Release notes for 2025

v25.24 — 2025-12-16

Dashboard

Added

  • The scan issue details panel now provides additional information about payloads.

Changes

  • On the scan details page, the reports are now shown in a separate tab.

Bug fixes

  • Fixed an error that occurred when calculating the number of issues for graphs when several of the issues were marked as “Not an issue”. Now the total number of issues in the chart on the Overview page is always displayed correctly.

Server part

Added

  • Added requests to retrieve the scan job log by module name:
    • GET /api/scans/{scanID}/jobs/{moduleName}/logs returns the log;
    • GET /api/scans/{scanID}/jobs/{moduleName}/logs/file returns the log as a file.

Changes

  • The jobs field in the GET /api/scans/{id} request no longer includes information about the statistics for each module, such as the number of requests and response time.
  • Added information about scan statistics to the GET /api/scans/{id} request. Now the average response time for the request and the total number of requests made during the scan are shown.
  • The data about the list of scans for the target is excluded from the GET /api/targets/{id} request. To get a list of scans for the target, you can use a request with filters: GET /api/scans?targetID=eq:{id}. Added a scansCount parameter for this request, which represents the number of scans related to this target.

Bug fixes

  • Fixed an error that occurred when calculating the number of issues for graphs when several of the issues were marked as “Not an issue”.

SolidPoint CLI command line interface

Bug fixes

  • Now if authentication is successful during the command run, the session will be saved, even if the command fails. Authentication error messages are no longer duplicated.

Scanner fuchsiad

Added

  • Added the ability to load the configuration of scan modules from multiple directories simultaneously: /run/fuchsia/pipeline.d, /etc/fuchsia/pipeline.d, and /usr/lib/fuchsia/pipeline.d. This requires updating the /etc/fuchsia/config.yml configuration file.

Changes

  • The accuracy with which modules work with RPS values has been improved. Previously, HTTP requests from modules were queued, which could negatively affect the development of attack techniques. Now, each running process of the module receives an individually calculated RPS value.

Bug fixes

  • Fixed an issue with accessing scan logs that was causing a memory leak.

🕷 Static web crawling module

Changes

  • Logs have become clearer and more informative. If no resources are found, the log will show an error message with the corresponding text.

🕸 Dynamic web crawling module

Added

  • The module can now accept settings for internal and external timeouts via the fuchsiactl console client parameters.

Changes

  • A file upload restriction has been implemented to improve the security of the scanning process.
  • The automatic content generation process for numeric fields has been improved. Now, the same number is used for all fields, preventing the creation of unnecessary endpoints.
  • Now, when filling out forms, the algorithm presses the Enter key in each field only after filling in all fields on the page, which prevents the form from being submitted prematurely.

Bug fixes

  • For the Stored XSS detection module, fixed issues that could cause scanning of some URLs with a single payload.

Client-side JavaScript code analysis module

Changes

  • A file upload restriction has been implemented to improve the security of the scanning process.

GraphQL endpoint detection module

Added

  • Now, if the GraphQL schema is successfully obtained, the module generates a description of the endpoints based on the data from the resulting schema.

Scan modules

Added

  • The Nuclei extended template analysis module has been added to the standard package. This fuzzing module is used for actively scanning found endpoints and allows you to set conditions for specific endpoints that determine whether they will be analyzed.
  • For the unsafe deserialization in Java scanner, a search for endpoints with detected Java-serialized objects was added.
  • For the SSTI scanner, the ability to configure the minimum server waiting time for out-of-band attack validation was added.

Changes

  • Logging has been improved for the unsafe deserialization in Java scanner: the volume of logs has been optimized.
  • For the shell injection scanner, a check based on a delayed response from the server has been implemented, using a generalized API and a statistical model.

Distribution for Docker Compose

Added

  • Added the ability to dynamically change the limits for the number of completed tasks and scans using the fuchsiactl config command.

Changes

  • Specific versions of PostgreSQL and MinIO are now pinned in the Docker Compose package.

v25.23.1 — 2025-12-04

Scan modules

Added

  • Added a Nuclei template for the CVE-2025-55182 vulnerability in React.

v25.23 — 2025-12-02

Dashboard

Added

  • Added pop-up notifications that appear when targets are deleted.

Changes

  • Syntax highlighting in the “Request” and “Response” fields of the issue details panel in the Validation tab is temporarily disabled when their encoded content exceeds 500000 characters.
  • The scan details page is now split into tabs, allowing you to quickly navigate to the information you need.

Bug fixes

  • Fixed an issue that occurred when processing a large response.blob field, which caused the issue details panel to become unavailable when the Validation tab was open.

Server part

Added

  • Added GET /api/scans/{id}/jobs and GET /api/scans/{id}/jobs/{jobID}/issues requests, which return information about scan jobs and identified issues.

Changes

  • Requests to verify LDAP authentication settings are now available only to users with the Super administrator role.
  • Now, when creating a target via synchronization, it is assigned the parameters from the last scan.

Bug fixes

  • Fixed an issue that could cause login, password and user existence checks to fail in some cases when using LDAP authentication.

SolidPoint CLI command line interface

Added

  • Added the configuration of session control mechanisms for targets.
  • Added authentication verification for commands. If authentication has not been completed, the interface prompts you to authenticate, after which the command is executed.

Scanner fuchsiad

Added

  • You can now specify the desired maximum number of pages in the page deduplication settings in the scan request. The specified value may not always be achieved; however, when this limit is set, the algorithm operates more strictly, performing deduplication iteratively until the value is reached or until deduplication is no longer possible.

OpenAPI specifications import module

Added

  • Added the ability to get the OpenAPI specification via a link.

