2025
December
Release 52
- (SAST) New rules:
- F014 Java Spring Observable Time Discrepancy
- F045 Java CSS Injection
- F086 Java Download of Code Without Integrity Check
- F107 Java LDAP Query Injection
- F268 Java Unsafe Local File Access
- F014 Go Unsafe Reflection
- F022 Go gRPC Insecure Server Connection
- F201 Dart Resource Updated By URL Data
Release 51
- (SAST) New rules:
- F014 Scala Spring Expression Language Injection
- F280 Java Session Fixation
- F063 Dart Absolute Path Traversal
- F332 Dart Sensitive Information Exposure in Cleartext Channel
- F360 Java Clickjacking
- F385 Dart Use Hardcoded Cryptographic Key in Client
Release 50
- (AI-SAST) SQL Injection: Added SQL Injection vulnerability detection to the AI scanner.
- (AI-SAST) XSS: Added Cross-Site Scripting (XSS) vulnerability detection to the AI scanner.
- (ASPM) Add filtering options to the files table : Added dynamic filtering options to the Files table, including task actions and file-type filters, to improve search accuracy and navigation. Only relevant filters now appear based on available data.
- (ASPM) Enable file deletion in design map : Updated file-deletion permissions in Design Map to enable this action for the intended roles: User, Group Manager and Vulnerability Manager.
- (MCP) Using scanners through MCP : Added MCP tools to guide AI agents in running SAST and SCA scanners via Docker, including configuration and execution steps.
- (SAST) New rules:
- F014 C# Unsafe Reflection
- F355 Scala Inclusion of Functionality from Untrusted Control Sphere
- F020 C# Insecure Data Storage
- F372 Scala Cleartext Transmission of Sensitive Information
- F316 C# Buffer Overflow
- F297 Java Unsafe Input SQL Injection
Release 49
- (ASPM) Environments table improvements : Secrets alerts, CSPM icons and “Is Production” column: Added missing-secrets warnings and improved CSPM icons to match the new design. Renamed “Is Production” to “Deployment stage” with clearer status labels.
- (ASPM) Add input and visualization of RASP controls in app mobile environments : Added RASP input for mobile environments with updated filenames and visual indicators in the environments table. Any RASP changes are now notified through the environment alert notification.
- (ASPM) Add filtering options to the environments table : Improved the Environments table with filters for Git root, status, deployment stage, and environment type for faster, more accurate search.
- (DB) Database updates for SCA vulnerabilities mitigation options : SCA vulnerabilities now show patch impact info, noting that minimal updates may add new issues or breaking changes.
- (DB) Research team advisories on vulnerabilities page : Advisories discovered by Fluid Attacks are now tagged “Discovered by Fluid Attacks,” indicating whether the source is our pentesters, our scanner, or external pentesters via us.
- (SAST) New rules:
- F014 Scala Unsafe Reflection
- F211 JS ReDos User Input
- F211 TS ReDos User Input
- F052 JS Unsafe MD5 Encryption
- F052 TS Unsafe MD5 Encryption
- F201 Scala Resource Injection
- F107 Scala LDAP Query Injection
- F404 Scala Command Injection
- (Reachability) New rule: Python CVE-2024-24762.
November
Release 48
- (IDE plugins) Add reattack support to IntelliJ : Users can now request reattacks from our IntelliJ plugin to verify if vulnerabilities were properly fixed.
- (SCA) Advisories database update frequency : We now update our advisories database five times a day, enabling us to report vulnerabilities related to newly published CVEs to our clients more quickly.
- (SAST) New rules:
- F063 Unsafe Input Path Traversal Scala
- F014 Swift Unsafe Reflection
- F009 Swift Hard-coded Cryptographic Key
- (Reachability) New rules:
Release 47
- (ASPM) Edition flow for mobile app environments improvements : Updated the mobile app environment edition flow to support new questions. Users can now edit RASP controls and production status in addition to replacing the binary file, with guidance fields, such as access method and app name, shown as read-only.
- (ASPM) Executive Report template enhancements : Updated the Executive Report PDF template to improve visual hierarchy, align with the design system, enhance navigation, and reduce document length, without changing report content.
- (DB) Filters on vulnerabilities page : Added new filters, including search, severity, access type, and a dynamic ecosystem filter that updates based on the selected asset type.
- (SAST) New rules:
- F017 Swift Sensitive Information Compromised
- F014 Insecure Functionality Ruby
- F184 Resource Injection Ruby
- (Reachability) New rules:
Release 46
- (ASPM) Improve Mobile App environment adding flow (binary file access) : Improved Mobile App environment creation with a guided, uninterrupted flow supporting in-modal binary selection or upload, updated inputs, and clearer environment type options.
- (ASPM) Enable additional access methods for mobile app environments setup : Added new mobile access methods (TestFlight, Firebase, App Store Connect, Google Play Store) with dynamic fields, confirmation flow, and email notifications.
- (ASPM) Single active branch per repository per organization : Enforced a new rule allowing only one active branch per repository per organization across all entry points (API, CSV, platform).
- (SAST) New rules:
- F014 Insecure Functionality PHP
- F014 PHP Observable Timing Discrepancy
- F184 Unsafe Reflection PHP
- F184 Improper Verification of Cryptographic Signature PHP
- F422 Improper Neutralization Template Engine
- (Reachability) New rules:
Release 45
- (SAST) New rules:
- F096 Python Insecure deserialization with pickle
- F213 Python Exposure of sensitive data in the JWT payload
- F184 Expression Language Injection Kotlin Spring
- F184 Python User-controlled dynamic import
- F014 Insecure Functionality Kotlin Spring
- F004 Python Shell injection in Paramiko
- (Reachability) New rules:
October
Release 44
- (ASPM) Plan upgrade and downgrade improvements : Clients can now easily upgrade or downgrade their plans, with a clear understanding of the benefits and potential drawbacks of doing so.
