2026

Last updated: Jun 24, 2026

---

June

Release 25

• (DAST-WEB) New rules:

  • Http Exposed Management Endpoint
  • Http Ssti In Body

• (SAST) New rules:

  • Dart Dio Cleartext Sensitive Information
  • Dart Io Insecure Channel Websocket
  • Javascript Vue Client Side Template Injection
  • Typescript Vue Client Side Template Injection
  • Yaml Ansible Not Validated Certificates

• (SS) New rules:

  • Aiven Api Key
  • Assemblyai Api Key
  • Aws Cognito Secret Key
  • Clarifai Api Key
  • Cohere Api Key
  • Deepgram Api Key
  • Elastic Api Key
  • Langchain Api Key
  • Langfuse Api Key
  • Mistral Api Key
  • MongoDB Connection String
  • New Relic API Key
  • Perplexity Api Key
  • Pinecone Api Key
  • PostgreSQL Connection String
  • Replicate Api Key
  • Scaleway Secret Key
  • Vultr Api Key

• (SCA) New support:

  • Ruby runtime CVE detection from .gemspec: Runtime CVE detection is now supported for Ruby projects using .gemspec files.
  • Python runtime CVE detection from Pipfile and Pipfile.lock: Runtime CVE detection is now supported for Python projects using Pipfile and Pipfile.lock.

• (Reachability) New rules:

  • CVE-2020-13756
  • CVE-2025-70974

Release 24

• (SCA) Runtime support for Go: Runtime reachability analysis is now supported for Go projects.

• (SCA) Runtime support for Ruby: Runtime reachability analysis is now supported for Ruby projects.

• (IDE Plugin) SCA custom fix in IntelliJ IDEA: Developers can now view the custom fix for SCA vulnerabilities directly from IntelliJ IDEA.

• (AI SAST) Expanded authorization coverage: The AI-assisted SAST scanner now detects additional authorization vulnerability patterns.

• (DAST-WEB) New rules:

  • Http Cross Origin Resource Policy Missing
  • Http Response Cache Not Restricted
  • Http Sensitive Persistent Cookie
  • Http Technical Info Leak
  • Ssl Tls Server Accepts Null Cipher Suite

• (SAST) New rules:

  • Dart Clipboard Sensitive Data
  • Dart Cryptography Argon2 Weak Memory
  • Dart Cryptography Argon2 Weak Hash Length
  • Dart Http Cleartext Sensitive Information
  • Dart Inappwebview Unsafe File Access
  • Dart Io Cleartext Sensitive Information
  • Dart Pointycastle Argon2 Weak Hash Length

• (SS) New rules:

  • Mailgun API Key
  • Mailgun API Key Legacy
  • MaxMind License Key
  • MessageBird API Key
  • Microsoft Webhook URL
  • Netlify Access Token
  • Netlify Personal Access Token
  • Notion API Token
  • NVIDIA API Key
  • Okta API Token
  • PagerDuty API Token
  • Plaid Access Token
  • PlanetScale API Token

• (Reachability) New rules:

  • CVE-2017-18349
  • CVE-2020-9547
  • CVE-2020-9548
  • CVE-2022-29078
  • CVE-2022-42889
  • CVE-2023-44467
  • CVE-2023-47248

Release 23

• (IDE Plugin) SCA autofix for Python: pip, Poetry, Pipenv, and uv are now supported, enabling one-click SCA dependency fixes for Python projects from the Fluid Attacks IDE extensions.

• (DAST-WEB) New rules:

  • Dns Missing Spf Record
  • Http Sensitive Fields In Response Body
  • Http Sensitive Info In Url
  • Ssl Tls Certificate Weak Signature Md5
  • Ssl Tls Certificate Weak Signature Sha1

• (DAST-API) New rules:

  • Api Sensitive Fields Unmasked

• (SAST) New rules:

  • Dart Cryptography Pbkdf2 Weak Key Length
  • Dart Ftp Unencrypted Connection
  • Dart Information Exposure In Query String
  • Dart Io Httpserver Insecure Bind
  • Dart Pointycastle Argon2 Weak Memory
  • Dart Shelf Server Insecure Bind
  • Dart Smtp Unencrypted Connection
  • Go Gin Insecure Samesite Cookie Attribute
  • Go Insecure Samesite Cookie Attribute
  • Go Mysql Empty Password In Dsn

• (SS) New rules:

  • DeepSeek API Key
  • HashiCorp Token
  • Heroku API Key
  • HubSpot API Token
  • HuggingFace Access Token
  • IBM API Key
  • Intercom API Key
  • JFrog API Key
  • JSON API Key
  • LaunchDarkly API Key
  • Linear API Token
  • Lob API Key
  • Mailchimp API Key
  • Mapbox API Token

May

Release 22

• (ASPM) Accuracy SLA now available on the platform: Customers with at least one group in the Advanced plan can now see their Accuracy SLA directly on the platform.

• (SCA) Elixir support: Hex is now supported as a package manager, enabling SCA scanning for Elixir projects.

• (SCA) Rust support: Cargo is now supported as a package manager, enabling SCA scanning for Rust projects.