Scan modules

Added

  • The unsafe deserialization in Java scanner can now detect time-based vulnerabilities.
  • Added support for the doT template engine for the SSTI scanner.

v25.22.1 — 2025-11-21

Server part

Bug fixes

  • Fixed an “invalid memory alloc 1200570220 request size in line 0” issue which could occur due to incorrect processing of large logs.

v25.22 — 2025-11-18

Dashboard

Added

  • Added the ability to filter the Issues table by severity level.

Bug fixes

  • Fixed horizontal scrolling of tables with data in the Firefox browser.

Server part

Added

  • Added the GET /api/scans/{id}/jobs/{jobID}/logs/file request, which allows you to download a file in NDJSON format containing the full log of the scan module.
  • Added the GET /api/restrictions/string-params request, which allows you to get string constraints for all possible fields.

Changes

  • User authentication parameters, except for login, are no longer logged.
  • Scan module logs are now processed, stored, and read in chunks. When requesting such a log, the output is limited to a maximum of the 1024 most recent records.
  • A log type restriction has been set for the GET /api/scans/{id}/jobs/{jobID}/logs request, with the default being standard.

Bug fixes

  • Fixed an issue that occurred when the number of characters in input fields was exceeded when creating users, targets and tokens.

Scanner fuchsiad

Added

  • The anomaly checker can now abort scans when certain anomalies are detected.

🕸 Dynamic web crawling module

Changes

  • Sending navigation requests is no longer blocked in the Stored XSS search mode; the response is now ignored by the browser.

Scan modules

Added

  • The SSTI scanner now sends payloads without encoding in the body and parameters of POST requests.

Changes

  • Increased the severity level of the insecure deserialization in Java vulnerability from high to critical.

Bug fixes

  • Fixed a “Protocol error: Unsafe header” issue for the Reflected XSS scanner. The module now considers the same set of headers unsafe to inject into HTTP requests as the Chromium browser does, and will no longer inject them.

v25.21.1 — 2025-11-11

Server part

Bug fixes

  • Fixed an issue in targets and their technologies synchronization.
  • Fixed an issue that could cause synchronization of scan tags from different scanners to work incorrectly.

v25.21 — 2025-11-04

Dashboard

Changes

  • Scans in the Modules card on the scan details page are now sorted by the module launch order.

Server part

Added

  • Added the ability to identify and update technologies used by the target.

Bug fixes

  • Fixed an issue due to which scans created via the fuchsiactl console client without the static web crawling module could synchronize with the withDirbuster option.
  • Fixed the scan request's dependence on the URL's letter case.

OpenAPI specifications import module

Bug fixes

  • Fixed an issue that occurred in console client mode when passing a specification without the servers field.

HAR file import module

Added

  • Added filtering of endpoints by domain.

Scan modules

Changes

  • For the shell injection scanner, payloads can now be sent without escaping special shell characters.

v25.20 — 2025-10-21

Dashboard

Bug fixes

  • Fixed an issue that sometimes caused an incorrect RPS limit field to block the Create and Edit Target wizard for further changes.

Server part

Added

  • Added support for a HAR endpoint import module.
  • Added support for raw scan requests for users with the super administrator role. A raw request is transmitted directly to the scanner without standard validation by the server part.
  • Now the scan list contains the following settings: authentication data, API specification, and the SolidWall WAF integration module configuration.

Changes

  • When creating a new scan based on the ID of the previous one, the current target parameters are now applied.

SolidPoint CLI command line interface

Added

  • Added support for authentication via local storage.

Scanner fuchsiad

Added

  • Added the ability to download a partial log via the Fuchsiad.GetJobLog gRPC method.
  • The generalized API logs now contain the request ID.
  • When running a scan via fuchsiactl using a JSON file, it is now possible to specify not only a regular expression for the URL to block requests by, but also a regular expression for the request body.
  • The server for validating out-of-band attacks is now configured centrally via the fuchsiad configuration file for all modules that detect this type of attack.

Changes

  • The default timeout for the authentication verification mechanism's verification request has been increased from 10 to 30 seconds.

Bug fixes

  • Fixed the “publicsuffix: empty label in domain” error, which sometimes caused scanning to fail when requests to the server were found.
  • Fixed an issue due to which the authentication verification mechanism's verification request timeout could not exceed 10 seconds.

🕸 Dynamic web crawling module

Changes

  • Improved operational stability:
    • added protection against errors that occur when an internal timeout is triggered during the processing of internal pages.
    • added protection against errors that occur due to redirects caused by the client code of the analyzed page.

Scan modules

Added

  • Added a check based on the server response delay using a generalized API for the shell injection scanner.

Changes

  • Fixed the CVSS score for the NoSQL vulnerability.
  • Fixed the CWE for the Weak Password vulnerability.

Bug fixes

  • The “SignatureDoesNotMatch” error, which sometimes occurs when working with Ceph, has been fixed for the controlled serialized data and Powby2 template analysis modules.

v25.19.1 — 2025-10-13

Scanner fuchsiad

Bug fixes

  • Fixed an issue due to which the dynamic page analysis modules were inoperable.

v25.19 — 2025-10-07

Dashboard

Changes

  • Added grab-based horizontal scrolling for large data tables.
  • Changed the step order in the scan creation wizard: now the target selection occurs before the scan type selection.
  • You can now start scanning from the scan creation wizard immediately after selecting a target, without going through all the steps.

Server part

Added

  • Added automatic retry of failed migration when the service is restarted.
  • Added the GET /api/scans/{id}/software-versions request to get a list of software identified during the scan.

SolidPoint CLI command line interface

Added

  • Added flag support for commands that only operate in the interactive mode.

Changes

  • Authentication is no longer mandatory in single-user mode, and multi-user authentication error messages have been made more specific.

Scanner fuchsiad

Added

  • Added a HAR endpoint import module to the standard set of modules.
  • Added the ability to restart a scan via fuchsiactl.
  • The authentication verification mechanism now logs response bodies that fail to meet the authentication criteria in Base64 format.

Bug fixes

  • Fixed an issue due to which the root URL of the scan was not always ignored when deduplicating pages.

