2026
Last updated: May 11, 2026
May
Release 19
- (DAST-WEB) New rules:
- (DAST-API) New rules:
- (SAST) New rules:
- Dart Cryptography Hardcoded Nonce
- Dart Insecure Storage Sql Injection
- Go Hardcoded Amqp Password
- Go Hardcoded Mongodb Password
- Go Hardcoded Redis Password
- Typescript Nest Mssql Injection
- Java Server Information Exposure
- Ruby Hardcoded Key For Token
- Scala Hardcoded Key In Secretkeyspec
- Scala Header Insecure Cors Configuration
- Scala Random Hardcoded Seed
- Scala Secure Random Hardcoded Seed Unsafe
- Scala Hardcoded Keyparameter Use
- Scala Hardcoded Password In Pbekeyspec
- (SS) New rules:
April
Release 18
- (Compliance) Enterprise-Grade Security & Compliance Certifications: Fluid Attacks achieved ISO/IEC 27001 and ISO/IEC 27701 certification, with controls aligned to ISO/IEC 27017 and ISO/IEC 27018, a SOC 2 attestation and SOC 3 report, PCI DSS validation, and measures designed to support GDPR compliance.
- (ASPM) The Health Check filter in the Git Repositories table now includes a third option: "Requested" which was previously missing. Filter labels have also been aligned with the values shown in the table column, changing "Yes" / "No" to "Included" / "Not included" / "Requested" for consistency.
- (DB) Defines filters have been updated to recognize and expose the Rust ecosystem properly: Support for Rust advisories was previously available only at the data/source level; it is now fully reflected in the filter interface.
- (SAST) New rules:
- Dart Hardcoded Http client Credentials
- Dart Jaguar Hardcoded Jwt Secret
- Dart Jsonwebtoken Hardcoded Jwt Secret
- Java Insecure File Permissions
- Java Redos User Input In Compile
- Java Unsafe Header X Frame Options
- Java Use Of Insecure Random
- Typescript Nest Typeorm Sql Injection
- Dart Hardcoded Crypto Iv
- Typescript Nest Mysql Injection
- Typescript Nest Pg Sql Injection
- Go Hardcoded PostgreSQL Password
- Java Data Leak Through Persistent Cookie
- Json Yaml Secrets Manager Privileges
- Typescript Nest Oracle Sql Injection
- Typescript Nest Sqlite Injection
Release 17
- (ASPM) Add filters.rootNickname in vulnerabilities: Added a filters.rootNickname parameter to group.vulnerabilities and finding.vulnerabilities, allowing API users to filter vulnerabilities by root directly instead of relying on ambiguous combinations of search, where, and whereStartsWith.
- (CI Gate) Add GitHub action: Added a custom GitHub Action for the CI Agent, enabling clients to integrate it directly into their CI pipelines without manual setup or configuration.
- (SS) New rules:
- (DAST-WEB) New rules:
- (SAST) New rules:
- Java Vulnerable Spring Escape False
- Php Unsafe Target Blank Use
- Typescript Insecure Nest Injection
- Typescript Nest Sequelize Sql Injection
- Java Secure Random Hardcoded Seed Unsafe
- Javascript Express Fetch SSRF
- Javascript Express Http Https SSRF
- Typescript Express Fetch SSRF
- Typescript Express Http Https SSRF
- Typescript Unsafe Nest Axios SSRF
- Typescript Unsafe Nest Fetch SSRF
- Typescript Unsafe Nest Http Https SSRF
- Dart Webview Html Injection
- Dart Xss Public Storage Webview Injection
- Java Sensitive Information In Log4j Log
- Java Sensitive Information In Slf4j Log
- Java password field Missing Masking
- Dart Hardcoded Password In Connection
- Dart Smtp Hardcoded Password
- Java Hardcoded Key parameter Use
Release 16
- (ASPM) Improve "Add environment" flow: reorder fields and add Frontend/Backend distinction: Restructured the “Add environment” modal to improve configuration flow, introducing a clearer order for environment type, connection method, production context, frontend/backend URL classification, and conditional authentication settings with contextual guidance.