• (DAST-WEB) New rules:

  • Http Insecure Digest Auth
  • Http Insecure Form Action To Http
  • Http Mixed Content
  • Http X Chromelogger Data Leak
  • Ssl Tls Server Accepts Short Rsa Key

• (DAST-API) New rules:

  • Api Default Credentials Accepted
  • Api Empty Credential Login
  • Api Weak Password Policy

• (SAST) New rules:

  • Dart Cryptography Pbkdf2 Weak Iterations
  • Dart Grpc Client Insecure Connection
  • Dart Grpc Server Insecure Connection
  • Dart Inappwebview Insecure Mixed Content
  • Dart Pointycastle Pbkdf2 Weak Iterations
  • Dart Pointycastle Pbkdf2 Weak Key Length
  • Dart Postgres Insecure Connection
  • Dart Postgres Ssl Verification Bypass
  • Go Deprecated Encryption Function Use
  • Go Deprecated Pemblock Encryption Functions
  • Go Hardcoded Salt In Pbkdf2
  • Go Insufficient Bcrypt Cost
  • Go Insecure Scrypt Parameters
  • Go Jwt Without Claims Validation
  • Go Pbkdf2 Insufficient Iteration Count
  • Go Redos Vulnerable Regex

• (SS) New rules:

  • Dynatrace API Token
  • Facebook Access Token
  • Fastly API Token
  • Figma Personal Access Token
  • Flutterwave Secret Key
  • FrameIO API Token
  • GCP API Key
  • GCP Service Account Key
  • GitLab Personal Access Token
  • GitLab API Token
  • GoCardless API Token
  • Grafana API Token
  • Grafana API Key
  • Grafana Token
  • Groq API Key

Release 21

• (DB) Common name search for weaknesses: Users can now search weaknesses in the Database using common vulnerability names such as IDOR, BOLA, or Broken Access Control, without needing to know their formal name.

• (DAST-WEB) New rules:

  • Http Content Type Header Missing
  • Http Serves Content Over Http

• (SAST) New rules:

  • Dart Cryptography Hardcoded Salt
  • Dart Cryptography Weak Rsa Key Size
  • Dart Grpc Ssl Verification Bypass
  • Dart Pointycastle Argon2 Hardcoded Salt
  • Dart Pointycastle Weak Rsa Key Size
  • Dart Webview Flutter Ssl Verification Bypass
  • Go Deprecated Dsa Functions Use
  • Go Gorm Plaintext Storage Of Password
  • Go Hardcoded Aws Secret Access Key
  • Go Insufficient Kdf Output Length
  • Go Sql Plaintext Storage Of Password
  • Go Unsafe Logger Injection
  • Javascript Express Directory Listing
  • Ruby Debugger Mode Use
  • Ruby Error Information Disclosure
  • Ruby Xss In Raw Helper
  • Typescript Express Directory Listing

• (SS) New rules:

  • Azure API Key
  • DigitalOcean Personal Access Token
  • Discord Webhook URL
  • Doppler Token
  • DroneCI Access Token
  • Dropbox Access Token
  • Duffel API Token

Release 20

• (IDE Plugin) Right-click link to criteria, platform and vulnerability description in IntelliJ IDEA: Right-clicking a vulnerability in the IntelliJ IDEA plugin now provides a direct link to its criteria page, platform entry, and vulnerability description on db.fluidattacks.com, improving developer context while triaging findings.

• (ASPM) Scope banner with registered inputs count: A new informational banner in the Scope section now displays a count summary of all registered inputs, giving teams an at-a-glance view of their attack surface coverage.

• (DB) Filter rules by weakness: The rules filter in the Database now supports filtering by weakness, allowing users to quickly narrow down rules associated with a specific security weakness.

• (DB) Improved KEV exploit source count: The KEV signal now shows the number of independent sources that report an existing exploit (0–n sources), replacing the previous binary display to support clearer vulnerability prioritization.

• (DB) Reachability support filter: A new filter for reachability support has been added to the Database, enabling users to surface only vulnerabilities for which reachability analysis is available.

• (DB) Events filter: A new Events filter has been added to the Database, allowing users to filter vulnerabilities that have associated news articles or external internet references.

• (DAST-WEB) New rules:

  • Http Cors Wildcard Origin
  • Http Open Redirect In Query Params
  • Http Ssti In Query Params

• (SAST) New rules:

  • Dart Cryptography Insecure Random Key Generation
  • Dart Inappwebview Ssl Verification Bypass
  • Dart Io Ssl Verification Bypass
  • Dart Weak Hash Md5
  • Dart Weak Hash Sha1
  • Go Sensitive Information In Logs
  • Go Trust Proxy On
  • Go Unsafe Open Redirect
  • Javascript Bunyan Sensitive Information In Logs
  • Javascript Jwt Lack Of Expiration
  • Javascript Log4Js Sensitive Information In Logs
  • Javascript Pino Sensitive Information In Logs
  • Javascript Sensitive Information Get Request
  • Javascript Sensitive Information In Url
  • Javascript Sensitive Information Indexeddb
  • Javascript Winston Sensitive Information In Logs
  • Ruby Logger Injection In Rails
  • Ruby Sensitive Information In Logger
  • Ruby Sensitive Persistent Cookie
  • Ruby Session Jwt Lack Of Expiration
  • Ruby Use Of Insecure Random Function
  • Ruby Use Of Marshal Dangerous Function
  • Scala Deprecated Defaulthttpclient Use
  • Scala Integer Overflow In Spring
  • Typescript Bunyan Sensitive Information In Logs
  • Typescript Jwt Lack Of Expiration
  • Typescript Log4Js Sensitive Information In Logs
  • Typescript Pino Sensitive Information In Logs
  • Typescript Sensitive Information Get Request
  • Typescript Sensitive Information In Url
  • Typescript Sensitive Information Indexeddb
  • Typescript Winston Sensitive Information In Logs