- (ASPM) Repository settings : The section where repository exclusions and Health Checks (HCK) were managed has been renamed to “Repository settings”, featuring repository-specific configurations with default values aligned to Fluid Attacks’ recommendations to improve clarity, efficiency, and user confidence during setup.
- (ASPM) Executive report improvements : Updated the executive report to show the highest severity in the consolidated view and display each weakness’s severity in the detailed view for greater accuracy and transparency.
- (SAST) New rules:
- F184 Unsafe Reflection Kotlin Spring
- F014 PHP RCE in WordPress
- F184 Resource Injection Kotlin Spring
- F004 Python RCE with unreliable input
- F004 Python Code Injection via exec
- F004 PHP Options Injection via eval
- F067 Integer Overflow Scala
- F143 Scala XSS via eval
- F067 Integer Overflow Java
- F100 JS SSRF via Untrusted Input
- F100 TS SSRF via Untrusted Input
- F100 JS Playwright addInitScript Code Injection
- F100 TS Playwright addInitScript Code Injection
- (Reachability) New rules:
Release 43
- (SAST) New rules:
- F100 Scala SSRF through unvalidated URL
- F008 C# .config Request Validation Disabled
- F100 Scala Unvalidated External URL Enables SSRF
- F100 SSRF via urllib.request.urlopen in Django
- F100 Python SSRF by interpolation of client input into URL
- F039 C# Inexplicit Anonymous Access in .NET endpoint
- F404 JavaScript Node JS Command Injection
- F404 Java Command Injection
- F016 Go SSL/TLS Insecure Encryption
- F148 Go TLS Insecure Skip Verify
- F008 C# Request Validation Disabled
- (Reachability) New rules:
Release 42
- (ASPM) Recognize active session : Users were prompted to log in again when accessing the root URL (app.fluidattacks.com). Now, active sessions are recognized and users are redirected to /home as expected.
- (ASPM) CVSS 3.1 has been completely deprecated from our platform.
- (SAST) New rules:
- F128 Go HttpOnly Disabled
- F130 Go Secure Cookie Disabled
- F143 JS Implied Eval Injection
- F143 TS Implied Eval Injection
- F096 Scala Deserialization of Untrusted Data
- F096 Ruby Yaml Load Insecure Deserialization
- F008 Ruby XSS Insecure HTML Safe
- F008 Dart Flutter Reflected XSS
- F008 Scala Reflected XSS
- (Reachability) New rules:
Release 41
- (ASPM) Update plan changes notification : Emails sent when a client changes their plan are now more explanatory, detailing what was changed and the benefits or drawbacks of the change.
- (ASPM) Filtered view to show Top 20 vulnerabilities by Priority : A filtered view, accessible with the click of a button, has been added to the weaknesses view to highlight the global Top 20 vulnerabilities with the highest remediation priority.
- (All) From KB to db.fluidattacks.com: Now, all references to our DB (advisories, weaknesses, fixes, requirements, standards) in our product point to db.fluidattacks.com, our new source of truth.
- (SAST) New rules:
- F027 Java Dangerous File Upload
- F004 Java Unsafe Reflection
- F100 C# HTTP Request SSRF
- F021 C# XmlNode Xpath Injection
- F148 Go SSH Accept Any Host Keys With InsecureIgnoreHostKey
- F063 Swift Vapor Path Traversal
- F134 Scala PlayFramework Insecure CORS Configuration
- F309 Kotlin JWT Sign None
- F148 Ruby OpenSSL verification mode None
- (Reachability) New rules:
Release 40
- (ASPM) Priority : Now, platform users can see a Priority column that combines multiple criteria, such as CVSSF, KEV, EPSS, Reachability, and fixing cost, among others, to help them determine which vulnerabilities to fix first.
- (ASPM) Improve UX for multi-select filters with long option names : Improvements were made to prevent UI overflow when multiple filters with long option values are displayed.
- (ASPM) Approval tables improvements : Rows now switch from action buttons to status tags, with clear undo options and feedback messages. Bulk actions are supported through checkboxes with ‘Approve All’ / ‘Reject All’ controls.
- (DB) Fixes section UI improvements : Added Fixes landing, category, and internal pages with cards, filters, and breadcrumbs.
- (DB) Compliance section UI improvements : Added Compliance landing, category, and internal pages with cards, filters, and breadcrumbs.
- (IDE plugin) From KB to db.fluidattacks.com : Every reference in our VSCode/Cursor extension to vulnerabilities’ information now points to db.fluidattacks.com.
- (SAST) New rules:
- F096 Java ObjectMapper Insecure Deserialization
- F008 Kotlin Spring Boot Reflected XSS
- F156 Java Open Redirect
- F027 Ruby Dangerous File Upload
- F027 JS Express Dangerous File Upload
- F027 TS Express Dangerous File Upload
- F156 PHP Symfony Insecure Redirect
- F027 Php Unsafe File Upload
- F107 PHP LDAP injection
- F183 PHP Debug Enable
- F297 GORM SQL Injection
- F130 PHP Cookies Secure Disabled
- (Reachability) New rules:
September
Release 39
- (DB) Homepage improvements : Added top bar, navigation, and homepage UI improvements.
- (DB) Weaknesses section UI improvements : Added Weaknesses landing, category, and internal pages with cards, filters, and breadcrumbs.
- (DB) Requirements UI improvements : Added Requirements landing, category, and internal pages with cards, filters, and breadcrumbs.