- (CI GATE, CSPM, DAST, MAST, SCA, SAST) Deploy public container images to GHCR alongside DockerHub: Published public scanner images to GitHub Container Registry (GHCR) and migrated them to the centralized container-builder for unified CI workflows and multi-arch support.
- (DB) Enhancing EPSS Value with Temporal Context: Added a tooltip with a last-updated timestamp to the EPSS field, giving clear visibility into how current the data is and supporting more confident, informed vulnerability prioritization.
- (DB) Original filter for DB: Added an Original Severity filter to the vulnerabilities page, allowing users to filter by CVE source severity alongside the existing adjusted severity filter.
- (SS) Add secret scan github action: Added infrastructure and a GitHub Action for the new secret scanner, including Docker image creation and publishing to DockerHub and GHCR.
- (SS) New rules:
- (DAST-API) New rules:
- (DAST-WEB) New rules:
- (SAST) New rules:
- Go Hardcoded Cryptographic Key
- Javascript Marsdb Nosql Injection
- PHP Curl Unsafe X Frame Options
- PHP Mb Send Mail Parameter Tampering
- PHP Unsafe Header X Frame Options
- Typescript Marsdb Nosql Injection
- Javascript Insecure Deprecated Encryption
- PHP Parse Value Shadowing
- Typescript Insecure Deprecated Encryption
- Go Email Content Forgery
- Go Email Headers Forgery
- Go Weak Rsa Key Size
- Java Unsafe Logger Injection
- Javascript Cryptojs Passphrase Mode
- Javascript Injection Of Untrusted Content
- Javascript Reflected Xss Protection Header
- Typescript Cryptojs Passphrase Mode
- Typescript Injection Of Untrusted Content
- Typescript Reflected Xss Protection Header
Release 15
- (SCA) Add severity field and severity threshold to scanner output:
Added
cvss_v4_severityto scan results and astrictness_thresholdconfig flag to fail pipelines only when vulnerabilities at or above the configured severity floor are found. - (IDE Plugin) Improve authentication and loading messages in IntelliJ plugin: Added visual state indicators (spinner, alert, and check icons) and adjusted dark mode contrast using standardized colors for clearer feedback during authentication and vulnerability loading.
- (ASPM) Redesign Groups data panel to show attack surface and vulnerabilities: Added new Attack Surface and Vulnerability Summary sections, including repository coverage metrics (with/without OAuth) and a detailed breakdown of total vulnerabilities, CVSSF, and severity distribution.
- (ASPM) Migrate platform authentication to Auth0: Replaced in-house Google, Microsoft, and Bitbucket authentication flows with Auth0, enabling built-in MFA, OTP, and third-party integrations while reducing application complexity.
- (ASPM) Track severity updates in vulnerability and weakness history: Approving a severity update now records a timestamped entry in both the vulnerability and weakness tracking timelines.