• (SS) New rules:

  • Azure DevOps Personal Access Token
  • Azure Blob SAS Token
  • Beamer API Token
  • Bitbucket App Password
  • Buildkite API Token
  • CircleCI API Token
  • Confluent Cloud API Key
  • Confluent Cloud API Secret

• (Reachability) New rules:

  • CVE-2011-4969
  • CVE-2012-6708
  • CVE-2015-6096
  • CVE-2015-9251
  • CVE-2016-10735
  • CVE-2018-14040
  • CVE-2018-14042
  • CVE-2018-20676
  • CVE-2018-20677
  • CVE-2019-11358
  • CVE-2019-12415
  • CVE-2019-20149
  • CVE-2019-8331
  • CVE-2020-11022
  • CVE-2020-11023
  • CVE-2020-12265
  • CVE-2020-15250
  • CVE-2020-15366
  • CVE-2020-23064
  • CVE-2020-28469
  • CVE-2020-28472
  • CVE-2020-36518
  • CVE-2020-7598
  • CVE-2020-7608
  • CVE-2020-7656
  • CVE-2020-7729
  • CVE-2020-7774
  • CVE-2020-7788
  • CVE-2020-9488
  • CVE-2021-23343
  • CVE-2021-23362
  • CVE-2021-23364
  • CVE-2021-23368
  • CVE-2021-23424
  • CVE-2021-29425
  • CVE-2021-32640
  • CVE-2021-32804
  • CVE-2021-33623
  • CVE-2021-37701
  • CVE-2021-37713
  • CVE-2021-3803
  • CVE-2021-3807
  • CVE-2021-43138
  • CVE-2022-0122
  • CVE-2022-0155
  • CVE-2022-0235
  • CVE-2022-0436
  • CVE-2022-0536
  • CVE-2022-1537
  • CVE-2022-23539
  • CVE-2022-24771
  • CVE-2022-24772
  • CVE-2022-24773
  • CVE-2022-24999
  • CVE-2022-25858
  • CVE-2022-25883
  • CVE-2022-33987
  • CVE-2022-3517
  • CVE-2022-36313
  • CVE-2022-37599
  • CVE-2022-37601
  • CVE-2022-37603
  • CVE-2022-38778
  • CVE-2022-38900
  • CVE-2022-45688
  • CVE-2022-46175
  • CVE-2023-0842
  • CVE-2023-26115
  • CVE-2023-26136
  • CVE-2023-26159
  • CVE-2023-36665
  • CVE-2023-44270
  • CVE-2023-45133
  • CVE-2023-5072
  • CVE-2024-11831
  • CVE-2024-21536
  • CVE-2024-28849
  • CVE-2024-28863
  • CVE-2024-29041
  • CVE-2024-29180
  • CVE-2024-29409
  • CVE-2024-37890
  • CVE-2024-4067
  • CVE-2024-4068
  • CVE-2024-43799
  • CVE-2024-43800
  • CVE-2024-45296
  • CVE-2024-47081
  • CVE-2024-47554
  • CVE-2024-47764
  • CVE-2024-52798
  • CVE-2024-55565
  • CVE-2025-12758
  • CVE-2025-12816
  • CVE-2025-13465
  • CVE-2025-15284
  • CVE-2025-22870
  • CVE-2025-27152
  • CVE-2025-27789
  • CVE-2025-32996
  • CVE-2025-32997
  • CVE-2025-46653
  • CVE-2025-47935
  • CVE-2025-47944
  • CVE-2025-48924
  • CVE-2025-48997
  • CVE-2025-50537
  • CVE-2025-58754
  • CVE-2025-5889
  • CVE-2025-62718
  • CVE-2025-64718
  • CVE-2025-65945
  • CVE-2025-66030
  • CVE-2025-66031
  • CVE-2025-66035
  • CVE-2025-66471
  • CVE-2025-68157
  • CVE-2025-69873
  • CVE-2025-7338
  • CVE-2025-7339
  • CVE-2025-7783
  • CVE-2025-9288
  • CVE-2026-21441
  • CVE-2026-23745
  • CVE-2026-2391
  • CVE-2026-23950
  • CVE-2026-24001
  • CVE-2026-24842
  • CVE-2026-25128
  • CVE-2026-25547
  • CVE-2026-25639
  • CVE-2026-25896
  • CVE-2026-26278
  • CVE-2026-26960
  • CVE-2026-26996
  • CVE-2026-2739
  • CVE-2026-27606
  • CVE-2026-27903
  • CVE-2026-27904
  • CVE-2026-27942
  • CVE-2026-29063
  • CVE-2026-2950
  • CVE-2026-29786
  • CVE-2026-31802
  • CVE-2026-31808
  • CVE-2026-32141
  • CVE-2026-32630
  • CVE-2026-33036
  • CVE-2026-33228
  • CVE-2026-33349
  • CVE-2026-33532
  • CVE-2026-33671
  • CVE-2026-33672
  • CVE-2026-33750
  • CVE-2026-33891
  • CVE-2026-33894
  • CVE-2026-33895
  • CVE-2026-33896
  • CVE-2026-33916
  • CVE-2026-33937
  • CVE-2026-33938
  • CVE-2026-33939
  • CVE-2026-33940
  • CVE-2026-34043
  • CVE-2026-3449
  • CVE-2026-39865
  • CVE-2026-40175
  • CVE-2026-41242
  • CVE-2026-4800
  • CVE-2026-4867
  • CVE-2026-4923