- (SAST) New rules:
- F297 Dart Raw SQL Injection
- F297 PHP Laravel Raw SQL Injection
- F297 Swift SQL Injection
- F297 Scala Tainted SQL Injection
- F297 Python SQL Injection
- F008 Flask Reflected XSS
- F404 Python Asyncio Subprocess command injection
- F007 Scala CSRF Headers Bypass
- F134 Kotlin Insecure CORS Origin
Release 38
- (ASPM) Package imports view with transitivity grouping : Entering from the Locations column in Packages, a second view displays the detailed locations where each dependency was found, grouped by transitivity.
- (IDE Plugin) Custom Fix in the IntelliJ integration : The IntelliJ plugin now supports Custom Fix, allowing developers to get tailored remediation guides generated with AI.
- (ASPM) Integrated KEV Information into Package details : Details of vulnerabilities found with SCA now indicate whether they are listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and clients can filter by this parameter to better prioritize remediation.
- (SAST) New rules:
- F007 Ruby Missing CSRF Protection
- F007 Python Django No CSRF
- F007 PHP Symfony CSRF Protection
- F007 Php WP Plugins CSRF Audit
- F404 Python OS Command Injection
- F100 Kubernetes Host Probes SSRF
Release 37
- (ASPM) Added placeholders to table search bars : Reviewed all search bars across the platform and updated placeholders to help users understand which fields can be searched.
- (ASPM) Not configured days to technical debt : The “Days to technical debt” column in Policies now displays “Not configured” when this policy has not been set.
- (ASPM) Increased character limit for Key field : Values for “Key” in the secrets management window can now be longer, so the field can support full email addresses and extended identifiers.
- (ASPM) “Manage Members” can be dismissed by clicking outside or scrolling : The “Manage Members” dropdown now closes on outside clicks and adjusts or closes when scrolling.
- (ASPM) Improved API error messages and whitespace handling : Enhanced API error messages for Docker image additions and now automatically trim leading/trailing whitespace in URIs.
- (SCA) Malware advisories : Updated the scanner to report malware advisories for npm packages.
Release 36
- (ASPM) GenAI fix support for SCA vulnerabilities : The “How to fix” button now generates a remediation guide for SCA vulnerabilities.
- (ASPM) Organization vulnerabilities report : Now this report is generated asynchronously instead of once a day, allowing users to get updated information whenever a report is requested.
- (ASPM) Enhanced “Packages” and improved SBOM export flow : Merged ‘Docker images’ tab into the ‘Packages’ tab and enhanced the SBOM export modal with clearer options, filtering, and validation.
August
Release 35
- (ASPM) Renamed “Surface” section to “Inventory” : Renamed Surface to Inventory, moved Packages to the first tab in Inventory, and grouped technical attributes under a Surface tab.
- (ASPM) Enhanced Last commit filter in Inventory : Now under the Inventory → Surface → Lines subtab, users can copy the entire commit hash from the Last commit column to filter using this parameter.
- (ASPM) Deprecated “Black” service : Our platform no longer allows the creation of groups under the “Black” service (black-box testing) or the updating of existing ones to this service. Current clients using this service are not affected by the change.
- (ASPM) Redesigned Packages section : Enhanced Packages as a new dependency inventory view with auditing, SBOM generation, risk insights, and compliance support, including updated columns and filters.
- (SAST) New rule: F164 Swift Insecure KeyChain ACL.
Release 34
- (ASPM) Deleted “Download analytics” button : The feature to download a PNG image containing the graphs and figures in the Analytics sections is no longer available.
- (ASPM) Replace weaknesses count with vulnerabilities count in the Groups section : Clients can now view open vulnerabilities within their groups in the “Groups of your organization” section, providing immediate insight into which groups have more open vulnerabilities.
- (ASPM) Agent rename to CI Gate in emails : “CI Agent” was replaced with “CI Gate” in all platform notifications.
- (DB) Search feature : Clients can now use a search feature to help them navigate our Database.
- (SAST) New rules:
- F016 Swift Weak TLS Configuration
- F008 Swift WebView LoadHTMLString XSS
- F060 JavaScript Insecure postMessage Wildcard
- F060 TypeScript Insecure postMessage Wildcard
- F014 Swift Deprecated WebView Usage
- F434 JavaScript Client-Side Template Injection
- F434 TypeScript Client-Side Template Injection
Release 33
- (ASPM) Remove “Weekly trend” from the Compliance section: Weekly trends indicator was removed from Compliance to improve clarity.
- (ASPM) Agent rename to CI Gate : Now, under the DevSecOps section, the ‘Agent’ is called ‘CI Gate’ to align with its purpose and the security gates configuration.
- (SAST) New rules:
- F021 Kotlin XPath Injection
- F297 Kotlin SQL Injection
- F404 Kotlin Code Injection
- F096 Kotlin Insecure Deserialization
- F014 Ruby on Rails Mass Assignment
- F052 Swift Weak Hash Algorithm
Release 32
- (ASPM) Updated empty states in vulnerabilities table : Updated the empty states in the Vulnerabilities table columns to ensure they are consistent and easy to understand.
- (ASPM) Added Undeterminable to dependency type filters : Clients can now filter by the “Undeterminable” option in the dependency type filters of the vulnerabilities table.
- (ASPM) Added “Fix with AI” filter : Clients can now filter by the “Fix with AI” attribute in the Vulnerabilities sections, making it easy to find vulnerabilities that have an AI-generated fix available.
- (DB) Moved database page to db.fluidattacks.com : To improve ease of use and consultation, all our vulnerabilities, security requirements, fixes, and standard details can now be found at our Database.