- (SAST) New rules:
- Javascript Crypto Unsafe Empty Password
- Javascript Insecure Sensitive Information File Storage
- PHP Ssl Verification Disabled Setopt
- PHP Unsafe User Controlled Variable
- Python Fastapi Html Injection
- Python Starlette Html Injection
- Typescript Crypto Unsafe Empty Password
- Typescript Insecure Sensitive Information File Storage
- Javascript Bcrypt Unsafe Empty Password
- Javascript Jwt Unsafe Empty Password
- Javascript Sensitive Information In Jwt
- Javascript Sequelize Unsafe Empty Password
- PHP Insecure Samesite Cookie Attribute
- Typescript Bcrypt Unsafe Empty Password
- Typescript Jwt Unsafe Empty Password
- Typescript Sensitive Information In Jwt
- Typescript Sequelize Unsafe Empty Password
- Go Insecure Random Key Generation
- Python Django Path Traversal
- Python Django Reflected Xss
- Python Fastapi Path Traversal
- Python Starlette Path Traversal
- Javascript Manual CSRF Token Handling Ajax
- Javascript Manual CSRF Token Handling Axios
- Javascript Manual CSRF Token Handling Fetch
- Javascript Manual CSRF Token Handling Xhr
- Javascript Unsafe Csv Injection Csv Writer
- Javascript Unsafe Csv Injection Fast Csv
- Javascript Unsafe Csv Injection Fs
- PHP Regex With User Input
- Typescript Manual CSRF Token Handling Ajax
- Typescript Manual CSRF Token Handling Axios
- Typescript Manual CSRF Token Handling Fetch
- Typescript Manual CSRF Token Handling Xhr
- Typescript Unsafe Csv Injection Csv Writer
- Typescript Unsafe Csv Injection Fast Csv
- Typescript Unsafe Csv Injection Fs
- PHP Command Argument Injection
- PHP Insecure Channel Use Websocket Client
- PHP Mb Send Mail Header Injection
- PHP Session Trust Boundary Violation
- (SS) New rules:
Release 14
- (DB) Improve Fixes section: Reorganized the Fixes section with top-level groupings (Code, Infrastructure, Packages), introducing a dedicated SCA navigation model (Ecosystem → Fix) with initial coverage for TypeScript, Python, and Kotlin.
- (DB) Add Exploit signal (ordinal) and improve EPSS display: Added exploit availability as an ordinal signal (0–n sources) with filterable groupings and simplified EPSS display format to support clearer vulnerability prioritization.
- (SAST) New rules:
- Html Import Map Missing Integrity
- Javascript Kony Browser Html String
- PHP Laravel Open Redirect
- Python SSRF Session Unvalidated Url
- Typescript Kony Browser Html String
- Go Smtp Hardcoded Password
- Go Use Of Hardcoded Password
- PHP Mail Header Injection
- PHP Unsafe Open Redirect
- PHP Unsafe Parameter Tampering
- Python Jwt Decode Without Verification
- Python Jwt None Algorithm
- Javascript Bunyan Log Forging
- Javascript Log4Js Log Forging
- Javascript Pino Log Forging
- Javascript Winston Log Forging
- PHP Sensitive Information Stored In Log
- PHP User Input In Danger Function
- Typescript Bunyan Log Forging
- Typescript Log4Js Log Forging
- Typescript Pino Log Forging
- Typescript Winston Log Forging
- (SS) New rules:
March
Release 13
- (IDE Plugin) Remove redundant repository selection pop-up when project is already open in IDE: Now our VSCode and Cursor extensions auto-detect the active repository when a project is already open, eliminating the repository selection pop-up.
- (ASPM) Standardize file input experience in Add File modal: Processing is now indicated via the Upload button loading state, with the modal closing on completion and feedback shown through global notifications.
- (ASPM) Minimum privilege for organizations and groups: Introduced per-organization and group activity tracking to replace the global last-activity check, enforcing least privilege by revoking access only for inactive orgs/groups while preserving access where the user remains active.
- (ASPM) Restrict environment and repository exclusion to privileged roles only: Restricted scope exclusion permissions to group managers only, preventing users and vulnerability managers from excluding environments or repositories and reinforcing least-privilege governance.
- (DB) Improve detail panel structure to show Base vs Adjusted CVSS + vectors: Scope now shows both Base (source) and Adjusted CVSS (Fluid) with vectors, clearly differentiating them to improve traceability and clarity.
- (SAST) New rules:
- Dart Get Storage Insecure Data Storage
- PHP Hardcoded Cryptographic Key
- Scala Hardcoded Salt In Hash
- Scala Hash Without Salt
- PHP Hardcoded Salt In Hash
- PHP Weak Encryption Size
- Python Httpx Cleartext Sensitive Information
- Dart Insecure Storage Of Sensitive Data
- Go Path Traversal Open File
- PHP Hardcoded Cryptographic Iv
- Dart File Storage Of Sensitive Data
- PHP Insufficiently Protected Credentials
- Python Aiohttp Cleartext Sensitive Information
- Python Urllib3 Cleartext Sensitive Information
Release 12
- (ASPM) Add supported and tested columns to Lines table: Added language support and Machine testing status columns to the Lines table for file-level visibility.