Release 19

• (DAST-WEB) New rules:
  • Http Path Traversal In Query Params
  • Http Path Traversal In Url Path
  • Http Directory Listing Enabled
  • Http Sensitive File Exposed
  • Http Sql Missing Validations Error Message
• (DAST-API) New rules:
  • Api Missing Authentication
• (SAST) New rules:
  • Dart Cryptography Hardcoded Nonce
  • Dart Insecure Storage Sql Injection
  • Go Hardcoded Amqp Password
  • Go Hardcoded Mongodb Password
  • Go Hardcoded Redis Password
  • Typescript Nest Mssql Injection
  • Java Server Information Exposure
  • Ruby Hardcoded Key For Token
  • Scala Hardcoded Key In Secretkeyspec
  • Scala Header Insecure Cors Configuration
  • Scala Random Hardcoded Seed
  • Scala Secure Random Hardcoded Seed Unsafe
  • Scala Hardcoded Keyparameter Use
  • Scala Hardcoded Password In Pbekeyspec
• (SS) New rules:
  • Airtable Personal Access Token
  • Algolia Admin API Key
  • Alibaba Cloud Access Key ID
  • Alibaba Cloud Access Key Secret
  • Atlassian API Token
  • AWS Secret Access Key
  • AWS Session Token Access Key ID

April

Release 18

• (Compliance) Enterprise-Grade Security & Compliance Certifications: Fluid Attacks achieved ISO/IEC 27001 and ISO/IEC 27701 certification, with controls aligned to ISO/IEC 27017 and ISO/IEC 27018, a SOC 2 attestation and SOC 3 report, PCI DSS validation, and measures designed to support GDPR compliance.
• (ASPM) The Health Check filter in the Git Repositories table now includes a third option: "Requested," which was previously missing. Filter labels have also been aligned with the values shown in the table column, changing "Yes" / "No" to "Included" / "Not included" / "Requested" for consistency.
• (DB) Defines filters have been updated to recognize and expose the Rust ecosystem properly: Support for Rust advisories was previously available only at the data/source level; it is now fully reflected in the filter interface.
• (IDE Plugin) SCA autofix for JavaScript: npm, Yarn, and Bun are now supported, enabling one-click SCA dependency fixes for JavaScript projects from the Fluid Attacks IDE extensions.
• (SAST) New rules:
  • Dart Hardcoded Http client Credentials
  • Dart Jaguar Hardcoded Jwt Secret
  • Dart Jsonwebtoken Hardcoded Jwt Secret
  • Java Insecure File Permissions
  • Java Redos User Input In Compile
  • Java Unsafe Header X Frame Options
  • Java Use Of Insecure Random
  • Typescript Nest Typeorm Sql Injection
  • Dart Hardcoded Crypto Iv
  • Typescript Nest Mysql Injection
  • Typescript Nest Pg Sql Injection
  • Go Hardcoded PostgreSQL Password
  • Java Data Leak Through Persistent Cookie
  • Json Yaml Secrets Manager Privileges
  • Typescript Nest Oracle Sql Injection
  • Typescript Nest Sqlite Injection

Release 17

• (ASPM) Add filters.rootNickname in vulnerabilities: Added a filters.rootNickname parameter to group.vulnerabilities and finding.vulnerabilities, allowing API users to filter vulnerabilities by root directly instead of relying on ambiguous combinations of search, where, and whereStartsWith.
• (CI Gate) Add GitHub action: Added a custom GitHub Action for the CI Agent, enabling clients to integrate it directly into their CI pipelines without manual setup or configuration.
• (SS) New rules:
  • Anthropic API Key
  • Databricks Personal Access Token
  • GitHub Personal Access Token
  • npm Access Token
  • OpenAI API Key
  • PyPI Upload Token
  • RubyGems API Token
  • Slack Incoming Webhook URL
  • Stripe Live Secret or Restricted Key
  • Terraform Cloud API Token
• (DAST-WEB) New rules:
  • Http Trace Enabled
  • Ssl Tls Certificate Revocation Not Checked
• (SAST) New rules:
  • Java Vulnerable Spring Escape False
  • Php Unsafe Target Blank Use
  • Typescript Insecure Nest Injection
  • Typescript Nest Sequelize Sql Injection
  • Java Secure Random Hardcoded Seed Unsafe
  • Javascript Express Fetch SSRF
  • Javascript Express Http Https SSRF
  • Typescript Express Fetch SSRF
  • Typescript Express Http Https SSRF
  • Typescript Unsafe Nest Axios SSRF
  • Typescript Unsafe Nest Fetch SSRF
  • Typescript Unsafe Nest Http Https SSRF
  • Dart Webview Html Injection
  • Dart Xss Public Storage Webview Injection
  • Java Sensitive Information In Log4j Log
  • Java Sensitive Information In Slf4j Log
  • Java password field Missing Masking
  • Dart Hardcoded Password In Connection
  • Dart Smtp Hardcoded Password
  • Java Hardcoded Key parameter Use

