2026

Last updated: Apr 27, 2026

---

April

Release 18

• (Compliance) Enterprise-Grade Security & Compliance Certifications: Fluid Attacks achieved ISO/IEC 27001 and ISO/IEC 27701 certification, with controls aligned to ISO/IEC 27017 and ISO/IEC 27018, a SOC 2 attestation and SOC 3 report, PCI DSS validation, and measures designed to support GDPR compliance.

Release 17

• (ASPM) Add filters.rootNickname in vulnerabilities: Added a filters.rootNickname parameter to group.vulnerabilities and finding.vulnerabilities, allowing API users to filter vulnerabilities by root directly instead of relying on ambiguous combinations of search, where, and whereStartsWith.
• (CI Gate) Add GitHub action: Added a custom GitHub Action for the CI Agent, enabling clients to integrate it directly into their CI pipelines without manual setup or configuration.
• (SS) New rules:
  • Anthropic API Key
  • Databricks Personal Access Token
  • GitHub Personal Access Token
  • npm Access Token
  • OpenAI API Key
  • PyPI Upload Token
  • RubyGems API Token
  • Slack Incoming Webhook URL
  • Stripe Live Secret or Restricted Key
  • Terraform Cloud API Token
• (DAST-WEB) New rules:
  • Http Trace Enabled
  • Ssl Tls Certificate Revocation Not Checked
• (SAST) New rules:
  • Java Vulnerable Spring Escape False
  • Php Unsafe Target Blank Use
  • Typescript Insecure Nest Injection
  • Typescript Nest Sequelize Sql Injection
  • Java Secure Random Hardcoded Seed Unsafe
  • Javascript Express Fetch SSRF
  • Javascript Express Http Https SSRF
  • Typescript Express Fetch SSRF
  • Typescript Express Http Https SSRF
  • Typescript Unsafe Nest Axios SSRF
  • Typescript Unsafe Nest Fetch SSRF
  • Typescript Unsafe Nest Http Https SSRF
  • Dart Webview Html Injection
  • Dart Xss Public Storage Webview Injection
  • Java Sensitive Information In Log4j Log
  • Java Sensitive Information In Slf4j Log
  • Java password field Missing Masking
  • Dart Hardcoded Password In Connection
  • Dart Smtp Hardcoded Password
  • Java Hardcoded Key parameter Use

Release 16

• (ASPM) Improve "Add environment" flow: reorder fields and add Frontend/Backend distinction: Restructured the “Add environment” modal to improve configuration flow, introducing a clearer order for environment type, connection method, production context, frontend/backend URL classification, and conditional authentication settings with contextual guidance.
• (CI GATE, CSPM, DAST, MAST, SCA, SAST) Deploy public container images to GHCR alongside DockerHub: Published public scanner images to GitHub Container Registry (GHCR) and migrated them to the centralized container-builder for unified CI workflows and multi-arch support.
• (DB) Enhancing EPSS Value with Temporal Context: Added a tooltip with a last-updated timestamp to the EPSS field, giving clear visibility into how current the data is and supporting more confident, informed vulnerability prioritization.
• (DB) Original filter for DB: Added an Original Severity filter to the vulnerabilities page, allowing users to filter by CVE source severity alongside the existing adjusted severity filter.
• (SS) Add secret scan github action: Added infrastructure and a GitHub Action for the new secret scanner, including Docker image creation and publishing to DockerHub and GHCR.
• (SS) New rules:
  • DOCKER HUB ACCESS TOKEN
  • EXPOSED CREDENTIALS
  • SLACK TOKEN
• (DAST-API) New rules:
  • API Permissive Cors Policy
• (DAST-WEB) New rules:
  • HTTP Cookie Missing Cache Control
• (SAST) New rules:
  • Go Hardcoded Cryptographic Key
  • Javascript Marsdb Nosql Injection
  • PHP Curl Unsafe X Frame Options
  • PHP Mb Send Mail Parameter Tampering
  • PHP Unsafe Header X Frame Options
  • Typescript Marsdb Nosql Injection
  • Javascript Insecure Deprecated Encryption
  • PHP Parse Value Shadowing
  • Typescript Insecure Deprecated Encryption
  • Go Email Content Forgery
  • Go Email Headers Forgery
  • Go Weak Rsa Key Size
  • Java Unsafe Logger Injection
  • Javascript Cryptojs Passphrase Mode
  • Javascript Injection Of Untrusted Content
  • Javascript Reflected Xss Protection Header
  • Typescript Cryptojs Passphrase Mode
  • Typescript Injection Of Untrusted Content
  • Typescript Reflected Xss Protection Header