- (ASPM) Improve Groups filters: Updated Groups section filters to be functional and aligned with the target registration flow improvements.
- (ASPM) Add Cursor to Integrations: Added Cursor as an available option in the platform Integrations section.
- (ASPM) Restrict environment exclusion toggle to authorized roles: Limited the environment URL exclusion toggle to authorized roles, preventing unauthorized scope changes and vulnerability closures.
- (CI Gate) Show EPSS and reachability in SCA execution logs: Added EPSS score and reachability status to execution logs for SCA vulnerabilities.
- (SAST) New rules:
- Scala Logging Of Sensitive Data
- Swift Sensitive Data In External Storage
- Swift Sensitive Data In Keyboard Logging
- C Sharp User Input Generate Improper Output
- C Sharp User Input In Content
- Python Unencrypted Ftp Connection
- Scala Redos With Untrusted Input
- Scala Spring Session Fixation
- PHP Unlink Path Traversal
- Python Insecure Snmp Connection
- Python Unencrypted Telnet Connection
- Scala Hardcoded Password In Connection
- Scala Unsafe Parameter Tampering
- PHP Sensitive Information In Jwt
- PHP Syslog Log Injection
- PHP Use Of Hardcoded Password
- PHP User Input Storage Sensitive Data
- Python Requests Cleartext Sensitive Information
Release 11
- (MCP) SCA remediation with AI agents: Added repository context configuration to the MCP server, enabling autonomous SCA vulnerability remediation via AI agents.
- (ASPM) Display 'No fix available' guidance: Added actionable guidance when vulnerabilities have no remediation path (EOL packages, abandonware, pending fixes).
- (ASPM) Improve Location filter with selector and search options: Replaced free-text Location filter with a selector supporting nickname, base URL, prefix matching, and full-text search.
- (ASPM) Improve 'New Group' modal for target registration: Added target type and target evaluation stage fields to the New Group creation flow.
- (DB) Dynamic filter options: Filter options are now generated dynamically based on available results, preventing empty result combinations.
- (IDE Plugin) IDE SCA remediation options: Added multiple SCA remediation options to GenAI-powered fixes in the VSCode extension.
- (Docs) Add fix guide for transitive dependency vulnerabilities: Added guide covering lockfile refresh, overrides, and shrinkwrap removal strategies.
- (Docs) Add SAST and SCA GitHub Actions to CLI docs: Documented the new SAST and SCA GitHub Actions with auto-detected scan modes.
- (SAST) New rules:
Release 10
(SAST) New rules:
- Python Django Open Redirect
- Python Fastapi Open Redirect
- Python Starlette Open Redirect
- Scala Use Unvalidated Forwards
- Swift User Input In Regular Expression
- Swift Information Exposure In Query String
- Python Fastapi Uncontrolled Format String
- Python Starlette Uncontrolled Format String
- Python Fastapi Sensitive Data Logging
- Python Starlette Sensitive Data Logging
- Scala Spring Unsafe Open Redirect
- Scala Spring Use Unvalidated Forwards
- Python Logging Config Insecure Listen
- Scala Secure Flag Not Set
- Swift Webview Xss Injection
- Javascript Unsafe Input Resource Injection
- Typescript Unsafe Input Resource Injection
February
Release 9
- (SCA) Add support for new package managers: Added support for CocoaPods (Podfile parser), Bun, and RubyGems (.gemspec) package managers.
- (SCA) Add SCA remediation options to vulnerability details: Added remediation options (closest min fix, safe fix, complete fix) for direct and transitive dependencies.
- (Docs & DB) Standardize central layout and sidebar widths: Constrained main content and sidebar widths on large screens to improve readability and layout consistency.
- (ASPM) Update Groups table to match new group modal: Updated the Groups section structure to align with the new group creation flow and target registration improvements.