Release 16

• (ASPM) Improve "Add environment" flow: reorder fields and add Frontend/Backend distinction: Restructured the “Add environment” modal to improve configuration flow, introducing a clearer order for environment type, connection method, production context, frontend/backend URL classification, and conditional authentication settings with contextual guidance.
• (CI GATE, CSPM, DAST, MAST, SCA, SAST) Deploy public container images to GHCR alongside DockerHub: Published public scanner images to GitHub Container Registry (GHCR) and migrated them to the centralized container-builder for unified CI workflows and multi-arch support.
• (DB) Enhancing EPSS Value with Temporal Context: Added a tooltip with a last-updated timestamp to the EPSS field, giving clear visibility into how current the data is and supporting more confident, informed vulnerability prioritization.
• (DB) Original filter for DB: Added an Original Severity filter to the vulnerabilities page, allowing users to filter by CVE source severity alongside the existing adjusted severity filter.
• (SS) Add secret scan github action: Added infrastructure and a GitHub Action for the new secret scanner, including Docker image creation and publishing to DockerHub and GHCR.
• (SS) New rules:
  • DOCKER HUB ACCESS TOKEN
  • EXPOSED CREDENTIALS
  • SLACK TOKEN
• (DAST-API) New rules:
  • API Permissive Cors Policy
• (DAST-WEB) New rules:
  • HTTP Cookie Missing Cache Control
• (SAST) New rules:
  • Go Hardcoded Cryptographic Key
  • Javascript Marsdb Nosql Injection
  • PHP Curl Unsafe X Frame Options
  • PHP Mb Send Mail Parameter Tampering
  • PHP Unsafe Header X Frame Options
  • Typescript Marsdb Nosql Injection
  • Javascript Insecure Deprecated Encryption
  • PHP Parse Value Shadowing
  • Typescript Insecure Deprecated Encryption
  • Go Email Content Forgery
  • Go Email Headers Forgery
  • Go Weak Rsa Key Size
  • Java Unsafe Logger Injection
  • Javascript Cryptojs Passphrase Mode
  • Javascript Injection Of Untrusted Content
  • Javascript Reflected Xss Protection Header
  • Typescript Cryptojs Passphrase Mode
  • Typescript Injection Of Untrusted Content
  • Typescript Reflected Xss Protection Header

Release 15

• (SCA) Add severity field and severity threshold to scanner output: Added cvss_v4_severity to scan results and a strictness_threshold config flag to fail pipelines only when vulnerabilities at or above the configured severity floor are found.
• (IDE Plugin) Improve authentication and loading messages in IntelliJ plugin: Added visual state indicators (spinner, alert, and check icons) and adjusted dark mode contrast using standardized colors for clearer feedback during authentication and vulnerability loading.
• (ASPM) Redesign Groups data panel to show attack surface and vulnerabilities: Added new Attack Surface and Vulnerability Summary sections, including repository coverage metrics (with/without OAuth) and a detailed breakdown of total vulnerabilities, CVSSF, and severity distribution.
• (ASPM) Migrate platform authentication to Auth0: Replaced in-house Google, Microsoft, and Bitbucket authentication flows with Auth0, enabling built-in MFA, OTP, and third-party integrations while reducing application complexity.
• (ASPM) Track severity updates in vulnerability and weakness history: Approving a severity update now records a timestamped entry in both the vulnerability and weakness tracking timelines.
• (SAST) New rules:
  • Javascript Crypto Unsafe Empty Password
  • Javascript Insecure Sensitive Information File Storage
  • PHP Ssl Verification Disabled Setopt
  • PHP Unsafe User Controlled Variable
  • Python Fastapi Html Injection
  • Python Starlette Html Injection
  • Typescript Crypto Unsafe Empty Password
  • Typescript Insecure Sensitive Information File Storage
  • Javascript Bcrypt Unsafe Empty Password
  • Javascript Jwt Unsafe Empty Password
  • Javascript Sensitive Information In Jwt
  • Javascript Sequelize Unsafe Empty Password
  • PHP Insecure Samesite Cookie Attribute
  • Typescript Bcrypt Unsafe Empty Password
  • Typescript Jwt Unsafe Empty Password
  • Typescript Sensitive Information In Jwt
  • Typescript Sequelize Unsafe Empty Password
  • Go Insecure Random Key Generation
  • Python Django Path Traversal
  • Python Django Reflected Xss
  • Python Fastapi Path Traversal
  • Python Starlette Path Traversal
  • Javascript Manual CSRF Token Handling Ajax
  • Javascript Manual CSRF Token Handling Axios
  • Javascript Manual CSRF Token Handling Fetch
  • Javascript Manual CSRF Token Handling Xhr
  • Javascript Unsafe Csv Injection Csv Writer
  • Javascript Unsafe Csv Injection Fast Csv
  • Javascript Unsafe Csv Injection Fs
  • PHP Regex With User Input
  • Typescript Manual CSRF Token Handling Ajax
  • Typescript Manual CSRF Token Handling Axios
  • Typescript Manual CSRF Token Handling Fetch
  • Typescript Manual CSRF Token Handling Xhr
  • Typescript Unsafe Csv Injection Csv Writer
  • Typescript Unsafe Csv Injection Fast Csv
  • Typescript Unsafe Csv Injection Fs
  • PHP Command Argument Injection
  • PHP Insecure Channel Use Websocket Client
  • PHP Mb Send Mail Header Injection
  • PHP Session Trust Boundary Violation
• (SS) New rules:
  • SONAR TOKEN
  • AWS KEY
  • DB CONNECTION STRING
  • PRIVATE PEM KEY
  • PRIVATE SSH KEY

