Release Notes

Acunetix 360 On-Demand

v26.6.1 - 16 Jun 2026

The latest release introduces pre-scan auth validation, interactive MFA login, sitemap data retention, and security patches.

New features

  • Pre-scan authentication validation for NTLM, Basic, and Kerberos: Scans can now be configured to fail immediately if credentials are invalid, preventing unauthenticated scans from running silently.
  • Sitemap data retention policy now available in General Settings: Root users can now enable automatic cleanup of sitemap data older than one year, helping manage storage and keep scan data relevant.
  • Interactive Login now supported on the Form Authentication page: Users can now handle MFA, CAPTCHA, and other interactive authentication steps directly within the UI during scan setup. Captured sessions are stored encrypted and reused automatically across future scans.

Improvements

  • Docker agent updated with latest security patches: The Docker agent base image has been updated to address a critical OpenSSL vulnerability.
  • Scans now fail immediately when the target returns HTTP 502: If the first response is a 502, the scan stops right away rather than continuing against an unreachable target.

Resolved issues

  • Custom policy severity settings no longer reset after a product update: User-configured severity levels in custom report policies are now preserved across upgrades.
  • Multiple scan notifications can now be created for the same target with different scan groups: Creating more than one “New Scan Notification” for the same target was incorrectly blocked when scan groups differed. The duplicate check now accounts for scan group selection.
  • Login/Logout Verification dialog no longer shows stale errors on quick reopen: Closing and immediately reopening the verification modal no longer causes outdated error messages or incorrect UI state to appear.
  • Targets can no longer be re-imported before the deletion grace period has elapsed: A target deleted within the last week could cause “already exists” errors when re-adding the same URL. This is now handled correctly.
  • Remediation scans now correctly use the target’s assigned agent group: On-Prem remediation scans triggered via “Mark as Fixed (Unconfirmed)” were getting stuck in queue because the wrong agent was selected instead of the target’s configured internal agent group. Remediation scans now use the same agent selection logic as full and retest scans.
  • Splunk plugin link now directs to the correct page: The Splunk integration link was pointing to an incorrect destination and has been fixed.
  • Report generation no longer fails for findings with expired request/response data: Generating reports that included older findings where HTTP request/response data had been purged per the retention policy could cause the report to fail entirely. The report engine now handles missing evidence gracefully.
  • Sensitive information masking logic improved: The “Prevent any sensitive information showing within the product” option now works more reliably across relevant areas of the UI.
  • FIDO2 security key (YubiKey) registration no longer fails with “Incorrect U2F security key” error: A dependency version mismatch was causing YubiKey registration to fail. This has been resolved and FIDO2 keys can now be registered successfully.

Security checks

  • JavaScript Source Map detection now available: Added a “JavaScript Source Map detected” vulnerability to the security checks.

v26.6.0 - 11 Jun 2026

The latest release provides enhanced security checks and updates.

Security & reliability updates

  • Enhanced Security: Dependency Vulnerability Fixes. We have resolved security vulnerabilities in third-party libraries used within the platform. These fixes eliminate potential attack vectors and ensure your environment remains protected against known exploits.
  • Platform Security Patches (.NET 8.0.28): We have updated the core runtime powering our Scanner/AV Agent and Auth Verifier Service Hub to incorporate the latest Microsoft security patches. This ensures your environment benefits from the most recent protections against emerging threats, keeping your data and services secure.

Security checks

  • Imported scripts, including JavaScript source map detection.

v26.5.1 - 21 May 2026

The latest release includes the AutoMapper CVE-2026-32933 fix, an evidence field for version disclosure, improved MongoDB detection accuracy, and a notification fix.

Security checks

  • CVE-2026-32933 remediation: Upgraded the AutoMapper library to remediate CVE-2026-32933, protecting your environment against the recently disclosed unbounded-recursion vulnerability.

New features

  • Evidence field for version disclosure and outdated technology findings: Version disclosure and outdated technology findings now include an evidence field that shows exactly where the scanner detected the library, so you can locate and remediate the source faster.