🕷 Static web crawling module

Changes

  • Dirbuster logging has been redesigned to explicitly separate internal processes and simplify log reading.

Scan modules

Bug fixes

  • Fixed an issue for the reflected XSS scanner that could cause the HTTP request body in the report to not contain the payload.
  • Fixed the “URL not contains required param” error for the SSTI scanner, which could occur when updating a query string key.

v25.18 — 2025-09-23

Dashboard

Added

  • Added markers to the scan list to indicate the severity of issues identified during the scan.
  • Parameters inherited from the target address are now displayed if they were not specified separately, improving the display of authentication information. The host name and port are now always displayed if this type of authentication supports them.

Changes

  • Now, users with unactivated accounts will see a message stating that they need to wait for the administrator to activate their account.

Bug fixes

  • Fixed an issue that caused unreadable characters to be displayed in the “Request” and “Response” fields of the issue details panel.
  • Fixed an issue that prevented changes from being saved in the scan creation wizard when a port was specified for authentication via the request header.

Scanner fuchsiad

Added

  • You can now view information about the current and maximum number of tasks and scans performed, and customize their limits using fuchsiactl or gRPC.

Bug fixes

  • Fixed an issue that caused scans to fail when there were links or requests with top-level domains in the web application (eTLD).
  • Fixed an issue related to the lack of a home directory for updating authentication using a browser script. Now, temporary directories are created when the authenticator is started.

🕸 Dynamic web crawling module

Changes

  • Now, the crawler checks the visibility of elements immediately before an interaction.
  • The cookie input format has been simplified and made more user-friendly. Instead of an array of key-value pairs, only a string with the data is needed.
  • Reduced the timeout for completing processes for a crawler that has completed all necessary actions. Now, the waiting time is no more than 1 minute.

Scan modules

Added

  • For the SSTI scanner, information about the technique being tested is now logged. Errors are now logged with a special prefix.

v25.17.1 — 2025-09-21

Server part

Bug fixes

  • Fixed an error due to which the script content was not sent to the scanner when scanning via the API for a target with authentication refresh using a browser script configured.

Scanner fuchsiad

Bug fixes

  • Fixed errors in interaction with web applications via HTTP when authenticating using a browser script.

v25.17 — 2025-09-09

Dashboard

Added

  • In the Create and Edit Target wizard, you can now add configurations for the authentication verification and refresh mechanisms when the scanner is working with the target.
  • Added an animation for the progress bar to the scan details page.

Changes

  • Optimized and accelerated data loading on the Overview page.
  • Users with Administrator permissions can now change their email address in their profile settings.

Server part

Added

  • Added requests to validate the authentication verification and refresh mechanisms' configurations.
  • Added validation of the HTTP status code range, which is set as a verification success criterion in the authentication verification mechanism configuration.

Changes

  • The /api/targets/files-info request now displays information about the format and size of the script expected to configure the authentication refresh mechanism using a browser script.
  • Renamed the criterions field to criteria in the authentication refresh mechanism configuration.
  • Now, when creating an existing target, the error message will include the target ID.

Bug fixes

  • Fixed incorrect calculation of the total number of scans.

SolidPoint CLI command line interface

Added

  • Added a check for the availability of the dashboard at the specified URL.

Scanner fuchsiad

Added

  • For the fuchsiactl scan --modules= command, pressing Tab displays a list of available arguments.
  • Added the ability to save cookies during redirects in the striker library.
  • Replaced the content_type field in the parameters of HAR files accepted by modules with ContentType in the striker library.

Bug fixes

  • Fixed an issue when launching the authentication verification and refresh mechanisms that could cause the algorithm to loop.

🕸 Dynamic web crawling module

Added

  • Added interaction with buttons tagged with <button>.
  • Added the ability to activate all checkboxes in the form.

Bug fixes

  • Fixed an issue where active selectors were pressed repeatedly.

Client-side JavaScript code analysis module

Added

  • Added support for declared class fields.

Bug fixes

  • Fixed a “race condition” error that could lead to incorrect analysis or a crash.

Scan modules

  • Additional authentication success checks have been added for the bruteforce attack scanner.

Distribution for Docker Compose

Changes

  • Now data uploaded to MinIO is stored compressed again. Users with an active MinIO container are advised to recreate it using the docker compose up --force-recreate minio command for the changes to take effect.

v25.16 — 2025-08-26

Dashboard

Added

  • Added pop-up notifications that appear when scans are interrupted.
  • Added code block highlighting to the issue details panel.

Changes

  • The light theme has become more contrasting and user-friendly.
  • The Severity trend graph and the Vulnerability pie chart have been combined for a better representation of the output data.

Server part

Added

  • Added the ability to schedule PDF report generation when creating a new scan.

Changes

  • A POST /api/users/wizard/email-exists request is now available for the Administrator role to check whether an account with the specified email address exists in the database.
  • Improved performance when requesting scan module logs.

SolidPoint CLI command line interface

Bug fixes

  • Fixed an issue that caused the interactive mode to be enabled for commands with specified flags.

Scanner fuchsiad

Added

  • Added the ability to set a timeout for the authentication verification mechanism.
  • Added the ignore_redirects field to the authentication verification mechanism configuration, which allows you to control interactions with redirects.

Changes

  • The Content-Type parameter (default text/plain) is now set for scanner logs to optimize storage.

Scan modules

Changes

  • Standard Nuclei templates have been updated to the latest version.
  • The http-missing-security-headers template is no longer ignored by default.

Distribution for Docker Compose

Changes

  • Updated the base images from Debian Bullseye to Debian Bookworm.

Bug fixes

  • Fixed a user ID issue that prevented the fuchsiad service from starting.
  • Fixed an issue that caused the create_scanner.sh script to not wait for the scanner to start when launching a server container.

v25.15 — 2025-08-12

Dashboard

Added

  • Added the ability to specify the connection port in the target authentication parameters.
  • Added progress of modules to the scan details page.
  • Added the ability to restrict URLs when scanning.