Release 15

• (SCA) Add severity field and severity threshold to scanner output: Added cvss_v4_severity to scan results and a strictness_threshold config flag to fail pipelines only when vulnerabilities at or above the configured severity floor are found.
• (IDE Plugin) Improve authentication and loading messages in IntelliJ plugin: Added visual state indicators (spinner, alert, and check icons) and adjusted dark mode contrast using standardized colors for clearer feedback during authentication and vulnerability loading.
• (ASPM) Redesign Groups data panel to show attack surface and vulnerabilities: Added new Attack Surface and Vulnerability Summary sections, including repository coverage metrics (with/without OAuth) and a detailed breakdown of total vulnerabilities, CVSSF, and severity distribution.
• (ASPM) Migrate platform authentication to Auth0: Replaced in-house Google, Microsoft, and Bitbucket authentication flows with Auth0, enabling built-in MFA, OTP, and third-party integrations while reducing application complexity.
• (ASPM) Track severity updates in vulnerability and weakness history: Approving a severity update now records a timestamped entry in both the vulnerability and weakness tracking timelines.
• (SAST) New rules:
  • Javascript Crypto Unsafe Empty Password
  • Javascript Insecure Sensitive Information File Storage
  • PHP Ssl Verification Disabled Setopt
  • PHP Unsafe User Controlled Variable
  • Python Fastapi Html Injection
  • Python Starlette Html Injection
  • Typescript Crypto Unsafe Empty Password
  • Typescript Insecure Sensitive Information File Storage
  • Javascript Bcrypt Unsafe Empty Password
  • Javascript Jwt Unsafe Empty Password
  • Javascript Sensitive Information In Jwt
  • Javascript Sequelize Unsafe Empty Password
  • PHP Insecure Samesite Cookie Attribute
  • Typescript Bcrypt Unsafe Empty Password
  • Typescript Jwt Unsafe Empty Password
  • Typescript Sensitive Information In Jwt
  • Typescript Sequelize Unsafe Empty Password
  • Go Insecure Random Key Generation
  • Python Django Path Traversal
  • Python Django Reflected Xss
  • Python Fastapi Path Traversal
  • Python Starlette Path Traversal
  • Javascript Manual CSRF Token Handling Ajax
  • Javascript Manual CSRF Token Handling Axios
  • Javascript Manual CSRF Token Handling Fetch
  • Javascript Manual CSRF Token Handling Xhr
  • Javascript Unsafe Csv Injection Csv Writer
  • Javascript Unsafe Csv Injection Fast Csv
  • Javascript Unsafe Csv Injection Fs
  • PHP Regex With User Input
  • Typescript Manual CSRF Token Handling Ajax
  • Typescript Manual CSRF Token Handling Axios
  • Typescript Manual CSRF Token Handling Fetch
  • Typescript Manual CSRF Token Handling Xhr
  • Typescript Unsafe Csv Injection Csv Writer
  • Typescript Unsafe Csv Injection Fast Csv
  • Typescript Unsafe Csv Injection Fs
  • PHP Command Argument Injection
  • PHP Insecure Channel Use Websocket Client
  • PHP Mb Send Mail Header Injection
  • PHP Session Trust Boundary Violation
• (SS) New rules:
  • SONAR TOKEN
  • AWS KEY
  • DB CONNECTION STRING
  • PRIVATE PEM KEY
  • PRIVATE SSH KEY

