What's new
This section outlines the latest features, enhancements, fixes, important upcoming changes as well as deprecations across recent versions of AppScan Standard. Stay informed about the advancements that help you maintain a strong security posture.
New in HCL AppScan Standard
- New in HCL AppScan Standard 10.10.0
- New in HCL AppScan Standard 10.9.0
- New in HCL AppScan Standard 10.8.0
- New in HCL AppScan Standard 10.7.0
Note: Versions 10.6.0 and earlier have reached End of Support (EOS) and have been removed from the documentation.
New in HCL AppScan Standard 10.10.0
November, 2025
- DAST for LLM-augmented applications: Exposes LLM weaknesses before attackers do! Protect your Large Language Models (LLMs) with AppScan Dynamic Application Security (DAST), specifically engineered to identify critical vulnerabilities like Sensitive Information Disclosure, Prompt Injection, Misinformation, and more.
- Custom scripts: The editor enhancements include improved autocomplete features. These enhancements provide additional JavaScript methods and types, as well as more activation triggers, such as starting a new word or typing a period ('.').
- Multi-step enhancements: The user interface is revamped for an enhanced user experience. Troubleshooting options are added to view replayed requests (raw data and browser) and to compare recorded and replayed requests; these options are available only after sequence validation.
- Compliance reports
  - New reports:
    - OWASP Top 10 for LLM Applications 2025
    - [Canada] ITSG-33 industry standard report
  - Updated reports:
    - International Standard - ISO 27001:2022
    - International Standard - ISO 27002:2022
    - The Payment Card Industry Data Security Standard (PCI DSS) - V4.0.1
    - NIST Special Publication 800-53 - 5.2.0
    - [EU] Regulation 2016/679 Of The European Parliament And Of The Council (GDPR)
    - [US] Healthcare Services (HIPAA)
  - Compliance reports now include Fix recommendation details.
- Masking improvements: Enhanced masking across AppScan for more consistent protection of sensitive information.
- Automatic login improvements: AppScan now crawls Angular applications more reliably, fixes rare login recording failures, and adds a delay between actions on the second attempt after a playback failure, improving overall success rates.
- Improved support for Single Page Application (SPA) scans that use the AngularJS framework.
Fixes and security updates
New security rules in this release include:
- COOP - Missing or insecure Cross-Origin-Opener-Policy (COOP) header
- CORP - Missing or insecure Cross-Origin-Resource-Policy (CORP) header
- COEP - Missing or insecure Cross-Origin-Embedder-Policy (COEP) header
- attCSPAPI - Missing or insecure "frame-ancestors" directive in CSP (for API endpoints)
- attApacheOFBizRCECVE202445195 - Apache OFBiz RCE for CVE-2024-45195
- attApacheOFBizRCECVE202445507 - Apache OFBiz RCE for CVE-2024-45507
- attSpringFrameworkPathTraversalCVE202438816 - Spring Framework Path Traversal CVE-2024-38816 and CVE-2024-38819
- attWordpressPiePluginAuthenticationBypassCVE202534077 - Wordpress Pie Register Insufficient Authentication CVE-2025-34077
- attWordPressKubioPathTraversalCVE20252294 - Wordpress Kubio AI Page Builder plugin Path Traversal CVE-2025-2294
- Vulnerable component database updated to version 1.8
For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.
Changed in this release
- AI configuration moved from Test Options to Tools > Options > AI settings.
- To improve security, the following configurations are removed:
  - Advanced scan configuration
    - Sanitize logs
    - Sanitize reports
    - Encrypt sensitive data
  - Tools options
    - EncryptPdfReportData
- Recording login and multi-step actions with an external browser now supports action-based recording.
- AppScan connect: ASoC users can now publish issues along with the scan file to ASoC, which helps to rescan instead of creating a new scan, thus saving time and resources.
- URL limit changed to 4096 from 1024 characters.
- Web API Wizard (OpenAPI) extension was removed.
- AppScan Standard versions 10.6.0 and earlier reached End of Support (EOS) on June 30, 2025. The documentation for these versions is no longer available on the public documentation site.