Changes

  • The “Repeat” button on the scan details page has been moved to the General Info card.
  • The “Settings” step in the Create and Edit Target wizard has been split into two steps. The “Limitations” step now contains the request limit and the list of URL restrictions. Uploading the API specification file is now a separate step.

Bug fixes

  • Fixed an issue that prevented data from being displayed in the raw scan report if deps were received and resources were not.

Server part

Added

  • Added the POST /api/targets/wizard/valid-url-restriction-list request to validate the list of URL restrictions.
  • Added support for configuring the authentication update mechanism using a browser script.

Changes

  • Changed the default port number for the PostgreSQL connection string from 5435 to 5432.
  • Expanded permissions for the Administrator role to edit data and create users. For more information, see Roles and permissions.

Bug fixes

  • Fixed an issue in the scan synchronization service that could occur when requesting recent scans.

SolidPoint CLI command line interface

Added

  • Added the about command to check the product version.

Scanner fuchsiad

Added

  • Added the ability to display detailed information about the request via the fuchsiactl console client.

Changes

  • Enhanced deduplication of endpoints to accelerate scanning.
  • The limit of simultaneous tasks on new installations is now equal to the number of CPU cores by default.

OpenAPI specifications import module

Added

  • Added the --url flag to specify the base address from which endpoints are generated.

Changes

  • The --use-urls-from-spec flag is no longer used.
  • The full URL of the target is now used as the base URL for generating endpoints instead of the origin request header.

Client-side JavaScript code analysis module

Changes

  • Improved stability and accuracy by discontinuing support for some JavaScript code features that were insignificant in terms of analysis results.

Scan modules

Added

  • Added the ability to set a TCP timeout using a flag for the SQL injection scanner.

Changes

  • Increased the client's default TCP timeout to 60 seconds for the SQL injection scanner.
  • Optimized the logging process for the shell injection scanner and the path traversal vulnerability scanner.

Bug fixes

  • Fixed an issue in the SQL injection scanner that occurred in case of problems with the TCP connection between the client and server parts of the module.
  • Fixed the “Wrong path in JSON body” error for the SSTI scanner which occurred due to the payload being inserted into an incorrect location.

Distribution for Debian

Added

  • The deb package of the fuchsiactl console client now includes shell auto‑complete configuration files.

v25.14.1 — 2025-08-11

Dashboard

Bug fixes

  • Fixed an issue that could cause the target details page added in v25.14 to not open.

v25.14 — 2025-07-29

Dashboard

Added

  • Added the target details page.

Server part

Added

  • Added a comparison of normalized URLs to improve target validation when synchronizing scans.
  • Added support for recording failed events in the audit log.
  • Added the ability to check the product version using an HTTP request and a CLI command.
  • Added progress of scan modules.

Changes

  • Improved scan request performance.

Bug fixes

  • There are no more duplicate values when requesting target issues.

SolidPoint CLI command line interface

Added

  • Added handling of scan statuses that could have appeared in other components but were not added to the CLI.
  • Added interactivity support for the scanner command.

Bug fixes

  • Fixed incorrect processing of the “Paused” and “Warning” scan statuses, which occurred due to the absence of these statuses in the CLI.

Scanner fuchsiad

Added

  • Added support for the TLS protocol in gRPC communication with the fuchsiactl console client, including optional verification of client certificates (mutual TLS).

Bug fixes

  • Fixed an issue that could cause the service to crash during an update.

Client-side JavaScript code analysis module

Changes

  • Optimized the analysis process by reusing objects. Reduced memory consumption and improved performance.
  • Improved the analyzer's stability by adding protection against errors caused by redirects initiated by the client code of the analyzed page.

Bug fixes

  • Fixed an issue that caused incorrect data to be mixed into sets of valid values, reducing the accuracy of the analysis.

Scan modules

Bug fixes

  • Fixed the “Protocol error: Unsafe header: proxy-authorization” error for the Reflected XSS detection module, which caused the module to crash.
  • Fixed memory errors for the SSTI scanner.
  • Reduced the number of false positives for the SSTI scanner.
  • An error in the generalized API no longer leads to a crash when searching for time-based issues in the PHP untrusted data deserialization scanner and the SSTI scanner. Now in this case, the method is skipped.

Distribution for Docker Compose

Changes

  • To check database availability, the pg_isready utility is now used instead of wait-for-it.

v25.13.1 — 2025-07-21

Server part

Bug fixes

  • Fixed an issue that occurred when applying the IN and NOT IN filters.

v25.13 — 2025-07-15

Dashboard

Added

  • Added filtering by target address to the scan table.

Changes

  • The Issues pie chart now displays only unique data for the same period as the Severity trend graph.

Bug fixes

  • Fixed issues that caused issue tag management interfaces for users with “Analyst” and “Read-only” roles to not match permissions.
  • Fixed an issue that could cause scans on Quick Create to have the wrong type.

Server part

Added

  • Added user settings storage.
  • Added support for configuring the mechanism that updates authentication data using HTTP requests.
  • Added IN and NOT IN filters for entity lists that support filtering.

Changes

  • Improved Swagger UI stability.
  • Improved performance by updating the scan synchronization service.
  • Now scans created using fuchsiactl with invalid URLs are displayed in the default tenant with an “invalid” label.

Bug fixes

  • Fixed calculation of values for the GET /api/targets/severity-chart request.
  • Fixed an issue that could cause the GET /api/targets/severity-trend request to return a null value for dates when no scans were performed.
  • Fixed an issue where issues with the “Not an issue” label could change status when the scan was repeated.

Scanner fuchsiad

Added

  • Added support for the gRPC health check protocol.