Release 14

• (DB) Improve Fixes section: Reorganized the Fixes section with top-level groupings (Code, Infrastructure, Packages), introducing a dedicated SCA navigation model (Ecosystem → Fix) with initial coverage for TypeScript, Python, and Kotlin.
• (DB) Add Exploit signal (ordinal) and improve EPSS display: Added exploit availability as an ordinal signal (0–n sources) with filterable groupings and simplified EPSS display format to support clearer vulnerability prioritization.
• (SAST) New rules:
  • Html Import Map Missing Integrity
  • Javascript Kony Browser Html String
  • PHP Laravel Open Redirect
  • Python SSRF Session Unvalidated Url
  • Typescript Kony Browser Html String
  • Go Smtp Hardcoded Password
  • Go Use Of Hardcoded Password
  • PHP Mail Header Injection
  • PHP Unsafe Open Redirect
  • PHP Unsafe Parameter Tampering
  • Python Jwt Decode Without Verification
  • Python Jwt None Algorithm
  • Javascript Bunyan Log Forging
  • Javascript Log4Js Log Forging
  • Javascript Pino Log Forging
  • Javascript Winston Log Forging
  • PHP Sensitive Information Stored In Log
  • PHP User Input In Danger Function
  • Typescript Bunyan Log Forging
  • Typescript Log4Js Log Forging
  • Typescript Pino Log Forging
  • Typescript Winston Log Forging
• (SS) New rules:
  • WGET PASSWORD
  • ENV VALUE
  • HARDCODED CREDENTIALS

March

Release 13

• (IDE Plugin) Remove redundant repository selection pop-up when project is already open in IDE: Now our VSCode and Cursor extensions auto-detect the active repository when a project is already open, eliminating the repository selection pop-up.
• (ASPM) Standardize file input experience in Add File modal: Processing is now indicated via the Upload button loading state, with the modal closing on completion and feedback shown through global notifications.
• (ASPM) Minimum privilege for organizations and groups: Introduced per-organization and group activity tracking to replace the global last-activity check, enforcing least privilege by revoking access only for inactive orgs/groups while preserving access where the user remains active.
• (ASPM) Restrict environment and repository exclusion to privileged roles only: Restricted scope exclusion permissions to group managers only, preventing users and vulnerability managers from excluding environments or repositories and reinforcing least-privilege governance.
• (DB) Improve detail panel structure to show Base vs Adjusted CVSS + vectors: Scope now shows both Base (source) and Adjusted CVSS (Fluid) with vectors, clearly differentiating them to improve traceability and clarity.
• (SAST) New rules:
  • Dart Get Storage Insecure Data Storage
  • PHP Hardcoded Cryptographic Key
  • Scala Hardcoded Salt In Hash
  • Scala Hash Without Salt
  • PHP Hardcoded Salt In Hash
  • PHP Weak Encryption Size
  • Python Httpx Cleartext Sensitive Information
  • Dart Insecure Storage Of Sensitive Data
  • Go Path Traversal Open File
  • PHP Hardcoded Cryptographic Iv
  • Dart File Storage Of Sensitive Data
  • PHP Insufficiently Protected Credentials
  • Python Aiohttp Cleartext Sensitive Information
  • Python Urllib3 Cleartext Sensitive Information

Release 12

• (ASPM) Add supported and tested columns to Lines table: Added language support and Machine testing status columns to the Lines table for file-level visibility.
• (ASPM) Improve Groups filters: Updated Groups section filters to be functional and aligned with the target registration flow improvements.
• (ASPM) Add Cursor to Integrations: Added Cursor as an available option in the platform Integrations section.
• (ASPM) Restrict environment exclusion toggle to authorized roles: Limited the environment URL exclusion toggle to authorized roles, preventing unauthorized scope changes and vulnerability closures.
• (CI Gate) Show EPSS and reachability in SCA execution logs: Added EPSS score and reachability status to execution logs for SCA vulnerabilities.
• (SAST) New rules:
  • Scala Logging Of Sensitive Data
  • Swift Sensitive Data In External Storage
  • Swift Sensitive Data In Keyboard Logging
  • C Sharp User Input Generate Improper Output
  • C Sharp User Input In Content
  • Python Unencrypted Ftp Connection
  • Scala Redos With Untrusted Input
  • Scala Spring Session Fixation
  • PHP Unlink Path Traversal
  • Python Insecure Snmp Connection
  • Python Unencrypted Telnet Connection
  • Scala Hardcoded Password In Connection
  • Scala Unsafe Parameter Tampering
  • PHP Sensitive Information In Jwt
  • PHP Syslog Log Injection
  • PHP Use Of Hardcoded Password
  • PHP User Input Storage Sensitive Data
  • Python Requests Cleartext Sensitive Information