- (ASPM) Allow editing environment authentication field: Enabled editing of the "Requires Authentication" field on existing environment records.
- (ASPM) Relocate CI Gate token and installation guide: Moved CI Gate token management and installation guide from Scope to DevSecOps section.
- (SAST) New rules:
- Dart Unsafe Input Path Traversal Relative
- Ruby Insufficiently Protected Credentials
- Javascript Weak Password Encoding Base64
- Python Boto3 Ssl Verification Bypass
- Python Ssl Certificate Verification Bypass
- Typescript Weak Password Encoding Base64
- Python Aiohttp Ssl Verification Bypass
- Python Websocket Ssl Verification Bypass
- Ruby Hardcoded Session Secret Token
- Scala Hardcoded Initialization Vector
- Swift Hardcoded Password In Urlcredentials
- Config Files Misconfiguration In Impersonation
- Config Files Disabled Session Id Regeneration
- Ruby Short Session Key
- Scala Play Plaintext Storage Sensitive Data
- Dart Tempfile Unencrypted Sensitive Information
- Dart Native Language Cmd Injection
- Scala Spring Plaintext Storage Sensitive Data
- Scala Unsafe Open Redirect
Release 8
(SAST) New rules:
- Python Http Uncontrolled Cors Origin
- Python Wsgiref Uncontrolled Cors Origin
- C Sharp Sensitive Information In Logs
- C Sharp Jwt Sensitive Information Exposure
- Python Django Sensitive Data Logging
- Ruby Ssl Certificate Verification Bypass
- Scala Jwt Sensitive Information Exposure
- C Sharp CSRF Protection Disabled
- Python Django Uncontrolled Cors Origin
- Ruby Unsafe Open Redirect
- Config Files Insecure Cookieless Configuration
- Python Urllib3 Ssl Verification Bypass
- Python Hardcoded Password In Connection
- Ruby Sensitive Cookie Without Httponly
- C Sharp Hardcoded Credentials In Directory
- C Sharp Parameter Tampering In Email
- Python Httpx Ssl Verification Bypass
Release 7
- (DAST) Update scanner technique to MAST: Update APK scanner to replace DAST with MAST across the entire flow, including Docker image (mast scan config.yaml).
- (DB) Make general search bar index vulnerabilities: Extend the main search bar indexing to include vulnerabilities (e.g., CVE identifiers) for direct discovery and navigation.
- (DB) Add "View JSON" link to vulnerability's detail page: Add a "View JSON" link to vulnerability detail pages, pointing to the data.json endpoint and opening in a new tab.
- (DB) Improve Log in: Rename "Get started" to "Try for free" and add a clear ghost "Log in" button in the top bar. Align flow with design system, including avatar dropdown with user info and ghost "Log out."
- (DB) Scalable filter UX for Database: Group multiple vulnerability filters under the default Filter dropdown and remove highlighted filters. Reserve the highlighted filter for a single dominant case to ensure scalability and a clean hierarchy.
- (DB) LLMs.txt: Add an llms.txt endpoint to improve consumption of DB pages by LLMs.
- (IDE Plugin) Enhance IntelliJ sidebar: Add severity icons to the IntelliJ plugin sidebar, categorized by typology, to improve visual context and prioritization of weaknesses.
- (MCP) Add output file configuration to MCP scanner tool prompts: Add a default output section to YAML examples in MCP scanner tools to generate Fluid-Attacks-Results.csv instead of stdout-only results.
- (SAST) New rules:
- C Sharp Session Cookie Injection
- C Sharp Api Use Hardcoded Password
- Ruby Sensitive Information Weak Sha1
- Ruby Sensitive Information Weak Md5
- Ruby Hardcoded Encryption Key
- Ruby Weak Cipher Encryption
- Ruby Weak Cipher Encryption Blowfish
- Ruby Hardcoded Password In Connection
- Ruby Unsafe Hardcoded Password
- Python Flask Sensitive Data Logging
- C Sharp Hardcoded Cryptographic Key
Release 6
- (Docs & DB) Add multiple authentication methods: Added Google, Microsoft, LinkedIn, Bitbucket, and internal login as authentication options.