- Support for Microsoft® Windows® 10 was removed.
- Windows 2025 support.
- Option to capture human-readable license lease ID for server based licenses. For more information, see How to capture license lease ID in human-readable format for server based licenses.
Upcoming change
- The report component will only be available through the product level (UI/AppScanCMD) and not at the SDK level.
New in HCL AppScan Standard 10.9.0
July, 2025
Attention: A new version of HCL AppScan Standard 10.9.1 is available. This update includes security fixes for multiple Chromium vulnerabilities, along with other improvements. It is recommended to upgrade to this version. For more information, see the Fix list and refer to 10.9.0 documentation.
June, 2025
- Custom scripts enhanced with the following updates:
  - Code-editor: Improved syntax checking and enhanced auto-complete features for better usability.
  - Multi-step operations: Added support to dynamically adjust parameters using custom scripts.
  - Dynamic form-filler parameters: Introduced support for dynamic parameters in form-fillers.
- Support for WebSocket protocol that uses JSON or XML messages for data exchange.
- Compliance report updates:
  - [US] DISA's Application Security and Development STIG V6R3
  - CWE Top 25 Most Dangerous Software Weaknesses 2024
- Automatic Login improvements: AppScan can now perform automatic logins more accurately, which improves the overall success rate.
- AppScan Unit-level DAST Intelligence Tester (AUDIT): A developer-focused DAST approach empowers developers to efficiently run targeted scans on specific endpoints and detect vulnerabilities early in the SDLC, seamlessly integrating within their IDE. For more information, see the article AppScan Unit-level DAST Intelligence Tester (AUDIT).
New security rules in this release include:
- attWordpressGalleryPluginPathTraversalCVE20233279 - Wordpress Gallery Plugin Path Traversal CVE-2023-3279
- attWordPressBackupMigrationplugincve20235737 - WordPress Backup and Migration plugin Broken Access CVE-2023-5737
- attMobileMouseRCECVE202331902 - Mobile Mouse Remote Command Execution CVE-2023-31902
- attOpenWireApacheServerRCECVE202346604 - OpenWire Apache Server RCE for CVE-2023-46604
- attApacheHugeGraphRCECVE202427348 - Apache HugeGraph RCE CVE-2024-27348
- attApacheOFBizRCECVE202438856 - Apache OFBiz RCE for CVE-2024-38856
- attCactiRCECVE202425641 - Cacti RCE CVE-2024-25641
- attLMSBlindSqlInjectionTimeoutCVE20248529 - Wordpress Learnpress Plugin SQL Injection CVE-2024-8529
- attWordPressUltimateExporterRCECVE202456278 - Wordpress Ultimate Exporter RCE for CVE-2024-56278
- JwtWeakSecretKey - detect weak JWT secret keys
- Vulnerable component database updated to version 1.7
For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.
- Keyboard navigation: Improved functionality for easier navigation using keyboard shortcuts and keyboard.
- Screen reader support: Enhanced compatibility to ensure UI elements are accessible.
- Color Contrast: Increased contrast ratios for better visibility.
- Font size: Enhanced accessibility with the ability to zoom up to 200% maximum.
- A comprehensive VPAT assessment has been completed to document compliance with accessibility standards like Section 508 and WCAG. For more information, see Accessibility.
Upcoming change
- AppScan Standard versions 10.6.0 and earlier will reach End of Support (EOS) by June 2025. It is recommended that you upgrade to the latest version available before then.
- Support for Microsoft® Windows® 10 and Microsoft® Windows® Server 2019 will be removed in a future version of AppScan because they have reached the end of their main support period.
- The Web API Wizard (OpenAPI) extension will be removed in a future version of AppScan.
- The report component will only be available through the product level (UI/AppScanCMD) and not at the SDK level.
New in HCL AppScan Standard 10.8.0
April, 2025
Attention: A new version of HCL AppScan Standard 10.8.1 is available. This update includes fixes for the zero-day vulnerability CVE-2025-2783, along with other improvements. It is recommended to upgrade to this version. For more information, see the Fix list and refer to 10.8.0 documentation as there are no new documentation updates for 10.8.1.