Changes

  • Removed filtering by the Content-Type header for modules to get the root page.
  • Updated the default browser version to support the new headless mode.
  • Pausing a scan is now faster, but intermediate results of modules are not saved.

Bug fixes

  • Fixed a memory leak that occurred when a scan using the anomaly checker was created.

🕸 Dynamic web crawling module

Bug fixes

  • Fixed an issue that caused an incorrect number of HAR files collected by the module to be displayed.
  • Fixed the mechanism for tracking processed URLs.

Client-side JavaScript code analysis module

Bug fixes

  • Added a restriction, the absence of which could sometimes cause the analyzer to crash.

Scan modules

Changes

  • The Nuclei active signature analysis module now always runs on the URL of the target being scanned.
  • The SSTI scanner now uses a generic API for time-based vulnerability checks.

Distribution for Docker Compose

Added

  • Added BACKEND_LISTEN_PORT, BACKEND_ADDR and FUCHSIAD_SOCKET_ADDR environment variables for easier configuration. More information can be found in section.

Changes

  • The nginx web server configuration files are now stored in the /tmp temporary directory.

v25.12.1 — 2025-07-07

PDF report generator

  • Fixed the layout of PDF reports for the browser included by default.

v25.12 — 2025-07-01

Dashboard

Added

  • The scan details now reflect information about which software was detected when scanning the target.
  • Added the ability to label vulnerabilities detected during scanning.

Server part

Added

  • Added the ability to set the configuration and filters for the SolidWall WAF integration module.

Changes

  • The default browser for the report generator is now located in the /usr/bin/fuchsia-chrome directory.
  • All fields containing the time are in UTC.
  • Added the ability to disable the list of URL restrictions and validate each value in the list.
  • Added a description field for groups of targets and scans.

Bug fixes

  • Fixed an issue which sometimes caused the target to be incorrectly set when running a scan via fuchsiactl or another server part instance.
  • When updating the server part package, the configured database address and report generator address are no longer reset.

Scanner fuchsiad

Added

  • Added the ability to analyze status codes and set the RPS parameter for the anomaly detector.

Changes

  • The configuration file structure was redesigned for the anomaly detector.

Client-side JavaScript code analysis module

Bug fixes

  • Added a restriction, the absence of which sometimes caused a freeze or an emergency shutdown of the analyzer.

Scan modules

Changes

  • Changed the priority for the Stored XSS detection module; it is now launched later.
  • Enabled page deduplication for the Stored XSS detection module.
  • For the PHP untrusted data deserialization scanner, a generalized API is now used to search issues based on time checks.
  • Optimized the number of requests for the SSTI scanner.

Distribution for Debian

Added

  • Added support for Debian version 12 (“bookworm”).

v25.11.1 — 2025-06-23

Dashboard

Bug fixes

  • Fixed an issue due to which the list of targets was not displayed in the quick scan creation modal window.

v25.11 — 2025-06-17

Dashboard

Bug fixes

  • Fixed an issue due to which the bottom of the main menu was not visible on mobile devices.
  • Fixed an issue in the creation wizard and the quick scan creation modal window due to which matches were not taken into account when searching through the list of targets if the target address was encoded.

Server part

Changes

  • Improved filtering of severity trend data.

Bug fixes

  • Fixed an issue due to which scans and targets could freeze in the deleted state because the scanner was reconnected.

🕸 Dynamic web crawling module

Bug fixes

  • Fixed an issue which caused the module to crash in some cases due to a timeout, without waiting for internal processes to complete.

Client-side JavaScript code analysis module

Changes

  • Improved analyzer running time on sites using Google reCAPTCHA.

Bug fixes

  • Fixed a “RangeError: Invalid array length” issue, which sometimes caused an emergency shutdown of the analyzer.
  • Fixed an issue which occurred when the analyzer worked with code processed by the module packager, which in rare cases resulted in an emergency shutdown.

Scan modules

Added

  • Added notes to the Powby2 passive signature analysis module on the categories of technologies to be identified: operating system, web server, content management system, and others.

Distribution for Docker Compose

Added

  • Added new environment variables. Detailed information about them can be found in section.

Changes

  • The nginxinc/nginx-unprivileged:stable-bullseye image is now used as the base image for the dashboard.

v25.10.1 — 2025-06-18

Server part

Bug fixes

  • Fixed a request issue that occurred when there was no severity trend data.

v25.10 — 2025-06-03

Important

Starting from v25.10, PostgreSQL 16 with the TimescaleDB extension enabled must be used. Earlier versions or versions without the TimescaleDB extension are no longer supported. It is recommended to follow these instructions:

Dashboard

Changes

  • Endpoint details have been moved from the modal window to the sidebar.

Bug fixes

  • Timestamps for severity trend data no longer depend on server time.

Server part

Added

  • Added support for issue statuses: actual, falsePositive, confirmed, fixed, regression.
  • The falsePositive status affects the display of issues in the Severity trend graph.
  • Added support for the TimescaleDB extension. Starting from v25.10, its presence in the database is mandatory.
  • Added support for requesting the severity trend of a specific target.
  • Added support for working with time windows for points of the Severity trend graph. When requesting data via the HTTP API, resolution and timezone parameters can now be specified.
  • Added support for additional parameters of the audit log, including the IP address of the user who performed the action.

Changes

  • Starting from version 25.10, only PostgreSQL 16 with the TimescaleDB extension is supported. Earlier versions are no longer supported.
  • Reduced resource usage in case of a failed attempt to re-synchronize scans.
  • Removed the keepalive setting for the gRPC connection between the server part and the scanner to reduce the connection load.
  • The server part now accepts messages from the scanner up to 50 MiB in size by default. If necessary, this value can be changed via the SCANNER_MAX_CALL_RECV_MSG_SIZE_MB environment variable.
  • When building the severity trend graph, the current status and uniqueness of the targets' issues for a certain period are now taken into account: thus, the graph shows the change in the security state of the organization's targets.