- (SAST) New rules:
- F100 Kotlin SSRF From Untrusted URL
- F014 PHP Arbitrary File Read
- F404 Ruby Command Injection via Open3
- F008 Ruby Reflected Cross-Site Scripting
- F297 Ruby SQL Injection
- F404 Ruby Code Injection via eval
- F017 PHP Insecure Session Configuration (use_only_cookies)
July
Release 31
- (ASPM) Improved “How to fix” tab : Improved the design of the “How to fix” section and made the tab always visible for open vulnerabilities, added an “Auto-fix” button for supported cases, simplified the modal flow, and added guidance when Autofix is unavailable.
- (ASPM) Markdown input validations : The platform now runs validations in the Group context and Disambiguation before submitting or closing Markdown inputs to shorten the feedback loop on entered text.
- (ASPM) New webhooks : Added notifications for confirmed zero-risk vulnerabilities.
- (Reachability) New rules:
- (SAST) New rules:
- F063 Kotlin JAX-RS Path Traversal
- F100 PHP Server Side Request Forgery
- F021 PHP XPath Injection
- F404 PHP Preg Replace Code Injection
- F297 PHP SQL Injection
- F123 PHP Local File Inclusion
- F063 Ruby File Join Path Traversal
Release 30
- (Fixes) Support for new files : Our Custom Fix and Autofix features now support Docker files.
- (IDE plugin) Updated IntelliJ extension compatibility : Fluid Attacks’ extension can now be used in the latest version of IntelliJ IDEA.
- (APK CLI) Improvements in outputs : The CVSS3.1 field was deprecated and the CVSS4 field was added.
- (CSPM CLI) Improvements in outputs : The CVSS3.1 field was deprecated, and the CVSS4 field was added.
- (DAST CLI) Improvements in outputs : The CVSS3.1 field was deprecated, and the CVSS4 field was added.
- (SAST CLI) Improvements in outputs : The CVSS3.1 field was deprecated, and the CVSS4 field was added.
- (SCA CLI) Improvements in outputs : The CVSS3.1 field was deprecated and the CVSS4, direct/transitive status, and EPSS score fields were added.
- (Reachability) New rules:
- (SAST) New rules:
- F404 Ruby Kernel Command Injection
- F008 Go HTML Template XSS
- F146 Go Database SQL Injection
- F098 Go OS Rename File Manipulation
- F404 Go Exec Command Injection
- F004 JS Unsandboxed Iframe
- F004 TS Unsandboxed Iframe
- F063 Go Path Traversal
- F052 JS JSONWEBTOKEN Allow Invalid Key Types
- F052 TS JSONWEBTOKEN Allow Invalid Key Types
Release 29
- (ASPM) Vulnerability and risk exposure summary : In vulnerabilities, added the number of open security issues, those that have available fixes with AI, and the total risk exposure share of the group.
- (ASPM) UI improvements in Group status and Plan columns : Improved the Group status and Plan columns in the Groups section by using colored tags for better readability and quick recognition of statuses (i.e., subscribed, suspended, free trial) and active plan.
- (ASPM) Enable opening weaknesses in new tabs : Enhanced navigation in Vulnerabilities by allowing users to open individual weaknesses in a new tab.
- (Fixes) Support for new files : Our custom fix and suggested fix features now support the following file types: .html, .yaml (Helm, CloudFormation, Docker Compose), .xml (Android), and .json (ARM).
- (SAST CLI) Improvements in scanner output : Now the console output is much more legible and clear, and the CVSS v4 score has been added.
- (SAST) New rules:
- F100 Go Net HTTP SSRF
- F405 Go Insecure File Permissions
- F021 Go XMLPath XPath Injection
- F100 Python HTTP Request SSRF
- F405 Python Insecure File Permissions
- F020 Swift Insecure Data No File Protection
Release 28
- (ASPM) Added ‘Copy’ button in location column : Users can now copy the vulnerability URL directly from the Location column using a new “Copy” button.
- (ASPM) Editing of “connection types” and “production_environments?” : Users can now edit the environment’s connection type and production status after registration.
- (ASPM) Improved visibility of treatments : Added colors to treatments in the Locations table to help distinguish them more quickly.
- (ASPM) Improved readability and implemented brand colors in report : The Executive Summary chart was updated with a larger font for readability, and overall, the colors were changed to align with Fluid Attacks’ chosen brand colors.
- (SCA) UV package manager support : Added support for the UV package handler, allowing uv.lock dependencies to be detected and reported.
- (SAST) New rules:
- F106 Python PyMongo NoSQL Injection
- F008 Python Insecure MARKUP XSS
- F083 Java JAXP Insecure SAXTransformerFactory XXE
- F083 Java JDOM2 Insecure SaxBuilder XXE
- F083 Java DOM4J Insecure SaxReader XXE
- F083 Java Insecure XML Validator XXE
- F083 Java Insecure XSLT Transformer Factory
- F100 Java SSRF From Untrusted URL
- F004 Java EL Injection From HTTP Request
- F096 Swift Foundation Insecure NSKEYEDUNARCHIVER
Release 27
- (ASPM) Persistent filters by default : Filters are saved in every table of the platform.
- (ASPM) Added Git root exceptions : Added specific exception handling when adding Git repositories to improve error flows.
- (SAST) New rules:
- F004 JavaScript Engine Code Injection
- F268 Swift WebKit Unsafe Local File Access
- F372 Swift Network Framework Insecure TCP Connection
- F094 XML JS/TS CryptoJS Insecure Use Of CBC Mode
- F134 Yaml Spring Insecure Cors Wildcard
June
Release 26
- (ASPM) Queued Git root cloning : Re-enabled the ‘Queued’ status for Git roots within scope for clarity and to allow clients to use this status as a filter.