Release 11

• (MCP) SCA remediation with AI agents: Added repository context configuration to the MCP server, enabling autonomous SCA vulnerability remediation via AI agents.
• (ASPM) Display 'No fix available' guidance: Added actionable guidance when vulnerabilities have no remediation path (EOL packages, abandonware, pending fixes).
• (ASPM) Improve Location filter with selector and search options: Replaced free-text Location filter with a selector supporting nickname, base URL, prefix matching, and full-text search.
• (ASPM) Improve 'New Group' modal for target registration: Added target type and target evaluation stage fields to the New Group creation flow.
• (DB) Dynamic filter options: Filter options are now generated dynamically based on available results, preventing empty result combinations.
• (IDE Plugin) IDE SCA remediation options: Added multiple SCA remediation options to GenAI-powered fixes in the VSCode extension.
• (Docs) Add fix guide for transitive dependency vulnerabilities: Added guide covering lockfile refresh, overrides, and shrinkwrap removal strategies.
• (Docs) Add SAST and SCA GitHub Actions to CLI docs: Documented the new SAST and SCA GitHub Actions with auto-detected scan modes.
• (SAST) New rules:
  • Scala Ssl Hostname Verification Bypass
  • Scala Unsafe Xquery Injection
  • Scala Unsafe Xpath Injection
  • Scala Insecure Random Key Generation
  • Scala Cookie Missing Httponly
  • Scala Logging Of Sensitive Data
  • Swift Sensitive Data In Keyboard Logging
  • Swift Sensitive Data In External Storage

Release 10

(SAST) New rules:

• Python Django Open Redirect
• Python Fastapi Open Redirect
• Python Starlette Open Redirect
• Scala Use Unvalidated Forwards
• Swift User Input In Regular Expression
• Swift Information Exposure In Query String
• Python Fastapi Uncontrolled Format String
• Python Starlette Uncontrolled Format String
• Python Fastapi Sensitive Data Logging
• Python Starlette Sensitive Data Logging
• Scala Spring Unsafe Open Redirect
• Scala Spring Use Unvalidated Forwards
• Python Logging Config Insecure Listen
• Scala Secure Flag Not Set
• Swift Webview Xss Injection
• Javascript Unsafe Input Resource Injection
• Typescript Unsafe Input Resource Injection

February

Release 9

• (SCA) Add support for new package managers: Added support for CocoaPods (Podfile parser), Bun, and RubyGems (.gemspec) package managers.
• (SCA) Add SCA remediation options to vulnerability details: Added remediation options (closest min fix, safe fix, complete fix) for direct and transitive dependencies.
• (Docs & DB) Standardize central layout and sidebar widths: Constrained main content and sidebar widths on large screens to improve readability and layout consistency.
• (ASPM) Update Groups table to match new group modal: Updated the Groups section structure to align with the new group creation flow and target registration improvements.
• (ASPM) Allow editing environment authentication field: Enabled editing of the "Requires Authentication" field on existing environment records.
• (ASPM) Relocate CI Gate token and installation guide: Moved CI Gate token management and installation guide from Scope to DevSecOps section.
• (SAST) New rules:
  • Dart Unsafe Input Path Traversal Relative
  • Ruby Insufficiently Protected Credentials
  • Javascript Weak Password Encoding Base64
  • Python Boto3 Ssl Verification Bypass
  • Python Ssl Certificate Verification Bypass
  • Typescript Weak Password Encoding Base64
  • Python Aiohttp Ssl Verification Bypass
  • Python Websocket Ssl Verification Bypass
  • Ruby Hardcoded Session Secret Token
  • Scala Hardcoded Initialization Vector
  • Swift Hardcoded Password In Urlcredentials
  • Config Files Misconfiguration In Impersonation
  • Config Files Disabled Session Id Regeneration
  • Ruby Short Session Key
  • Scala Play Plaintext Storage Sensitive Data
  • Dart Tempfile Unencrypted Sensitive Information
  • Dart Native Language Cmd Injection
  • Scala Spring Plaintext Storage Sensitive Data
  • Scala Unsafe Open Redirect