Bug fixes

  • Fixed an issue that could cause the server part to crash if the connection to the database was lost.
  • Fixed an issue that in rare cases could cause scans to freeze in the active state due to deletion.

Scanner fuchsiad

Changes

  • The fuchsiactl scan_stats command now displays the actual running time of the modules, which does not include pauses.

🕸 Dynamic web crawling module

Bug fixes

  • Fixed an issue due to which the crawler continued to run after reaching the execution timeout.

Distribution for Docker Compose

Changes

  • The database images for the fuchsiad scanner and the server part now use timescale/timescaledb:latest-pg16.

v25.9 — 2025-05-20

Dashboard

Added

  • Added status “With warnings” for scans, indicating that the scan has been completed successfully, but not all modules were run.

Bug fixes

  • Fixed an issue that could cause cyclical page reloading.

Server part

Added

  • Added support for the DATABASE_URI_FILE environment variable, which allows the database connection string to be read from a file.
  • Added support for the LOG_FILE environment variable, which specifies the file for server part logging in JSON format.
  • Added support for the new scan status DONE_WITH_WARNINGS.
  • Added support for viewing scan module logs.
  • Added support for setting the report generator address via debconf.

Bug fixes

  • Fixed an issue that occurred in v25.7, due to which an /api/scans/{id} HTTP request did not return endpoint IDs.

Scanner fuchsiad

Added

  • Added the ability to pass paths to multiple configuration files to fuchsiad. If fields overlap, the values in the last passed file take priority.
  • Added support for enabling the traffic anomaly detector via fuchsiactl.
  • Added a new scan status DONE_WITH_WARNINGS.
  • Added a Stored XSS detection module to the standard set of modules.

Client-side JavaScript code analysis module

Added

  • Increased analyzer coverage by adding support for the built-in Object.defineProperty function.

Changes

  • Increased analyzer coverage due to improved axios library detection.

Scan modules

Added

  • For the Powby2 passive signature analysis module, added support for signature relationships: dependencies of one signature on another, mutual exclusion and automatic detection of one signature based on detection of another.

Changes

  • Now the SSTI scanner is terminated with a zero code if an error occurs when sending a request to calculate the base response time.

v25.8 — 2025-05-06

Dashboard

Changes

  • The tooltip for the severity trend graph now contains more details.

Bug fixes

  • Fixed an issue which caused the PDF report size to be incorrectly displayed if its generation failed.

Server part

Added

  • Added support for checking report generator activity.

Changes

  • Changed the implicit method of creating the first scanner via the FUCHSIAD environment variable. The default scanner can now be created using an HTTP API call or through the SolidPoint CLI.
  • Improved the operation of the scan synchronization service and increased the responsiveness of the server part to changes in the state of the scan being performed.
  • Improved performance by reducing the number of requests to the scanner during scan synchronization.

Bug fixes

  • Fixed the uniqueness check of authentication data values. The “hostname + path” uniqueness check is available only for HTTP Basic Auth.

PDF report generator

Added

  • Added support for displaying the decoded URL in PDF reports.

Changes

  • The PDF report generator now uses the browser included by default.

Scanner fuchsiad

Changes

  • Now, scanning is not interrupted if the controlled serialized data and Powby2 template analysis modules crash.

Client-side JavaScript code analysis module

Changes

  • Improved analyzer coverage by adding ky library support and the ability to call the renamed axios object as a function.

GraphQL endpoint detection module

Changes

  • Revised the severity level of logging events for the GraphQL endpoint detection module.

Scan modules

Added

  • Added support for “meta” Wappalyzer templates for the Powby2 passive template analysis module.

Distribution for Debian

Changes

  • The default scanner is now created via the SolidPoint CLI.

Distribution for Docker Compose

Changes

  • Now, when the system starts, the presence of a scanner is checked. If the scanner has not been created yet, it is created via an HTTP API call with the address specified in the FUCHSIAD_ADDR variable in the docker-compose.yml configuration file.
  • SolidPoint Compose services are no longer started by a superuser (root).

v25.7 — 2025-04-22

Server part

Added

  • Added support for special characters for URL filtering.
  • Added the decodedUrl parameter for public target and scan models, and the decodedHostname and decodedPath parameters for target and scan authentication data. These parameters display the decoded version of the URL (or parts of it) if it is encoded (Punycode, URL-encoded format, etc.).
  • Added the isValidUrl parameter for public target and scan models, which determines whether the URL is valid.

Bug fixes

  • Fixed an issue that caused the “PENDING” status to be displayed for scans not yet started or paused.
  • Fixed behavior that prevented editing of a target with an invalid URL. Now the description and parameters unrelated to the URL can be edited for such targets.
  • Fixed “#” anchor validation for URLs. Now the path (minimum: “/”) is required when adding an anchor; the anchor value itself may be empty.

PDF report generator

Added

  • The PDF report now shows information about the use of authentication via local storage.

Bug fixes

  • Fixed an issue that caused the PDF report to include information about the target's authentication methods, which were disabled during scanning.

🕸 Dynamic web crawling module

Bug fixes

  • Fixed an issue that caused the output of different endpoints to be mixed in some cases.

Scan modules

Added

  • Added support for “dom” Wappalyzer templates for the Powby2 passive template analysis module.

Distribution for Docker Compose

Changes

  • The CHANNEL environment variable now uses stable as the default value.

v25.6.1 — 2025-04-11

Dashboard

Bug fixes

  • Cascading fix of an issue that was resolved in v25.4.1.

v25.6 — 2025-04-08

Dashboard

Changes

  • When launching a scan from the target list, a full scan with DirBuster is now launched by default.
  • Pop-up notifications are now displayed when attempting to run a scan on a target with an incorrect address format.

Bug fixes

  • Fixed an issue which caused the DirBuster usage parameter to be disregarded when repeating a scan.
  • Fixed behavior which could cause the scan status to be mistakenly displayed as “Pausing”.
  • Fixed an issue due to which users with the “Analyst” and “Read only” roles could not manage access tokens.

