In the previous release, we introduced new API filter operators such as greater-than and not-equal. A bug in that implementation caused some API integrations to break when multiple filter values were used. Previously, a filter like filter[severity]=1,2 returned results where severity = 1 OR severity = 2. Due to the bug, this was incorrectly evaluated as severity = 1 AND severity = 2, resulting in no matches. This issue has now been fixed. Multiple filter values once again default to OR behavior.
In addition to this fix, we added support for more advanced filtering. Filters prefixed with and_ require all conditions to be met, enabling use cases such as “not 1 AND not 2.” For example: filter[and_severity]=<>1,<>2.
Other Improvements
Improved several UI interactions with checklists:
You can now collapse categories while filtering.
You can now stop editing test cases by clicking on them.
Test case finding links now have a visual indicator showing that they are links.
Those finding links now open in a new tab.
When the checklist is updated, test cases you are editing no longer reload.
Bug Fixes
Fixed unreliable syncing to Elasticsearch, which caused some or all results to be missing from search results.
Fixed the "Add Target" button in the targets tab on the main assessment page.
Fixed a bug where non-markdown text fields, such as names and titles, that allow Todo tags, were saved HTML-encoded.
Fixed an issue where Elasticsearch would reindex every night for large databases.
Requesting a revision without text now correctly displays the validation error instead of reloading the page.
Tables in PDF reports no longer sometimes run off the page if there is a placeholder in them.
Breaking change, read the upgrade guide! - Likelihood of Impact: Very High
Reporter has been updated to use Elasticsearch 8 and Redis 8. You MUST upgrade to Elasticsearch 8 and Redis 8 as part of this upgrade! Reporter will not be compatible with Elasticsearch 7 after this upgrade.
Use the following instructions to set up Elasticsearch 8 and Redis 8:
You can now use comparison operators in API filters for exact fields by prefixing the field name. For example, filter[severity]=<2 returns records where severity is less than 2.
| Operator | Description | Example |
| --- | --- | --- |
| (none) | Equal to | filter[severity]=2 |
| <> | Not equal to | filter[severity]=<>2 |
| < | Less than | filter[severity]=<2 |
| <= | Less than or equal to | filter[severity]=<=2 |
| > | Greater than | filter[severity]=>2 |
| >= | Greater than or equal to | filter[severity]=>=2 |
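A reference model of the filter semantics described in these notes (comma-separated values are OR-ed by default, the and_ prefix requires every condition, and the operators above prefix each value), added here as an example for checking what an integration should expect; it is not Reporter's implementation. The parameter parsing, the integer-only values and the sample findings are assumptions.

```python
import operator
import re

# Operators from the table above; two-character prefixes are listed first so
# that "<=" is not misread as "<".
_OPS = [("<>", operator.ne), ("<=", operator.le), (">=", operator.ge),
        ("<", operator.lt), (">", operator.gt)]

# Matches filter[field] and filter[and_field] (assumed parameter shape).
_PARAM = re.compile(r"^filter\[(and_)?(\w+)\]$")


def parse_filter(param, raw):
    """Turn one query parameter into (field, require_all, [(op, value), ...])."""
    m = _PARAM.match(param)
    if m is None:
        raise ValueError(f"not a filter parameter: {param!r}")
    require_all, field = bool(m.group(1)), m.group(2)
    conditions = []
    for token in raw.split(","):
        for prefix, fn in _OPS:
            if token.startswith(prefix):
                conditions.append((fn, int(token[len(prefix):])))
                break
        else:
            conditions.append((operator.eq, int(token)))  # no prefix: equality
    return field, require_all, conditions


def matches(record, field, require_all, conditions):
    """OR across values by default; AND when the field has the and_ prefix."""
    results = (fn(record[field], value) for fn, value in conditions)
    return all(results) if require_all else any(results)


def apply_filter(records, param, raw):
    """Return the ids of the records that satisfy one filter parameter."""
    field, require_all, conditions = parse_filter(param, raw)
    return [r["id"] for r in records
            if matches(r, field, require_all, conditions)]


# Constructed sample data: five findings with integer severities 0..4.
FINDINGS = [{"id": i, "severity": s}
            for i, s in enumerate([0, 1, 2, 3, 4], start=1)]
```

In this model, `filter[severity]=<>1,<>2` without the and_ prefix matches every record, because each severity differs from at least one of the two values; exclusion lists need the and_ form.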
New checklist templates
The following checklist templates are now available:
OWASP AI Testing Guide - Version 1
OWASP Top 10 for LLM Applications - version 2025
OWASP Mobile Top 10 - version 2024
OWASP API Security Top 10 - version 2023
OWASP Top 10 CI/CD Security Risks - version 2023
OWASP Kubernetes Top 10 - version 2022
OWASP Cloud-Native Application Security Top 10 - version 2022
OWASP Top 10 - version 2021
OWASP Docker Top 10 - version 2020
OWASP Internet of Things Top 10 - version 2018
You can add any of the new templates if you are an admin or a checklist template manager by following these steps:
Go to the Checklist templates page.
Click Clone default template.
Select the template you want to add.
Click Create fresh copy of template.
Improvements
[todo] tags are now also rendered in text fields, for example, in the title of the finding (template) edit page.
The assessment wrench dropdown menu has been restructured for improved clarity.
Targets on the finding show page are now rendered as links. Clicking on a target opens a modal with its details.
Added storage and Elasticsearch info to the status report.
Bug Fixes
Updated several third-party dependencies.
Fixed inconsistent expand/collapse behaviour in the checklist table.
Fixed an error that occurred when loading the researcher panel in certain assessments.
Resolved out-of-memory issues and a MySQL packet limit issue with the tool import.
Fixed a bug where test cases on the finding show page would not open the checklist modal after using inline edit on another field.
Fixed an issue where unclosed callouts in markdown were not rendered properly or caused an error.
Fixed an error that caused documents to not be rendered correctly in the researcher panel target details.
Fixed a bug that prevented the project admins from seeing assessment activity.
Fixed a bug where filtering assessments by manager or researcher did not work.
Fixed broken links to "suggest" and "create templates from findings".
Fixed an error that occurred when trying to create a file custom field.
Fixed a bug that caused the result of a test case to become desynced from the related findings.
With just a few clicks, you can now duplicate entire assessments, making this functionality perfect for setting up recurring engagements. Create your assessment once, then clone it for each new iteration or project. All your targets, structure, and even unresolved findings can be carried over.
You can access the duplication feature from the Assessment dropdown on the main assessment page. When you duplicate an assessment, basic information and the assessment structure are always copied. Other elements, like the researcher briefing, targets, and unresolved findings, can be toggled. Duplicated assessments are always assigned a "Duplicated - Needs Review" tag, allowing you to find them easily. See the documentation for more details.
Targets in the Researcher Panel
Targets are now directly accessible from the Researcher Panel. Switch views using the new buttons in the top-left corner to easily jump between findings and targets.
In the Targets view, you can view details, create, edit, delete, and reorder targets without needing to refresh the page. This gives researchers and managers a smoother and more efficient experience.
Improvements
Added a new [mask] tag to the markdown editor that can be used to mask sensitive information, such as credentials, by default. An icon is displayed next to the mask, which can be used to reveal the contents.
Note that the content is not hidden in PDF reports!
Added retest icons to findings in the section view in the researcher panel that show the status of the latest retest.
Search indexing is now much faster. You should be able to use the search functionality much more quickly after a server restart.
Task indicators are now red if you have overdue tasks, and orange if you have tasks due today.
You can now assign assessment tasks to global admins who are not assigned to the particular assessment.
Non-client users, such as researchers and assessment managers, now consistently see unpublished findings in all draft reports and on the web interface. For example, unpublished findings are now counted in report components that count findings by severity.
Bug Fixes
Fixed an issue where the loading indicator didn't disappear in the finding search modal.
Applying filters in the multi-filter search on the assessment index page now properly updates the URL.
The assessment analytics chart (second chart on the analytics page) now has clickable links.
Sections with todo tags now again have warning icons.
Fixed a bug that would prevent the schedule from loading.
When creating a new finding, the "Found At" field is now correctly prefilled with the current time in the user's timezone.
Importing an assessment template with incomplete translations no longer causes an error.
Fixed a bug that caused the checklist template names not to appear in the assessment template form.
Fixed a bug that caused the assessment template edit page to sometimes not render properly.
Fixed some issues with finding template suggestions and linked findings.
Fixed a bug where some finding fields were missing from the API docs and Zapier integration.
Made downloading findings as CSV a lot faster, preventing timeouts.
Fixed an issue where the reports table component would incorrectly show resolvers when used in markdown fields.
Tasks to revise an assessment section now complete when you request a new review.
Changing a reviewable from "Draft" to "Revision requested" now completes the task to complete the reviewable.
The assessment template editor has been completely redesigned. You can now configure the entire assessment template, including all its sections, in a single form. Sections can be reordered with drag-and-drop, properties can be modified on the spot, and translations can be added directly without leaving the page. All changes are saved at once, making it much easier to maintain templates.
Alongside the new editor, several new assessment templates have been added, and existing ones have been updated. To use them, click the 'Clone default template' button on the Assessment Templates page.
New assessment templates
The following templates are now available:
OWASP Top 10 for LLM Applications (2025)
OWASP Top 10 CI/CD Security Risks (2023)
OWASP Cloud-Native Application Security Top 10 (2022)
OWASP IoT Top 10 (2018)
Updated templates
The following templates have been updated:
Microsoft Cloud Security Benchmark (v1 → v2)
CWE SANS Top 25 (2022 → 2024)
OWASP Mobile Top 10 (2016 → 2024)
OWASP API Security Top 10 (2019 → 2023)
Syntax highlighting combined with mark tags
Syntax-highlighted code blocks now also support [mark] tag highlighting! Previously, [mark] highlighting only worked in plain code blocks without syntax highlighting. With this update, you can now combine the two, making it easy to call out specific parts of code, HTTP requests and responses, data snippets, and more, without sacrificing readability.
The tagging feature in the Markdown editor can now be accessed directly from a toolbar button, making it easier to add tags without remembering shortcuts.
The category name format in checklist tables is now customizable, just like the test case name format.
The default PDF report filename now includes the client’s name for easier identification and organization.
The checklist depth limit has been increased to 5, allowing more levels of nesting in checklist templates.
Findings from previous assessments can now also be imported into the current one via the Add finding dialog.
The order of severities in report components such as the "finding counts by severity" table, the "findings by severity" chart, and the "findings by severity and status" bar chart can now be reversed.
Bug fixes
Fixed a bug in the checklist table, where expanding or collapsing one category would sometimes cause a different category to be expanded or collapsed.
The checklist editor no longer occasionally incorrectly fails validation with a "test case code is duplicate" error message.
In the PDF report's table of contents, dotted lines now appear after all sections, if that setting is enabled.
In the online report's table of contents, sections no longer overlap.
In the PDF report, all URLs now get the correct color.
In the online report, when inline editing Markdown fields, the assessment language is now used to render the result, instead of the default language.
When making a new assessment checklist, the IDs and codes now get correctly copied over from the template categories.
Report generation no longer crashes when a finding has a multiselect custom field where the "Show as a badge" option is set to false, or where specific enums (such as Assessment Status) are used for the values.
The "Download default SVG backgrounds" button that was removed from the theme editor is now added to the theme index page, under the "Theme" dropdown.
When editing a task, the description text area now expands to fit its contents.
If the user tries importing targets using an invalid CSV file, a validation error is now shown.
The "findings by import status" and "checklist table" components can now also be previewed in the context of an assessment template.
Report compilation no longer crashes on certain inline code fragments if the report language is not set to English.
In the API, includes can now again be passed using the "array notation" (?include[]=assessment&include[]=user). Due to a bug, only "comma-separated notation" (?include=assessment,user) would be accepted.
The "list custom fields" endpoint in the API now returns a paginated response, consistent with other "list" endpoints.
Report pages can now again be included with themes through the API.
You can now insert fully custom pages anywhere in your report theme, each with its own layout, structure, and styling. This makes it easy to include elements like a disclaimer, cover letter, or dedicated contact page, designed exactly the way you want. Previously, text boxes and backgrounds could only be added to the front, back, and content pages.
Page Features
A page (like the content page) is rendered as one unit, but may span multiple physical pages in the PDF report. Each page includes the following options:
Visibility: Choose whether the page appears in the full report, the management report, or both.
Custom fields: Display content from a client-specific or assessment-specific custom field.
Backgrounds: Configure different backgrounds. These backgrounds can be overridden within an assessment.
Text boxes: Add static content to the page. For multipage pages, text boxes can be shown on all pages or restricted to just the first or last.
Margins: For content pages, you can now add extra top margin to the first physical page to make room for a text box that only appears there, such as a letterhead.
Highlighted HTTP requests and responses
Syntax highlighting for HTTP requests and responses has been added to code blocks. The body is highlighted based on the Content-Type header, making it easier to read and review. Naturally, this is also perfectly rendered in the reports.
👉 Also keep an eye out for the next release, we'll be adding support for working mark tags in syntax-highlighted blocks!
Improvements
Added 'Create Retest' buttons to the top of the finding page and retest requests for improved usability and clarity.
If you can't edit the status or severity of a finding due to a pending retest, a link is now shown to edit or create the retest.
You can now disable the priority and/or complexity columns in the 'Action Plan Table' component.
Moved the 'Table Styles' option from 'Templates' to 'Settings' in the main menu.
Removed unnecessary tooltips from the markdown editor.
Bug Fixes
Fixed a crash when creating findings due to duplicate IDs.
Fixed strange behavior when opening and closing checklist categories.
Fixed a bug in the findings table component where it displayed dummy targets instead of the assessment's targets.
Finding numbers now properly have leading zeroes in the findings table and action plan table components.
URLs in code captions now correctly open in a new tab.
Fixed a bug where the visibility settings of a section could be incorrect.
Fixed filtering models by tag.
Fixed certain modals not closing with the escape key.
Fixed a crash in the assessment template edit page when using the "show if has findings" visibility option.
H1 headers from markdown fields no longer have extra space above when they appear at the top of the page in the PDF report.
The margin below figure captions is now consistent with other captions in the PDF report.
Formatting shortcuts now work inside code block captions.
Floating edit buttons no longer hide behind callout blocks.
Fixed a bug that caused suggestions to not load in the add finding modal.
Wide tables now always render full width in the HTML report.
You can force a table to be full-width by adding a large number of spaces to one of the cells. You can then control the relative size of the columns by changing the number of dashes in each row in the second line of the table.
Fixed simultaneous edit functionality for assessment custom fields.
Limited report components are now available in finding templates and several other markdown fields outside of the assessment context.
The test cases field is no longer shown in the finding edit page when there are no test cases in the assessment.
Fixed an issue where the wrong names were shown in the non-PDF version of the 'Started On' component.
Fixed table of contents links to unnumbered sections in the PDF report.