- (ASPM) OWASP Top 10 for LLMs report : Users can now include the OWASP Top 10 for LLMs standard in their reports of noncompliance from the Compliance section.
- (SAST) New rules:
- F372 Swift Insecure HTTP
- F097 JQuery Reverse Tabnabbing
- F134 YAML AWS SAM Insecure Cors
- F134 Properties Spring Insecure Cors Wildcard
- F447 Gradle Missing Checksum Verification
- F359 Dockerfile Hardcoded Credentials CHPASSWD
- F264 XML .NET Weak Encryption Algorithm
- F134 XML Java EE Insecure Cors Wildcard
Release 25
- (ASPM) CVSS 4.0 is mandatory : All SAST, SCA, CSPM, and DAST reports include the CVSS 4.0 score from now on.
- (ASPM) Migrated tables to new design : Improved UX and usability for the following tables: Trusted devices, and Groups (in Portfolios).
- (MCP) Answering questions using Knowledge Base : Fluid Attacks’ MCP server can now answer users’ questions using the information in the Knowledge Base.
- (DB) OWASP Top 10 for LLMs verification : Fluid Attacks verifies that you comply with this new standard.
- (SAST) New rules:
- F264 Java Weak Crypto In SecretKeyFactory
- F094 Java Spring Weak CBC Cipher Suites
- F134 YAML Insecure Cors Header
- F405 YAML Insecure File Permissions for other
- F359 Build.Gradle Hardcoded Credentials
- F157 Terraform Azure NSG Allows Unrestricted SSH Access
- F157 Terraform Azure NSG Allows Unrestricted SMTP Access
- F157 Terraform Azure NSG Allows Unrestricted RPC Access
- F157 Terraform Azure NSG Allows Unrestricted PostgreSQL Database Access
Release 24
- (ASPM) Migrated tables to new design : Improved UX and usability for the following tables: Execution details (in DevSecOps), Credentials management window, subentries to new entry (Mailmap section), Treatment acceptance (in Locations), Update verification (in Locations), API token window, Records preview (in Locations) and Update affected reattacks (in Locations).
- (SAST) New rules:
- F332 Java Spring Datasource No Encryption
- F359 Package.json NodeJS Git Credentials Exposure
- F380 Dockerfile Curl No Checksum
- F380 Dockerfile Wget No Checksum
- F183 Android Debuggable Enabled
- F134 Swift Vapor Insecure CORS Header
- F016 Nginx Insecure SSL Protocols
- F134 Ruby On Rails Insecure CORS Header
- F043 Nginx Insecure CSP Inline Script
- F135 Nginx Insecure Cors Header
- F129 Python Flask Insecure Cookie Samesite None
- F129 Python Django Insecure Cookie Samesite None
- F216 Log Exposed Username in Path
- F134 PHP Laravel Insecure Cors Configuration
- F037 Spring Prometheus Endpoint Exposure
- F359 Java Spring Hardcoded Credentials
- F149 Java Spring Insecure SMTP
Release 23
- (ASPM) Enhanced the Surface table (Ports) : Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Ports).
- (SAST) New rules:
- F129 JS Express Insecure Cookie Samesite
- F129 TS Express Insecure Cookie Samesite
- F043 JS Insecure CSP Inline Script
- F313 JS Insecure TLS Reject Unauthorized in False
- F313 TS Insecure TLS Reject Unauthorized in False
- F043 Kotlin Insecure CSP Inline Script
- F134 JS Lambda Insecure Cors
- F134 TS Lambda Insecure Cors
- F338 Kotlin Hardcoded Salt Bytes
- F094 JS SSH2FTPClient CBC Cipher Used
- F094 TS SSH2FTPClient CBC Cipher Used
- F135 C Sharp Insecure SameSite Cookie Configuration
May
Release 22
- (SCA) Reporting Docker images vulnerabilities : Now, the vulnerabilities discovered in Docker images can be viewed in the Vulnerabilities table.
- (MCP) AI Agent to production.
- (SAST) New rules:
- F395 Kotlin Hardcoded Init Vector
- F135 CSharp ASP.NET Insecure Cookie Samesite None
- F134 JS Express Insecure CORS Header with Wildcard Origin
- F134 TS Express Insecure CORS Header with Wildcard Origin
- F395 Java Static IV in Base64 Scenarios
- F134 CSharp Insecure Use of Wildcard CORS Configuration
- F134 CSharp Insecure Cors Header via HttpWebRequest
- F125 CSharp ASP.NET Directory Browsing Enabled
- F078 CSharp ASP.NET AllowInsecureHTTP in True
- F043 Java Insecure CSP Inline Script
- F368 Java Host Key Checking
- F134 Java Insecure Cors Modifier
- F134 Java Spring Insecure Cors
- F129 Java Spring Cookiegenerator SameSite
- F129 Java Spring Insecure Cookie Samesite None
- F130 Java Spring Cookiegenerator Secure
- F060 Java JSCH StrictHostKeyChecking Disabled
- F052 Java Insecure Cipher Mode
- F134 Dart Shelf Insecure CORS Header
Release 21
- (ASPM) Package details : Added a new section in the vulnerability modal with the fields ‘Dependency’, ‘Dependency type’, ‘ID’, ‘%EPSS’, ‘Stage’, ‘Reachability’, ‘Version status’, ‘Affected version’, ‘CPEs’, ‘Namespace’ and ‘Advisory URLs’.
- (ASPM) ‘Potential’ tag : Added the new ‘Potential’ tag to let customers identify the dependencies that are imported in their code but whose vulnerability is not confirmed to be reachable.
- (SAST) New rules:
- F134 Go Gin Insecure CORS Header
- F359 Python Hardcoded Credentials in PyMySQL
Release 20
- (SCA) Reachability label : When a dependency is reachable, it appears as a tag in the inherited vulnerability.