- (DB) Add detection status to vulnerabilities: Added a flag indicating whether each vulnerability has been detected at least once.
- (ASPM) Add KEV and EPSS metrics to Package Details: Added KEV and EPSS metrics to the Package Details view to provide better vulnerability context for clients.
- (SAST) New rules:
January
Release 5
- (ASPM) Azure integration now supports Bug as a work item type: Our integration can create work items of type 'Bug', which is useful for users or clients whose projects do not have the 'Issue' type available.
- (SAST) New rules:
- Java Uncontrolled Memory Allocation
- JavaScript Kony Hardcoded Encryption Key
- JavaScript Hardcoded Password In Connection
- Typescript Kony Hardcoded Encryption Key
- Typescript Hardcoded Password In Connection
- Java Intent Sensitive Communication
- JavaScript React Native Missing Masking
- Typescript React Native Missing Masking
- Python Django Uncontrolled Format String
- Python Flask Uncontrolled Format String
- Python Tornado Uncontrolled Format String
- JavaScript Cordova Open Redirect
- JavaScript Kony Url Injection
- JavaScript SSL Verification Bypass
- Typescript Cordova Open Redirect
- Typescript Kony Url Injection
- Typescript Ssl Verification Bypass
- Java Unsafe Object Binding
- Java Insecure Storage Sensitive Information
- JavaScript Cordova File Manipulation
- Typescript Cordova File Manipulation
Release 4
- (ASPM) Prevent accidental rejection of access invitations: An extra confirmation step was added to the platform's invitation flow to avoid accidental rejections caused by automated email link scanning.
- (SAST) New rules:
- Go Insecure Temp File Creation
- Java Unrestricted File Upload Spring
- Java Ognl Expression Injection
- Java Observable Time Discrepancy
- Java Denial Of Service By Sleep
- JavaScript Httponly Flag Not Set
- JavaScript Insecure Samesite Cookie Attribute
- Typescript Httponly Flag Not Set
- Typescript Insecure Samesite Cookie Attribute
- Java One Way Hash Without Salt
- JavaScript Sensitive Information Weak Sha1
- JavaScript Sensitive Information Weak Md5
- Typescript Sensitive Information Weak Sha1
- Typescript Sensitive Information Weak Md5
- Java Cookie Without Validation
Release 3
- (ASPM) Warn users about potential additional costs when changing branches: A warning and checkboxes were added when users modify branches from a repository under the scope section to clarify that this action can impact the cost of the service.
- (SAST) New rules:
- Go Unencrypted Ftp Connection
- Go Unencrypted Telnet Connection
- Java Use Of Hardcoded Password
- JavaScript Insecure Sce Configuration
- Java Spring Session Fixation
- Java Empty Password Connection
- JavaScript Client CSS Injection
- Typescript Client CSS Injection
- Go Zip Slip Path Traversal
- Java Unvalidated Forwards Use
- JavaScript Email Headers Forgery
- Typescript Email Headers Forgery
Release 2
- (ASPM) Mark AI-detected vulnerabilities (AI SAST): Added a visual AI indicator to AI SAST findings to highlight the new technique.
- (SAST) New rules:
- Javascript Dom Stored Xss
- Typescript Dom Stored Xss
- Javascript Client Dom Xss
- Typescript Client Dom Xss
- Javascript Unsafe Deserialization Untrusted Data
- Javascript Unsafe Module Inclusion
- Javascript Unsafe Require Module Inclusion
- Typescript Unsafe Deserialization Untrusted Data
- Typescript Unsafe Module Inclusion
- Typescript Unsafe Require Module Inclusion
- Go Insecure Http Server
- Go Cleartext Sensitive Information
Release 1
(SAST) New rules:
- F064 Java session id not regenerated
- F014 Dart mirrors unsafe reflection
Free trial: Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.