Release 8

(SAST) New rules:

• Python Http Uncontrolled Cors Origin
• Python Wsgiref Uncontrolled Cors Origin
• C Sharp Sensitive Information In Logs
• C Sharp Jwt Sensitive Information Exposure
• Python Django Sensitive Data Logging
• Ruby Ssl Certificate Verification Bypass
• Scala Jwt Sensitive Information Exposure
• C Sharp CSRF Protection Disabled
• Python Django Uncontrolled Cors Origin
• Ruby Unsafe Open Redirect
• Config Files Insecure Cookieless Configuration
• Python Urllib3 Ssl Verification Bypass
• Python Hardcoded Password In Connection
• Ruby Sensitive Cookie Without Httponly
• C Sharp Hardcoded Credentials In Directory
• C Sharp Parameter Tampering In Email
• Python Httpx Ssl Verification Bypass

Release 7

• (DAST) Update scanner technique to MAST: Update APK scanner to replace DAST with MAST across the entire flow, including Docker image (mast scan config.yaml).
• (DB) Make general search bar index vulnerabilities: Extend the main search bar indexing to include vulnerabilities (e.g., CVE identifiers) for direct discovery and navigation.
• (DB) Add "View JSON" link to vulnerability's detail page: Add a "View JSON" link to vulnerability detail pages, pointing to the data.json endpoint and opening in a new tab.
• (DB) Improve Log in: Rename "Get started" to "Try for free" and add a clear ghost "Log in" button in the top bar. Align flow with design system, including avatar dropdown with user info and ghost "Log out."
• (DB) Scalable filter UX for Database: Group multiple vulnerability filters under the default Filter dropdown and remove highlighted filters. Reserve the highlighted filter for a single dominant case to ensure scalability and a clean hierarchy.
• (DB) LLMs.txt: Add an llms.txt endpoint to improve consumption of DB pages by LLMs.
• (IDE Plugin) Enhance IntelliJ sidebar: Add severity icons to the IntelliJ plugin sidebar, categorized by typology, to improve visual context and prioritization of weaknesses.
• (MCP) Add output file configuration to MCP scanner tool prompts: Add a default output section to YAML examples in MCP scanner tools to generate Fluid-Attacks-Results.csv instead of stdout-only results.
• (SAST) New rules:
  • C Sharp Session Cookie Injection
  • C Sharp Api Use Hardcoded Password
  • Ruby Sensitive Information Weak Sha1
  • Ruby Sensitive Information Weak Md5
  • Ruby Hardcoded Encryption Key
  • Ruby Weak Cipher Encryption
  • Ruby Weak Cipher Encryption Blowfish
  • Ruby Hardcoded Password In Connection
  • Ruby Unsafe Hardcoded Password
  • Python Flask Sensitive Data Logging
  • C Sharp Hardcoded Cryptographic Key

Release 6

• (Docs & DB) Add multiple authentication methods: Added Google, Microsoft, LinkedIn, Bitbucket, and internal login as authentication options.
• (DB) Add detection status to vulnerabilities: Added a flag indicating whether each vulnerability has been detected at least once.
• (ASPM) Add KEV and EPSS metrics to Package Details: Added KEV and EPSS metrics to the Package Details view to provide better vulnerability context for clients.
• (SAST) New rules:
  • JavaScript Dom Open Redirect
  • JavaScript Express Open Redirect
  • Typescript Dom Open Redirect
  • Typescript Express Open Redirect
  • Java Insufficiently Protected Credentials
  • Python Flask Uncontrolled Cors Origin
  • Java User Input Xquery Injection
  • Java Unsafe Parameter Tampering