Release 14

• (DB) Improve Fixes section: Reorganized the Fixes section with top-level groupings (Code, Infrastructure, Packages), introducing a dedicated SCA navigation model (Ecosystem → Fix) with initial coverage for TypeScript, Python, and Kotlin.
• (DB) Add Exploit signal (ordinal) and improve EPSS display: Added exploit availability as an ordinal signal (0–n sources) with filterable groupings and simplified EPSS display format to support clearer vulnerability prioritization.
• (SAST) New rules:
  • Html Import Map Missing Integrity
  • Javascript Kony Browser Html String
  • PHP Laravel Open Redirect
  • Python SSRF Session Unvalidated Url
  • Typescript Kony Browser Html String
  • Go Smtp Hardcoded Password
  • Go Use Of Hardcoded Password
  • PHP Mail Header Injection
  • PHP Unsafe Open Redirect
  • PHP Unsafe Parameter Tampering
  • Python Jwt Decode Without Verification
  • Python Jwt None Algorithm
  • Javascript Bunyan Log Forging
  • Javascript Log4Js Log Forging
  • Javascript Pino Log Forging
  • Javascript Winston Log Forging
  • PHP Sensitive Information Stored In Log
  • PHP User Input In Danger Function
  • Typescript Bunyan Log Forging
  • Typescript Log4Js Log Forging
  • Typescript Pino Log Forging
  • Typescript Winston Log Forging
• (SS) New rules:
  • WGET PASSWORD
  • ENV VALUE
  • HARDCODED CREDENTIALS

March

Release 13

• (IDE Plugin) Remove redundant repository selection pop-up when project is already open in IDE: Now our VSCode and Cursor extensions auto-detect the active repository when a project is already open, eliminating the repository selection pop-up.
• (ASPM) Standardize file input experience in Add File modal: Processing is now indicated via the Upload button loading state, with the modal closing on completion and feedback shown through global notifications.
• (ASPM) Minimum privilege for organizations and groups: Introduced per-organization and group activity tracking to replace the global last-activity check, enforcing least privilege by revoking access only for inactive orgs/groups while preserving access where the user remains active.
• (ASPM) Restrict environment and repository exclusion to privileged roles only: Restricted scope exclusion permissions to group managers only, preventing users and vulnerability managers from excluding environments or repositories and reinforcing least-privilege governance.
• (DB) Improve detail panel structure to show Base vs Adjusted CVSS + vectors: Scope now shows both Base (source) and Adjusted CVSS (Fluid) with vectors, clearly differentiating them to improve traceability and clarity.
• (SAST) New rules:
  • Dart Get Storage Insecure Data Storage
  • PHP Hardcoded Cryptographic Key
  • Scala Hardcoded Salt In Hash
  • Scala Hash Without Salt
  • PHP Hardcoded Salt In Hash
  • PHP Weak Encryption Size
  • Python Httpx Cleartext Sensitive Information
  • Dart Insecure Storage Of Sensitive Data
  • Go Path Traversal Open File
  • PHP Hardcoded Cryptographic Iv
  • Dart File Storage Of Sensitive Data
  • PHP Insufficiently Protected Credentials
  • Python Aiohttp Cleartext Sensitive Information
  • Python Urllib3 Cleartext Sensitive Information

Release 12

• (ASPM) Add supported and tested columns to Lines table: Added language support and Machine testing status columns to the Lines table for file-level visibility.
• (ASPM) Improve Groups filters: Updated Groups section filters to be functional and aligned with the target registration flow improvements.
• (ASPM) Add Cursor to Integrations: Added Cursor as an available option in the platform Integrations section.
• (ASPM) Restrict environment exclusion toggle to authorized roles: Limited the environment URL exclusion toggle to authorized roles, preventing unauthorized scope changes and vulnerability closures.
• (CI Gate) Show EPSS and reachability in SCA execution logs: Added EPSS score and reachability status to execution logs for SCA vulnerabilities.
• (SAST) New rules:
  • Scala Logging Of Sensitive Data
  • Swift Sensitive Data In External Storage
  • Swift Sensitive Data In Keyboard Logging
  • C Sharp User Input Generate Improper Output
  • C Sharp User Input In Content
  • Python Unencrypted Ftp Connection
  • Scala Redos With Untrusted Input
  • Scala Spring Session Fixation
  • PHP Unlink Path Traversal
  • Python Insecure Snmp Connection
  • Python Unencrypted Telnet Connection
  • Scala Hardcoded Password In Connection
  • Scala Unsafe Parameter Tampering
  • PHP Sensitive Information In Jwt
  • PHP Syslog Log Injection
  • PHP Use Of Hardcoded Password
  • PHP User Input Storage Sensitive Data
  • Python Requests Cleartext Sensitive Information