- (ASPM) Enhanced tables in Organization Billing : Enhanced user experience with filtering, sorting, searching, and pagination in the Billing section.
- (ASPM) Enhanced the Surface table (Lines) : Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Lines).
- (ASPM) Enhanced the Members table (organization and groups) : Enhanced user experience with filtering, sorting, searching, and pagination in the Members table at both the organization and group levels.
- (Design Map) Delete files from Design Map : Clients can now delete uploaded files from this section.
- (Design Map) UI Improvements : Renamed columns, added tooltips, and improved alignment, sorting, and layout.
- (Design Map) Multilingual classification support : Design Map now supports documents in both English and Spanish.
Release 19
- (ASPM) Enhanced tables for IP roots and URL roots : Enhanced user experience with filtering, sorting, searching, and pagination in the Scope section.
- (ASPM) Enhanced the Surface table (languages) : Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Languages).
- (ASPM) Authorization improvements : Permissions for the User role were updated so that it cannot remove environments from the scope, restricting this action to higher-level roles only: Group Manager and Vulnerability Manager.
- (ASPM) Inherited vulnerabilities filtering : ‘Inherited’ vulnerabilities can now be filtered by dependency type (‘Direct’ or ‘Transitive’), EPSS, package manager, stage (‘Run’ or ‘Build’) and by whether they are reachable or not.
- (SAST) New rules:
- F006 C Sharp Token Validation Bypassed via Unsafe Delegates
- F061 C Sharp Insecure DLL loading
April
Release 18
- (Design Map) Correlate threats : Clients can now correlate threats identified in their security designs with vulnerabilities reported by Fluid Attacks.
- (IDE) Cursor IDE extension: Our clients’ development teams can now check reported vulnerabilities, request reattacks, generate fixes using artificial intelligence, and request treatments, all without leaving the Cursor IDE.
- (ASPM) Enhanced the Integrations table : Enhanced user experience with filtering, sorting, searching, and pagination in the Integrations section.
- (ASPM) Enhanced the Surface table (packages) : Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (packages).
- (ASPM) Enhanced Scope tables : Enhanced user experience with filtering, sorting, searching, and pagination in the Scope subsections.
- (MCP) Fluid Attacks’ Model Context Protocol : Launched a new integration that enables users to query real-time security data from Fluid Attacks through natural language prompts in AI tools such as Claude or VS Code using Copilot as the agent. This is possible with minimal setup and no need for complex commands.
- (SAST) Architecture improvements in Fluid Attacks’ scanner : Aiming for a cleaner architecture and better separation of concerns, our APK scanner is now a separate CLI with its own Docker image.
- (SAST) New rules:
- F089 C Sharp Insecure Deserialization Of Untrusted XML in .NET DataTable
- F260 C Sharp Memory Corruption Risk Due to Serialization of Pointers
- F007 C Sharp Lack of ViewState association with session in ASP.NET Web Forms (CSRF)
- F115 C Sharp Insertion of Untrusted Certificate into Root Store
- F130 C Sharp Insecure Cookie Transmission via Unset Secure Flag in ASP.NET Core
Release 17
- (ASPM) Upgrade plan flow from Talk to a Pentester : If clients with the Essential plan would like to use the ‘Talk to a Pentester’ feature, which is available only in the Advanced plan, they can easily request an upgrade from the dialog when attempting to access the feature.
- (ASPM) Upgrade plan flow from Reattack : Clients who downgraded to the Essential plan and want to reattack vulnerabilities previously found via RE, SCR, and PTaaS can easily request a plan upgrade from the dialog when attempting to access the feature.
- (ASPM) Enhanced the Vulnerabilities table : Enhanced user experience with filtering, sorting, searching, and pagination in the Vulnerabilities section.
- (ASPM) Enhanced Logs tables : Enhanced user experience with filtering, sorting, searching, and pagination in the Logs subsections.
- (SCA) Change displayed technique for types 431 and 120 : Vulnerability types 431 and 120 now accurately display ‘SAST’ as the technique that detected them.
- (SAST) New rules:
- F056 JS/TS Insecure gRPC Communication via createInsecure
- F125 C Sharp Insecure Configuration: Directory Browser Middleware Exposes Filesystem
- F140 C Sharp Insecure Corrupted State Exception (CSE) Catching in .NET
- F204 JS/TS Mass Assignment via Object.assign in Express
- F323 C Sharp XML External Entity (XXE) via Insecure DTD Processing in XmlReaderSettings
- F422 C Sharp Server-Side Template Injection (SSTI) in Razor
Release 16
(SAST) New rules:
- F115 JS Improper CSRF Middleware Order
- F115 TS Improper CSRF Middleware Order
- F002 JS Uncontrolled Error Object Allocation via Ajv allErrors Option
- F002 TS Uncontrolled Error Object Allocation via Ajv allErrors Option
- F014 C Sharp Insecure Random Number Generator for Cryptographic Key Generation
Release 15
- (ASPM) Enhanced flow for upgrading to paid plans : Improved the flow to make it easier for free trial users to upgrade their plan.
- (ASPM) Management options in credentials table : Options to edit and remove credentials are now accessible through a single button for a cleaner look.
- (ASPM) Columns in Surface table : Added new filters and columns UI to ease data filtering.
- (SBOM) Support of packages.swift : packages.swift files now appear in SBOM.
