
• Resolved an issue where SSL certificate chain errors blocked UI or auto-update of Internal Verifier Agents on Linux
• Implemented logic to create the UserDocumentsDirectoryPath when it doesn’t already exist
• Added support for defining headers and HTTP method during CSV import
• Resolved an issue where multiple versions of Next.js were not properly displayed in the Technologies dashboard and Scan Reports
• Added a note for values requiring wrap-around quotes in API

Notes for Verifying the Hash Value for Package Integrity in Acunetix 360 On-Premises

The hash value for the “25.7.0.zip” file is provided below. You can verify the integrity of the file by checking its hash value using one of the outlined methods:
Release Package Hash Value: 55449537AFC3B384CC721BD04085FDCE8D600DF6D98CE9EC506AF2CB5A2C5B1F

Methods to Verify the Hash Value:

PowerShell (Windows):

Get-FileHash -Path "25.7.0.zip" -Algorithm SHA256

Command Prompt (Windows):

certutil -hashfile "25.7.0.zip" SHA256

Linux or macOS:

sha256sum "25.7.0.zip"