Server part

Added

  • Added a unified mechanism for tracking background actions for scans and targets.

Bug fixes

  • Fixed behavior that could cause the scan tracking mechanism to mistakenly save its background status as “Pausing”.

PDF report generator

Added

  • Added information about the total number of requests and the average response time to PDF reports.

Scanner fuchsiad

Added

  • Added the fuchsiactl --version command, which displays the version, to the fuchsiactl console client.
  • Added the ability to view the number of status codes over time during scanning, in minute increments, to the fuchsiactl console client. The fuchsiactl scan_stats command is used for this purpose.

Changes

  • The executable file of the fuchsiactl console client now contains its version.

Bug fixes

  • Fixed an issue due to which authentication update settings could be mistakenly included in subsequent scans.
  • Fixed an issue that prevented scans performed using the authentication refresh mechanism from being deleted.

🕸 Dynamic web crawling module

Bug fixes

  • Fixed possible freezing of the module when the analysis process crashed.

Client-side JavaScript code analysis module

Changes

  • Improved the analysis accuracy due to better “,” operator handling.

Scan modules

Added

  • For the Powby2 passive signature analysis module, added the ability to specially mark signature triggers that carry information about third-party servers whose resources are used on the pages of the analyzed application.
  • Added processing of the jQuery library's DOM XSS sinks to the dynamic page analysis module.

v25.5.1 — 2025-04-11

Dashboard

Bug fixes

  • Cascading fix of an issue that was resolved in v25.4.1.

v25.5 — 2025-03-25

Dashboard

Added

  • Added a transition to the Create Scan wizard from the Quick Create Scan modal window.

Changes

  • Modules for custom scan types are now sorted alphabetically in the Create Scan wizard.
  • Pop-up notifications are now displayed when creating scans.
  • Added routing to the existing modal windows and wizards for creating and editing entities: scans, targets, and tokens. All pop-up windows now have a URL through which they can be accessed.
  • Removed the counter of completed modules from the scan information card on the scan details page.

Bug fixes

  • Fixed an issue that made it impossible to delete a scan report whose generation failed.
  • Fixed an issue that caused the scan creation date to be cut off in the scan list under certain conditions.

Server part

Added

  • Added support for a GraphQL endpoint detection module.
  • Added the ability to edit the profile for users with the “analyst” and “read only” roles.

Changes

  • Reduced the load on the fuchsiad scanner when interacting with new scans.

Bug fixes

  • Fixed an issue due to which running a scan with an invalid URL would return an incorrect HTTP status code.

PDF report generator

Added

  • Added information about the scan type, DirBuster usage, scan ID and target ID to the PDF reports.

Bug fixes

  • Added permission to generate reports for users with the “analyst” role.

Scanner fuchsiad

Added

  • Added a GraphQL endpoint detection module to the standard set of modules.

Bug fixes

  • Fixed “string field contains invalid UTF-8” error when receiving log files.

SolidWall WAF integration module

Added

  • Added the ability to pass a configuration file to the module for connecting to the SolidWall WAF using fuchsiactl. If a configuration file was not passed this way, the module will take it from the standard path.

Changes

  • The module now receives a database connection string from the fuchsiad configuration file instead of its own configuration file.
  • The module now receives masking filters from a separate configuration file, which can be passed using fuchsiactl. If it is absent, the module will take the configuration file from the standard path.

🕸 Dynamic web crawling module

Changes

  • Reduced the time required to delete scans.

Bug fixes

  • Fixed an issue due to which items with long loading times could be missed during analysis.

Scan modules

Changes

  • Updated the selector format for both Reflected XSS detection modules.
  • Reduced the sensitivity for time-based checks for the SSTI scanner in order to reduce the number of false positives.

Bug fixes

  • Fixed a regression that occurred in v25.4 for the reflected-xss-cspp module. Now the module is started by the tags of the CSPP scan module again.
  • Fixed an issue in the Nuclei active signature analysis module due to which temporary files were not deleted after the module's termination and in the case of its interruption.

v25.4.1 — 2025-04-11

Dashboard

Bug fixes

  • Fixed an issue which caused switching between issue details tabs to fail for roles other than the super administrator.

v25.4 — 2025-03-11

Dashboard

Added

  • Added pop-up notifications that are displayed when pausing or resuming scans.

Changes

  • Added information about whether DirBuster was used to the scan details page.
  • Added scan and target IDs to the scan details page.

Bug fixes

  • Fixed an issue due to which a pop-up notification was not displayed when the report was re-generated.

Server part

Added

  • Added support for a PHP untrusted data deserialization scanner.

Bug fixes

  • Fixed an issue due to which scans launched via the dashboard used DirBuster regardless of the user's choice.

PDF report generator

Changes

  • Information about issue details is no longer displayed in short PDF reports.

Scanner fuchsiad

Added

  • Added a PHP untrusted data deserialization scanner to the standard set of modules.
  • Added support for aggregation of template triggers within a single resource to the Powby2 passive template analysis module.
  • Added the ability to continuously synchronize local storage between the browser authenticator and browser-based scanning modules.

Changes

  • For the SSTI scanner, when a redirect is detected, the number of concurrent threads to scan the corresponding HTTP request is reduced to one for reflected techniques.

Bug fixes

  • Fixed an issue that caused a negative response time to be calculated when specifying blocked addresses.

🕷 Static web crawling module

Added

  • Added an adaptive algorithm for changing the speed of sending requests in DirBuster, which reacts to server errors.

Changes

  • Updated the DirBuster dictionary.
  • Improved the algorithm for detecting “not found” pages in DirBuster.

🕸 Dynamic web crawling module

Changes

  • Expanded the static rules for filtering endpoints.