Improvements

  • MongoDB injection detection accuracy: Improved the Boolean-based MongoDB injection detection engine to reduce false positives on applications that don’t use MongoDB.

Resolved issues

  • Notifications to deactivated or deleted users: Notification emails no longer reach users who have been deactivated or deleted while an active notification relationship still exists, so scan-completion alerts only go to active recipients.

v26.5.0 - 12 May 2026

The latest release includes agent security patches, fixes for report policy upgrades, and SSO team API assignment.

Improvements

  • .NET 8 security patches in scanner/AV agent: Updated the .NET 8 SDK to the latest version to include Microsoft’s newest security patches in the internal scanner/AV agent, keeping your agents protected against recently disclosed .NET vulnerabilities.

Resolved issues

  • User-edited report policy sections preserved on upgrade: Your customizations to CWE values and vulnerability template sections in report policies are no longer overwritten during version upgrades, so you don’t lose tuning work each time you upgrade.
  • Team assignment via member invitation API: The /members/newinvitation endpoint now applies and returns the Teams field for SSO-only users, matching the UI and the /members/new endpoint.

v26.4.2-HF - 29 Apr 2026

This release includes the CVE-2026-40175 remediation.

Improvements

  • CVE-2026-40175 Remediation: Remediated CVE-2026-40175 by upgrading the Axios library in Acunetix 360.

v26.4.1 - 28 Apr 2026

The latest release improves authentication stability and secures user onboarding.

Resolved issues

  • Login & logout verification: The “Verify login and logout” button has been fixed, ensuring you can validate your authentication settings without interruption.
  • Invite email protection: You can no longer change the invitee’s email during team or account invitations, ensuring invitations always go to the correct, intended address.

v26.4.0 - 14 Apr 2026

The latest update enhances Chromium reliability and includes the CVE-2026-2781 security patch, API Hub integration fixes, and improved scan stability.

Improvements

  • Chromium process tracking: Improved detection and cleanup of stalled Chromium processes, ensuring smoother and more reliable scan performance.

Resolved issues

  • CVE-2026-2781 protection: Docker and OpenShift scanner agent OS libraries are updated to shield your environments against this specific vulnerability.
  • API Hub inventory linking: API inventory items now link correctly after updating to the latest API Hub. No further action needed.
  • API Hub JWT key reliability: This update fixes an issue where API Hub’s newly generated JWT shared key and access token failed authorization after reinstalling API Hub in a fresh environment.
  • DefectDojo report imports: Reports from DefectDojo now import successfully again after their recent API changes.
  • Auth Verifier Chromium stability: Auth Verifier Agents no longer get stuck with hung Chromium processes during verification flows.
  • DST scan schedule timing: Scan schedules no longer jump by an hour after Daylight Saving Time changes.

v26.3.1 - 31 Mar 2026

The latest update improves authentication, reporting, and agent stability.

Improvements

  • WSDL upload reliability: You can now upload WSDL files without errors, so integrating your web services is smoother and more reliable.
  • Passive engine proxy stability: Scans that use a custom web proxy now run more reliably, so your targets are scanned without unexpected timeouts or interruptions.

Bug fixes

  • Notification delivery reliability: Scan completion emails now send correctly again, so your team reliably receives alerts when scans finish.
  • OAuth scan export reliability: Scans that use OAuth settings now export successfully, so your scan data is complete and available without errors.

v26.3.0 - 10 Mar 2026

This release introduces support for OWASP Top Ten 2025 classification and performance improvements.

New features

  • Added OWASP Top 10 2025 classification and reporting support
  • Implemented OWASP Top 10 2025 classifications in Report Policies

Improvements

  • Implemented VDB update for auth verifier agent
  • Upgraded SQLite-related packages
  • Improved Web Cache Deception detection accuracy and refined the response validation logic to handle authentication edge cases

Resolved issues

  • Improved the generation of preferences files for client certificate usage in the browser
  • Fixed an issue where some nodes were missing in the Knowledge Base under specific scan conditions
  • Fixed an issue where URLs imported via file or added manually weren’t transferred from Invicti Standard to Invicti Enterprise scans