February, 2025
- Download AppScan Standard only through My HCLSoftware (MHS).
- HCL MHS-based licensing: Download or configure your MHS license before upgrading. All your entitlements from the FlexNet Operations Portal (FNO) are migrated to MHS. Create new deployments in MHS, then assign and activate your license for AppScan. Devices and products that were activated through FNO do not work anymore. Only the licensing management platform is changed; there are no changes to the license metrics or any additional charges for your licenses migrated from FNO to MHS. For more information on setting up a license using MHS, see Set up floating license using Cloud or Local License Server and Set up a node-locked license.
- Auto-update: New feature to automatically apply new updates to AppScan by configuring the API key to connect with My HCLSoftware (MHS). For more information, see Auto-updates.
- Custom scripts: Add dynamic behavior to your DAST scan with AppScan’s built-in JavaScript runtime. AppScan can run custom scripts before a request is sent or after a response is received during the scan. The script will be executed for each HTTP request and response.
- Redesigned the Regular Expression dialog across scan configuration to improve usability.
- Restored the option to access the AppScan SSL certificate section through Tools > Options > Recording proxy.
- When a scan is configured for a Postman collection using a URL, rescanning will now fetch the updated Postman contents from that URL.
- When using the Change Host/Scheme/Port option, issues marked as Noise now remain as Noise and do not reappear in the scan results.
- Enhanced automatic login detection in the DAST engine.
Fixes and security updates
New security rules in this release include:
- attAppMetricsDataExposed - Application Metrics endpoint exposed
- attWordPressPluginXSSCVE20237246 - WordPress Plugin Cross-Site Scripting CVE-2023-7246
- attAtlassianConfluenceBrokenAccessCVE202322515 - Atlassian Confluence Broken Access CVE-2023-22515
- SriValidation - Validation for SRI integrity check
- CSP Rules - Reworked CSP evaluation, resulting in detection of 17 new Content-Security-Policy issues
- Vulnerable component database updated to version 1.6
For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.
Changed in this release
- FlexNet Operations Portal (FNO) is decommissioned and will not be supported.
Upcoming change
- AppScan Standard versions 10.6.0 and earlier will reach End of Support (EOS) by June 2025. It is recommended that you upgrade to the latest version available before then.
- The Web API Wizard (OpenAPI) extension will be removed in a future version of AppScan.
New in HCL AppScan Standard 10.7.0
October, 2024
- Azure OpenAI configuration enhances accuracy by implementing additional filters to refine the test results.
- API scanning workflow is redesigned to provide a better user experience that includes automatic login support.
- New Compliance reports:
  - [EU] Digital Operational Resilience Act (DORA)
  - OWASP Application Security Verification Standard
- Updated Compliance reports:
  - [US] DISA's Application Security and Development STIG V6 Release 1
- Report creation, now available from the main toolbar, is redesigned for better accessibility and ease of use. The Regulatory compliance and Industry standard reports are merged as Compliance reports.
- Downloads for AppScan Standard are available through FlexNet Operations Portal (FNO) and My HCL Software (MHS). You can try the new MHS portal as it will be used for future releases.
- A series of enhancements and redesigns improves the usability of several scan configuration dialogs:
  - Configuration presets
  - Login Management
  - Edit custom parameters
  - API
Fixes and security updates
New security rules in this release include:
- attJiraCVE202014179 - Detection for CVE-2020-14179
- Vulnerable component database updated to version 1.5
- Additionally, many rules were modified with the help of AI to enhance accuracy.
For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.
Changed in this release
- HCLSoftware products are undergoing changes in license acquisition and management. For more information, refer to the Licensing Changes Announcement blog post.
- Removed the option to install the AppScan SSL certificate, which was previously used to record traffic from SSL sites.
Upcoming change
- AppScan Standard versions 10.6.0 and earlier will reach End of Support (EOS) by June 2025. It is recommended that you upgrade to the latest version available before then.
- The Web API Wizard (OpenAPI) extension will be removed in a future version of AppScan.