Release 11

• (MCP) SCA remediation with AI agents: Added repository context configuration to the MCP server, enabling autonomous SCA vulnerability remediation via AI agents.
• (ASPM) Display 'No fix available' guidance: Added actionable guidance when vulnerabilities have no remediation path (EOL packages, abandonware, pending fixes).
• (ASPM) Improve Location filter with selector and search options: Replaced free-text Location filter with a selector supporting nickname, base URL, prefix matching, and full-text search.
• (ASPM) Improve 'New Group' modal for target registration: Added target type and target evaluation stage fields to the New Group creation flow.
• (DB) Dynamic filter options: Filter options are now generated dynamically based on available results, preventing empty result combinations.
• (IDE Plugin) IDE SCA remediation options: Added multiple SCA remediation options to GenAI-powered fixes in the VSCode extension.
• (Docs) Add fix guide for transitive dependency vulnerabilities: Added guide covering lockfile refresh, overrides, and shrinkwrap removal strategies.
• (Docs) Add SAST and SCA GitHub Actions to CLI docs: Documented the new SAST and SCA GitHub Actions with auto-detected scan modes.
• (SAST) New rules:
  • Scala Ssl Hostname Verification Bypass
  • Scala Unsafe Xquery Injection
  • Scala Unsafe Xpath Injection
  • Scala Insecure Random Key Generation
  • Scala Cookie Missing Httponly
  • Scala Logging Of Sensitive Data
  • Swift Sensitive Data In Keyboard Logging
  • Swift Sensitive Data In External Storage

Release 10

(SAST) New rules:

• Python Django Open Redirect
• Python Fastapi Open Redirect
• Python Starlette Open Redirect
• Scala Use Unvalidated Forwards
• Swift User Input In Regular Expression
• Swift Information Exposure In Query String
• Python Fastapi Uncontrolled Format String
• Python Starlette Uncontrolled Format String
• Python Fastapi Sensitive Data Logging
• Python Starlette Sensitive Data Logging
• Scala Spring Unsafe Open Redirect
• Scala Spring Use Unvalidated Forwards
• Python Logging Config Insecure Listen
• Scala Secure Flag Not Set
• Swift Webview Xss Injection
• Javascript Unsafe Input Resource Injection
• Typescript Unsafe Input Resource Injection

February

Release 9

• (SCA) Add support for new package managers: Added support for CocoaPods (Podfile parser), Bun, and RubyGems (.gemspec) package managers.
• (SCA) Add SCA remediation options to vulnerability details: Added remediation options (closest min fix, safe fix, complete fix) for direct and transitive dependencies.
• (Docs & DB) Standardize central layout and sidebar widths: Constrained main content and sidebar widths on large screens to improve readability and layout consistency.
• (ASPM) Update Groups table to match new group modal: Updated the Groups section structure to align with the new group creation flow and target registration improvements.
• (ASPM) Allow editing environment authentication field: Enabled editing of the "Requires Authentication" field on existing environment records.
• (ASPM) Relocate CI Gate token and installation guide: Moved CI Gate token management and installation guide from Scope to DevSecOps section.
• (SAST) New rules:
  • Dart Unsafe Input Path Traversal Relative
  • Ruby Insufficiently Protected Credentials
  • Javascript Weak Password Encoding Base64
  • Python Boto3 Ssl Verification Bypass
  • Python Ssl Certificate Verification Bypass
  • Typescript Weak Password Encoding Base64
  • Python Aiohttp Ssl Verification Bypass
  • Python Websocket Ssl Verification Bypass
  • Ruby Hardcoded Session Secret Token
  • Scala Hardcoded Initialization Vector
  • Swift Hardcoded Password In Urlcredentials
  • Config Files Misconfiguration In Impersonation
  • Config Files Disabled Session Id Regeneration
  • Ruby Short Session Key
  • Scala Play Plaintext Storage Sensitive Data
  • Dart Tempfile Unencrypted Sensitive Information
  • Dart Native Language Cmd Injection
  • Scala Spring Plaintext Storage Sensitive Data
  • Scala Unsafe Open Redirect

Release 8

(SAST) New rules:

• Python Http Uncontrolled Cors Origin
• Python Wsgiref Uncontrolled Cors Origin
• C Sharp Sensitive Information In Logs
• C Sharp Jwt Sensitive Information Exposure
• Python Django Sensitive Data Logging
• Ruby Ssl Certificate Verification Bypass
• Scala Jwt Sensitive Information Exposure
• C Sharp CSRF Protection Disabled
• Python Django Uncontrolled Cors Origin
• Ruby Unsafe Open Redirect
• Config Files Insecure Cookieless Configuration
• Python Urllib3 Ssl Verification Bypass
• Python Hardcoded Password In Connection
• Ruby Sensitive Cookie Without Httponly
• C Sharp Hardcoded Credentials In Directory
• C Sharp Parameter Tampering In Email
• Python Httpx Ssl Verification Bypass