- (SAST) New rules:
- F068 JS Missing Path In Session Cookie
- F068 TS Missing Path In Session Cookie
- F146 PHP MySQL Query Injection
- F134 Go Gin Framework Insecure CORS
- F006 JS JWT Token Forgery
- F006 TS JWT Token Forgery
- F134 Koa Framework Insecure CORS
- F431 Swift Package Missing Package Lock
Release 14
- (ASPM) Improved Acceptance section in Policies : The process for requesting acceptance policies was simplified by improving the user interface, making treatment statuses, temporary and permanent acceptances, as well as the section’s functionality and tables, clearer.
- (ASPM) Improved reattack flow and messages : Improved the user flow to request a reattack from three to two clicks and implemented detailed error messages.
- (ASPM) Updated PDF available in the free trial : Updated the PDF about plans and prices linked in the banner shown to free trial users.
- (Reachability) New rules:
- (SAST) New rules:
- F085 Flutter Framework Sensitive Information Stored in SharedPreferences
- F332 Ruby OpenURI Request
- F130 PHP Laravel Cookie Insecure
- F183 JS Struts Debug Mode enabled in production
- F371 JS Angular Use Of Insecure InnerHtml
- F371 TS Angular Use Of Insecure InnerHtml
- F008 PHP Laravel Reflected XSS
- F151 Ruby NET Telnet Request
March
Release 13
- (ASPM) Moved existing filters to a new design : Implemented a new filter design in the organization’s Logs and groups’ Scope sections to ease data filtering.
- (Agent) Ignoring SCA findings when breaking the build : Now, our Agent receives a flag (--inherited) that allows users to decide whether they want to ignore vulnerabilities reported by the SCA scans when breaking the build, specifying if they are used in development (build), production (run), or any of those (all) stages.
- (Reachability) New rules:
- (SAST) New rules:
- F157 Helm Insecure Ingress Egress
- F134 Ruby On Rails Insecure CORS
- F008 React Native WebView JS Enabled
- F097 Vue JS Reverse Tabnabbing
Release 12
- (ASPM) Added Origin quick filter in Locations : Now vulnerabilities can be filtered by their origin (‘Inherited’, ‘Injected’).
- (ASPM) Moved existing filters to a new design in the organization’s views : Implemented a new filter design in the organization’s Billing, Mailmap and Members sections to ease data filtering.
- (SCA) Move SCA reports from general 011-393 findings to specific ones according to CVE : Now, our scanner reports SCA vulnerabilities to specific findings instead of grouping all reports together in the same general category.
- (Reachability) New rules:
- (SAST) New rules:
- F372 Ruby Net HTTP Client Request
- F052 Scala JWT Generation Without Valid Signature
- F052 Scala Insecure Key Secret
- F134 Python Starlette Insecure CORS
- F052 Scala Insecure Hash Argument
- F052 Scala Insecure Key Secret
Release 11
- (ASPM) Moved existing filters to new design in locations view : Implemented a new filter design inside the Locations section to ease data filtering.
- (ASPM) Testing multiple environments : Allow clients to indicate which registered environment corresponds to production, so Fluid Attacks can perform the proper assessments and prevent downtime due to security testing.
- (ASPM) Treatment acceptance button improvements : The treatment acceptance button is now grayed out when there are no pending approvals, preventing user confusion.
- (ASPM) Origin columns in the vulnerabilities table : Users can now quickly identify in the table if a vulnerability is in a dependency (‘Inherited’) or in code owned by them (‘Injected’).
- (ASPM) Vulnerabilities’ modal improvements : Adjustments were made to facilitate viewing vulnerability information, including severity, origin (‘Injected’, ‘Inherited’), technique (‘CSPM’, ‘DAST’, ‘PTAAS’, ‘RE’, ‘SAST’, ‘SCA’, ‘SCR’), and status (‘Vulnerable’, ‘Safe’).
- (Reachability) New rules:
- (SAST) New rules:
- F052 Scala Insecure Cipher Mode
- F052 Scala Use of Insecure Password Encoder
- F097 JavaScript NextJS Reverse Tabnabbing
- F097 Typescript NextJS Reverse Tabnabbing
- F157 Terraform Azure NSG Allows Unrestricted NetBIOS Access
- F157 Terraform Azure NSG Allows Unrestricted MongoDB Access
- F157 Terraform Azure NSG Allows Unrestricted MS SQL Server Access
- F157 Terraform Azure NSG Allows Unrestricted Oracle Database Access
- F016 ARM API Management back does not have a minimum TLS version set
- F016 ARM API Management front does not have a minimum TLS version set
- F148 Ruby NET FTP Request
Release 10
- (ASPM) Updated the filter component : Adjustments to prevent the table header view from shifting and buttons from disappearing when there are a large number of filters applied.
- (ASPM) Signatures in executive reports and testing certificates : As part of the enhancements to obtain the CREST Penetration Testing accreditation, reports generated from our platform are now signed by our Head of Service and our VP of Hacking.
- (SCA) From general to specific categories in SCA reports : Vulnerabilities associated with CVE entries will be reported under the categories that match their specific descriptions.
- (SAST) New rules:
- F101 Terraform Azure Storage Account Geo-Replication is Disabled
- F101 Terraform Azure Storage Account Blob Service Soft Delete is Disabled
- F101 Terraform Azure Key Vault Accidental Purge Prevention is Disabled
- F148 Terraform Azure App Service Allows FTP Deployments
- F134 Nest Insecure CORS Configuration
- (Reachability) New rules:
February
Release 9
- (ASPM) More info for free trial users on paid plan features : Encourage free trial users to upgrade to a paid plan (Essential or Advanced) by highlighting the value of the features that interest them the most.
- (ASPM) Revert the Vuln Management button to ‘Reattack’ and ‘Treatment acceptance’ : Return to the previous button configuration for Reattacks and Treatment Acceptance to improve user experience.
