Release notes for 2026

v26.2.1 — 2026-02-13

Scan modules

Bug fixes

  • For dynamic page analysis modules, fixed a YAML configuration issue that was breaking interaction with shell.

v26.2 — 2026-02-10

Dashboard

Added

  • The target details page now includes a tab showing a list of scans for the selected target.
  • Added filtering by scan status to the scan list.

Changes

  • Removed the quick scan creation modal window.

Bug fixes

  • Fixed an issue that caused the JSON file downloaded from the Raw Scan Report page to contain an endpoints list instead of deps.

Server part

Added

  • The GET /api/scans/{id} response now includes information about identified technologies.
  • The GET /api/scans/{id} and GET /api/scans responses now include a counter for the number of generated PDF reports.

Changes

  • For the GET /api/scans/{id} request, scan jobs are now sorted by execution start time as well as by module type. For the GET /api/scans/{id}/jobs request, this sorting can be applied with the withTypeAndTimeSort=true query parameter.

Bug fixes

  • Fixed a database connection issue that could occur during migration.
  • Fixed an issue that prevented the list of identified technologies from updating during the scan for the GET /api/scans/{id} request.

Scanner fuchsiad

Added

  • Added the experimental automatic login module to the standard package.
  • Added the ability to save server responses during scanning.

Changes

  • Active scans are now paused (not canceled) on scanner shutdown and auto-resume on restart.

Bug fixes

  • Fixed a scan statistics calculation issue that caused the request counter in the dashboard to stop and the fuchsiactl scan_stats command in the console client to fail.

OpenAPI specifications import module

Changes

  • Improved endpoint discovery by refining the endpoint generation mechanism.

Client-side JavaScript code analysis module

Added

  • Added an internal timeout system. A “soft” timeout is supported: when it is triggered, the analysis stops and a result based on the collected data is returned.
  • Improved endpoint discovery for web applications using Webpack.

Scan modules

Added

  • For the Powby2 passive template analysis module, added support for Wappalyzer signatures of the requires_category type.

Changes

  • Dynamic page analysis modules are now split into 4 services: dynamic-page-analyzer-domxss-pages, dynamic-page-analyzer-domxss-tags, dynamic-page-analyzer-cspp-pages, dynamic-page-analyzer-cspp-tags. This is necessary for correctly pausing scans and for operation in the experimental breadth-first scan mode.

Bug fixes

  • In the SSTI and Shell Injection scanner report details, the payload is now correctly displayed when a vulnerability was found in a key.
  • Implemented a check based on a delayed response from the server in the SSTI scanner using a generalized API and a statistical model.

v26.1 — 2026-01-27

Dashboard

Added

  • On the scan details page:
    • added information about the scan status at the time of PDF report generation to the Reports tab;
    • added information about the technologies identified during the scan of the target.
  • Added information about additional authentication data to the target details page.

Changes

  • All PDF report bulk operations are temporarily hidden in the Reports tab.
  • Tabs without data are hidden in the details of completed scans.
  • The Reports tab is now available only for completed scans if at least one issue is identified.

Bug fixes

  • Fixed an issue in handling endpoints where data of a non-string type was received.

Server part

Changes

  • Registration and account activation notifications sent via email now support Chinese.

Bug fixes

  • Fixed an issue that could cause scan job logs to download incompletely.
  • Fixed an issue that could prevent filtering by scan status from working.

Scanner fuchsiad

Added

  • Added the ability to open a Go pprof endpoint (disabled by default). The scanner configuration file requires a value for the pprof_address field.

Client-side JavaScript code analysis module

Added

  • The initiator field now includes a complete call stack for dynamically sent requests.

Changes

  • Invalid HTTP methods are now excluded from discovered endpoints.
  • Enhanced the limitations on objects generated by the analysis to decrease the rate of false positives.

Scan modules

Changes

  • Improved Nuclei templates for CVE-2025-55182. Added new payloads for vulnerability validation.

Bug fixes

  • For the OpenAPI specification import module, fixed the header value type for endpoints. It is now always a string.
  • Fixed incorrect selector display for vulnerabilities in parameter names.
  • Fixed the way vulnerabilities are detected using payloads with delays, which caused false positives. This affects the following modules:
    • the PHP untrusted data deserialization scanner;
    • the shell injection scanner;
    • the unsafe deserialization in Java scanner;
    • the file upload vulnerability scanner.

Distribution for Docker Compose

Changes

  • Installation updates now run without additional interactive prompts.