Release 7

• (DAST) Update scanner technique to MAST: Update APK scanner to replace DAST with MAST across the entire flow, including Docker image (mast scan config.yaml).
• (DB) Make general search bar index vulnerabilities: Extend the main search bar indexing to include vulnerabilities (e.g., CVE identifiers) for direct discovery and navigation.
• (DB) Add "View JSON" link to vulnerability's detail page: Add a "View JSON" link to vulnerability detail pages, pointing to the data.json endpoint and opening in a new tab.
• (DB) Improve Log in: Rename "Get started" to "Try for free" and add a clear ghost "Log in" button in the top bar. Align flow with design system, including avatar dropdown with user info and ghost "Log out."
• (DB) Scalable filter UX for Database: Group multiple vulnerability filters under the default Filter dropdown and remove highlighted filters. Reserve the highlighted filter for a single dominant case to ensure scalability and a clean hierarchy.
• (DB) LLMs.txt: Add an llms.txt endpoint to improve consumption of DB pages by LLMs.
• (IDE Plugin) Enhance IntelliJ sidebar: Add severity icons to the IntelliJ plugin sidebar, categorized by typology, to improve visual context and prioritization of weaknesses.
• (MCP) Add output file configuration to MCP scanner tool prompts: Add a default output section to YAML examples in MCP scanner tools to generate Fluid-Attacks-Results.csv instead of stdout-only results.
• (SAST) New rules:
  • C Sharp Session Cookie Injection
  • C Sharp Api Use Hardcoded Password
  • Ruby Sensitive Information Weak Sha1
  • Ruby Sensitive Information Weak Md5
  • Ruby Hardcoded Encryption Key
  • Ruby Weak Cipher Encryption
  • Ruby Weak Cipher Encryption Blowfish
  • Ruby Hardcoded Password In Connection
  • Ruby Unsafe Hardcoded Password
  • Python Flask Sensitive Data Logging
  • C Sharp Hardcoded Cryptographic Key

Release 6

• (Docs & DB) Add multiple authentication methods: Added Google, Microsoft, LinkedIn, Bitbucket, and internal login as authentication options.
• (DB) Add detection status to vulnerabilities: Added a flag indicating whether each vulnerability has been detected at least once.
• (ASPM) Add KEV and EPSS metrics to Package Details: Added KEV and EPSS metrics to the Package Details view to provide better vulnerability context for clients.
• (SAST) New rules:
  • JavaScript Dom Open Redirect
  • JavaScript Express Open Redirect
  • Typescript Dom Open Redirect
  • Typescript Express Open Redirect
  • Java Insufficiently Protected Credentials
  • Python Flask Uncontrolled Cors Origin
  • Java User Input Xquery Injection
  • Java Unsafe Parameter Tampering

January

Release 5

• (ASPM) Azure integration now supports Bug as a work item type: Our integration can create work items of type 'Bug', which is useful for users or clients whose projects do not have the 'Issue' type available.
• (SAST) New rules:
  • Java Uncontrolled Memory Allocation
  • JavaScript Kony Hardcoded Encryption Key
  • JavaScript Hardcoded Password In Connection
  • Typescript Kony Hardcoded Encryption Key
  • Typescript Hardcoded Password In Connection
  • Java Intent Sensitive Communication
  • JavaScript React Native Missing Masking
  • Typescript React Native Missing Masking
  • Python Django Uncontrolled Format String
  • Python Flask Uncontrolled Format String
  • Python Tornado Uncontrolled Format String
  • JavaScript Cordova Open Redirect
  • JavaScript Kony Url Injection
  • JavaScript SSL Verification Bypass
  • Typescript Cordova Open Redirect
  • Typescript Kony Url Injection
  • Typescript Ssl Verification Bypass
  • Java Unsafe Object Binding
  • Java Insecure Storage Sensitive Information
  • JavaScript Cordova File Manipulation
  • Typescript Cordova File Manipulation

Release 4

• (ASPM) Prevent accidental rejection of access invitations: An extra confirmation step was added to the platform's invitation flow to avoid accidental rejections caused by automated email link scanning.
• (SAST) New rules:
  • Go Insecure Temp File Creation
  • Java Unrestricted File Upload Spring
  • Java Ognl Expression Injection
  • Java Observable Time Discrepancy
  • Java Denial Of Service By Sleep
  • JavaScript Httponly Flag Not Set
  • JavaScript Insecure Samesite Cookie Attribute
  • Typescript Httponly Flag Not Set
  • Typescript Insecure Samesite Cookie Attribute
  • Java One Way Hash Without Salt
  • JavaScript Sensitive Information Weak Sha1
  • JavaScript Sensitive Information Weak Md5
  • Typescript Sensitive Information Weak Sha1
  • Typescript Sensitive Information Weak Md5
  • Java Cookie Without Validation

Release 3

• (ASPM) Warn users about potential additional costs when changing branches: A warning and checkboxes were added when users modify branches from a repository under the scope section to clarify that this action can impact the cost of the service.
• (SAST) New rules:
  • Go Unencrypted Ftp Connection
  • Go Unencrypted Telnet Connection
  • Java Use Of Hardcoded Password
  • JavaScript Insecure Sce Configuration
  • Java Spring Session Fixation
  • Java Empty Password Connection
  • JavaScript Client CSS Injection
  • Typescript Client CSS Injection
  • Go Zip Slip Path Traversal
  • Java Unvalidated Forwards Use
  • JavaScript Email Headers Forgery
  • Typescript Email Headers Forgery

Release 2

• (ASPM) Mark AI-detected vulnerabilities (AI SAST): Added a visual AI indicator to AI SAST findings to highlight the new technique.
• (SAST) New rules:
  • Javascript Dom Stored Xss
  • Typescript Dom Stored Xss
  • Javascript Client Dom Xss
  • Typescript Client Dom Xss
  • Javascript Unsafe Deserialization Untrusted Data
  • Javascript Unsafe Module Inclusion
  • Javascript Unsafe Require Module Inclusion
  • Typescript Unsafe Deserialization Untrusted Data
  • Typescript Unsafe Module Inclusion
  • Typescript Unsafe Require Module Inclusion
  • Go Insecure Http Server
  • Go Cleartext Sensitive Information

Release 1

(SAST) New rules:

• F064 Java session id not regenerated
• F014 Dart mirrors unsafe reflection