January

Release 5

• (ASPM) Azure integration now supports Bug as a work item type: Our integration can create work items of type 'Bug', which is useful for users or clients whose projects do not have the 'Issue' type available.
• (SAST) New rules:
  • Java Uncontrolled Memory Allocation
  • JavaScript Kony Hardcoded Encryption Key
  • JavaScript Hardcoded Password In Connection
  • Typescript Kony Hardcoded Encryption Key
  • Typescript Hardcoded Password In Connection
  • Java Intent Sensitive Communication
  • JavaScript React Native Missing Masking
  • Typescript React Native Missing Masking
  • Python Django Uncontrolled Format String
  • Python Flask Uncontrolled Format String
  • Python Tornado Uncontrolled Format String
  • JavaScript Cordova Open Redirect
  • JavaScript Kony Url Injection
  • JavaScript SSL Verification Bypass
  • Typescript Cordova Open Redirect
  • Typescript Kony Url Injection
  • Typescript Ssl Verification Bypass
  • Java Unsafe Object Binding
  • Java Insecure Storage Sensitive Information
  • JavaScript Cordova File Manipulation
  • Typescript Cordova File Manipulation

Release 4

• (ASPM) Prevent accidental rejection of access invitations: An extra confirmation step was added to the platform's invitation flow to avoid accidental rejections caused by automated email link scanning.
• (SAST) New rules:
  • Go Insecure Temp File Creation
  • Java Unrestricted File Upload Spring
  • Java Ognl Expression Injection
  • Java Observable Time Discrepancy
  • Java Denial Of Service By Sleep
  • JavaScript Httponly Flag Not Set
  • JavaScript Insecure Samesite Cookie Attribute
  • Typescript Httponly Flag Not Set
  • Typescript Insecure Samesite Cookie Attribute
  • Java One Way Hash Without Salt
  • JavaScript Sensitive Information Weak Sha1
  • JavaScript Sensitive Information Weak Md5
  • Typescript Sensitive Information Weak Sha1
  • Typescript Sensitive Information Weak Md5
  • Java Cookie Without Validation

Release 3

• (ASPM) Warn users about potential additional costs when changing branches: A warning and checkboxes were added when users modify branches from a repository under the scope section to clarify that this action can impact the cost of the service.
• (SAST) New rules:
  • Go Unencrypted Ftp Connection
  • Go Unencrypted Telnet Connection
  • Java Use Of Hardcoded Password
  • JavaScript Insecure Sce Configuration
  • Java Spring Session Fixation
  • Java Empty Password Connection
  • JavaScript Client CSS Injection
  • Typescript Client CSS Injection
  • Go Zip Slip Path Traversal
  • Java Unvalidated Forwards Use
  • JavaScript Email Headers Forgery
  • Typescript Email Headers Forgery

Release 2

• (ASPM) Mark AI-detected vulnerabilities (AI SAST): Added a visual AI indicator to AI SAST findings to highlight the new technique.
• (SAST) New rules:
  • Javascript Dom Stored Xss
  • Typescript Dom Stored Xss
  • Javascript Client Dom Xss
  • Typescript Client Dom Xss
  • Javascript Unsafe Deserialization Untrusted Data
  • Javascript Unsafe Module Inclusion
  • Javascript Unsafe Require Module Inclusion
  • Typescript Unsafe Deserialization Untrusted Data
  • Typescript Unsafe Module Inclusion
  • Typescript Unsafe Require Module Inclusion
  • Go Insecure Http Server
  • Go Cleartext Sensitive Information

Release 1

(SAST) New rules:

• F064 Java session id not regenerated
• F014 Dart mirrors unsafe reflection