Client-side JavaScript code analysis module

Changes

  • Improved reliability in terms of matching the data output by the module to the correct format.

Bug fixes

  • Fixed an issue in the unpacking component of the code compiled using the module packager. The issue caused a crash when working with some types of packers.

Scan modules

Added

  • Added Wappalyzer template support for the Powby2 passive template analysis module to recognize the technology stack of the scanned application. Supported template types: “headers”, “cookies”, “url”, “html”, “scripts”, “scriptSrc”.

v25.3 — 2025-02-25

Dashboard

Added

  • Added validation of the “Path” field in the target's authentication data.
  • Added the ability for a super administrator to generate reports for scans from outside their organization.
  • Added information about the total number of requests and the average response time of the target to the scan details page.
  • Added report type selection to the scan report generation modal window. Now short reports that do not contain large blocks of code can be generated.
  • Added a light theme to the control panel. The dark theme is used by default; the preference can be changed in the settings.

Changes

  • Improved interface behavior when validating the target address in the Create and Edit Target wizard and the Create Scan wizard.
  • Improved interface behavior when filling in authentication data in the Create and Edit Target wizard.
  • In the Create and Edit Target wizard, all authentication data is now displayed in the preview step, even if authentication is disabled.
  • Added visual information to the target list and the Create and Edit Target wizard about whether a certain type of authentication has been added, as well as whether it is currently being applied to the target.
  • The scan details page now explicitly indicates which authentication type was enabled and which was filled in but disabled during the scan.
  • The report generation option is now available for all user roles except the “Read-only” role.

Bug fixes

  • Fixed error handling when entering several invalid characters in a row in the email address field on the user authentication and registration pages.

Server part

Added

  • Added support for HTTP request statistics for scanning modules.

Changes

  • Updated URL validation: URLs must now match RFC 1035, RFC 3696 and RFC 3492 for IDN.
  • Updated hostname validation for target authentication data.
  • Updated uniqueness handling of target addresses: they are no longer case-sensitive.
  • Encoded and decoded forms of URLs are no longer considered different.
  • The POST /api/targets/wizard/exist request is no longer case-sensitive.

SolidPoint CLI command line interface

Added

  • Added a usage example for the scan new-ci command with the -s/--severity flag to the -h/--help output.
  • Added support for working with scanners.

Changes

  • Fixed the description of the scan new-ci command in the -h/--help output: the unknown severity level is no longer listed as a selectable option for the -s/--severity flag.

Scanner fuchsiad

Added

  • Most scanning modules now report the progress of a job. The progress can be viewed in real time using the fuchsiactl list_scans command. Example of the command result: “RUNNING (30/47 done) path-traversal-scanner”.

Bug fixes

  • Fixed “invalid character '(' looking for beginning of value” error when getting statistics for some scans.
  • Fixed an issue that occurred when deleting a paused scan.

Scan modules

Changes

  • A new selector format is now used for the SQL injection scanner.

Client-side JavaScript code analysis module

Bug fixes

  • Fixed an issue that caused the module to crash when processing code that created recursively nested arrays.

v25.2 — 2025-02-11

Dashboard

Added

  • Added support for scans with dirbusting in the Create Scan wizard.
  • Added the ability to set authentication via the browser's local storage in the Create and Edit Target wizard.

Changes

  • Improved visualization of loading the list of vulnerabilities found during scanning.

Scan modules

Changes

  • Updated the selector format for the XXE injection scanner.

🕸 Dynamic web crawling module

Bug fixes

  • Fixed a regression in release 25.1 which resulted in a 5-minute limit on the total running time of the module.

v25.1 — 2025-01-28

Dashboard

Added

  • Added a column with file sizes to the list of scan reports.
  • Added the ability to disable severity level lines for the severity trend graph on the Overview page.
  • Added operations to pause and resume scans from interfaces.
  • Added the ability to generate PDF reports in Russian and Chinese.
  • Added the ability to generate multiple PDF reports simultaneously.

Changes

  • Scan type descriptions in the Create Scan wizard and quick scan creation modal window are now placed in the type selection drop-down list.
  • Moved the authentication type descriptions from the accordion to the Add New Authentication drop-down list in the Create and Edit Target wizard.

Bug fixes

  • The operations menu is no longer displayed for scans queued for deletion.
  • Fixed localization of numbers in graphs and charts.
  • Fixed an issue due to which some texts were duplicated in multiple languages when switching the interface language.

Server part

Added

  • Added support for configuring the authentication check mechanism.

Changes

  • The POST /api/targets/wizard/exist request is now case-insensitive.

SolidPoint CLI command line interface

Added

  • Added the --severity flag for the scan new-ci command, which allows the scan to fail if an issue with the specified severity level or higher is detected.

PDF report generator

Added

  • Added page numbering for PDF reports.
  • Added a table of contents to PDF reports for PDF viewers, making it easier to navigate through the document.

Bug fixes

  • Fixed a PDF report layout issue due to which some table headers overlapped with the content.
  • Fixed status display for modules for PDF reports.

Scanner fuchsiad

Added

  • Added support for authentication using a browser script. The script must be recorded with Chrome Recorder, exported as a JSON file, and specified during the scan configuration. Cookies and key-value pairs received from the local storage after script execution can be used to update scan authentication data, cookies, or other headers.
  • Added methods to the gRPC API for getting scan statistics: total number of requests and average response time.

🕷 Static web crawling module

Bug fixes

  • Fixed incorrect operation of the module when the default port is explicitly specified in the URL (e.g. https://example.com:443/).

Scan modules

Added

  • The controlled serialized data detection module now analyzes not only resource bodies and cookies, but also the parameters of the detected endpoints.

Changes

  • The Nuclei core has been updated to version 3.3.8 to eliminate CVE-2024-43405.
  • Updated the Nuclei public templates to the current version.

Bug fixes

  • Fixed an issue due to which the Description field was not filled in the report for the SQL injection scanner.