- (ASPM) Filters new UI and behavior : Existing filters have been upgraded to deliver more robust and precise performance. The interface has been streamlined by reorganizing components, enhancing clarity, and improving overall efficiency. This applies to the following sections: Groups, Supply chain, DevSecOps, (group-level) Members, and Authors.
- (ASPM) Organization Manager can access all groups within the organization : Now, when someone gains access to a platform as an Organization Manager, they automatically get access to all the groups within the corresponding organization.
- (IDE plugin) Align severity scoring between platform and extension : Standardize the severity scoring by ensuring that the platform and the VS Code extension display the maxOpenSeverityScoreV4 value to maintain consistency across all interfaces.
- (SAST) New rule: F372 Ruby HTTP Client Request.
Release 8
- (ASPM) Column management : Allow users to enable or disable columns based on preferences and reorganize them via drag-and-drop. Personalized configurations can be saved and persist in future use. Additionally, the first column is fixed and locked, ensuring it remains visible and cannot be disabled, providing consistent access to critical information.
- (ASPM) Rename user manager : The User Manager at the organization level became the Organization Manager, and that at the group level became the Group Manager to keep role names aligned with their corresponding scope.
- (Reachability) New rule: Python CVE-2022-22817.
Release 7
- (ASPM) Centralized policies management : Policy management is now centralized at the organization-level section to simplify changes.
- (SAST) New rules:
- F096 Python Insecure Serialization
- F266 Docker Socket Mount
- (Reachability) New rules:
Release 6
- Fluid Attacks becomes an AWS partner : We are officially listed by AWS as leveraging AWS technologies in our processes for helping businesses secure their cloud environments.
- (ASPM) Updated terminology for vulnerabilities column : Instead of displaying “X types found” in the Groups section, now “X types open” is displayed to be accurate.
- (ASPM) Eliminated “Unauthorized access” window : Removed the window that appears when a user’s session expires, and instead, the user is redirected to the login page.
- (ASPM) Renamed Agent’s executions report : Report name was renamed from “forces_execution.csv” to “FluidAttacks_DevSecOpsAgent.csv”.
- (ASPM) Column management : Column customization in the Locations, Vulnerabilities and To do tables is now allowed, simplifying navigation.
- (ASPM) Added banner for free trial users : A banner now informs free trial users that automated tools typically detect 30% of a system’s risk exposure.
- (ASPM) Testing your production environment: You can also add the production environment of your system under assessment as a second environment to undergo our continuous security testing. This option is only available in the Advanced plan.
- (SCA) Malware advisories : Updated the scanner to report malware advisories under finding F488 - Use of software with malware.
- (SAST) New rules: F002 Python Asymmetric Denial of Service.
January
Release 5
- (ASPM) Inherited to surface : The Inherited section, which contained all the package-related information, was renamed Packages and moved inside the Surface section.
- (ASPM) UI improvements for Treatment modals : Updated Treatment modals to have less intrusive alerts.
- (ASPM) Add policy information to DevSecOps and Members tab (Organization and Groups) : Added informative banners that display the configured policies in the DevSecOps and Members sections.
- (SBOM) Amazon Elastic Container Registry (ECR) : Our scanner now supports Docker images from AWS Elastic Container Registry (ECR).
- (SAST) New rules:
- F004 JavaScript Arbitrary Command Injection
- F004 Typescript Arbitrary Command Injection
- Java CSFRHandler Hardcoded Password
- F183 Java Debug Mode Enabled
- F359 Java Hardcoded Password in SetPassword
- F359 Java Key Manager Factory Hardcoded Password
- F359 Java PBEKeySpec Kerberos Hardcoded Secret
- F359 Java KeyStore Hardcoded Password
- F390 JavaScript Prototype Pollution
- F390 Typescript Prototype Pollution
- (Reachability) New rule: Python CVE-2020-28975.
Release 4
- (ASPM) Modified the maximum days limit for which a vulnerability can be temporarily accepted : The limit was 90 days, which was modified to 999 days.
- (ASPM) From “Inherited” to “Packages” and from “Injected” to “Vulnerabilities” : Updated some of the platform’s section names to improve clarity.
- (ASPM) Feedback modal for incomplete information to generate report : A new modal was implemented to inform users, when requesting reports, that they need to provide group information in the Scope section to generate the report.
- (SAST) New rules:
- F002 Python Asymmetric Denial of Service
- F004 Typescript Arbitrary Command Injection
- F004 JavaScript Arbitrary Command Injection
- F006 Java SAML Ignore Comments
- F016 Terraform Redis cache insecure port is enabled
- F096 Java RPC Enabled Extensions
- F101 Terraform Azure Postgres DB log retention days is set to less than 3 days
- F350 Java Ignore SSL Certificate Errors
Release 3
- (ASPM) Added Type column in Packages : A new column was added to the Dependency Detail table to identify whether a dependency is direct or indirect.
- (ASPM) Added Environment column in Packages : A new column was added to the Dependency Detail table to identify when a dependency is used in the development (‘Build’) or production (‘Run’) stages.
Release 2
(SAST) New rule: F149 Java Insecure SMTP SSL.
Release 1
- (ASPM) Improved mutation to add CSPM environments : Previously, adding an environment to a Git root (APK, URL, or CSPM) was handled using the same mutation, which could lead to inconsistencies. A new mutation was created to handle adding CSPM environments specifically, making the process more precise and less prone to errors.
- (SAST) New rules:
- F130 Java Cookie Serializer Secure
- F344 Java Wicket String Escaping
- F159 Java Dangerous Permission
- (SLA) Enhanced accuracy SLA: We now offer 90%+ F2 score involving risk exposure and 90%+ F0.5 score involving the number of vulnerabilities.
Tip
Free trial: Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form.