v4.4.26
Critical Fix
- fix: prevent cross-scan data leakage in wildcard subdomain matching
Starting a new wildcard scan for a previously-scanned domain (e.g. yahoo.com) would instantly show all subdomains and findings from old scans. A 1-minute-old scan showed 424 completed subdomains and 16 findings that belonged to previous scans.
Root cause: isChildOfScan() matched by target name alone, so attachWildcardSubScans() absorbed every old subdomain record for the same domain into the new scan.
Fix: Require InstanceID match when the parent scan has one (all modern scans do). Old pre-instance scans still use the legacy target-name fallback.
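The matching rule before and after the fix, sketched in Go as an added example; this is not the project's own code. Only `isChildOfScan`, `attachWildcardSubScans` and `InstanceID` are names from the note above; the language, the `Scan` struct, the `nameMatches` helper, the function signatures and the sample records are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Scan is a hypothetical record shape; only the InstanceID name comes from the release note.
type Scan struct {
	Target     string // "*.example.com" for a wildcard parent, a hostname for a child
	InstanceID string // empty on legacy pre-instance scans
}

// nameMatches is the pre-fix test: the child is a subdomain of the parent's target.
func nameMatches(parent, child Scan) bool {
	return strings.HasSuffix(child.Target, "."+strings.TrimPrefix(parent.Target, "*."))
}

// isChildOfScan is the post-fix test: a parent that has an InstanceID accepts
// only children carrying the same one; legacy parents fall back to the name.
func isChildOfScan(parent, child Scan) bool {
	if !nameMatches(parent, child) {
		return false
	}
	if parent.InstanceID != "" {
		return child.InstanceID == parent.InstanceID
	}
	return true // legacy target-name fallback
}

// attachWildcardSubScans returns the stored records that match assigns to parent.
func attachWildcardSubScans(parent Scan, stored []Scan, match func(p, c Scan) bool) []Scan {
	var out []Scan
	for _, s := range stored {
		if match(parent, s) {
			out = append(out, s)
		}
	}
	return out
}

// Constructed sample records: two left over from an earlier scan, one from the new scan.
var stored = []Scan{{"mail.example.com", "scan-old"}, {"api.example.com", "scan-old"}, {"www.example.com", "scan-new"}}

func main() {
	parent := Scan{"*.example.com", "scan-new"}
	fmt.Println("name-only match:", len(attachWildcardSubScans(parent, stored, nameMatches)))
	fmt.Println("instance match: ", len(attachWildcardSubScans(parent, stored, isChildOfScan)))
}
```

A regression test for this class of bug seeds the store with records from a prior scan of the same target and asserts that a fresh scan starts with none of them attached.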