Release of June 29, 2026

Enhancements

This release includes improvements to Jira integration, scan visibility, usability, and authentication configuration.

Better Jira updates

Bright now adds comments to linked Jira issues when a vulnerability is resolved, reopened, or ignored.

The comments include the action type (Manual or Automatic), resolution details (when relevant), and timestamp, helping development teams stay updated without leaving Jira. Bright adds comments only and does not change Jira issue statuses.


Better scan notifications and troubleshooting

Bright now makes it easier to understand why a task was paused.

  • When a Scan or Discovery reaches its configured duration limit, Bright automatically pauses it and adds a notification to the Engine Notifications page explaining why it stopped.
  • We've also updated the message shown when a task is paused because the target cannot be reached. The new message provides clearer guidance before resuming the task.
    • If your organization uses a custom support email, it will also be shown in the message.

Better usability and accessibility

We've made several improvements to make Bright easier to use.

  • Projects now include a new Task Activity tab that brings all scan-related activity into one place. This new area is designed to support additional capabilities in future releases.
  • Bright now shows a clear message when the maximum number of parallel scans is reached. Users can add the scan to the queue or cancel the action.
  • We've also updated icons, colors, and empty states across the application to create a more consistent experience and improve accessibility, including better support for users with color vision deficiencies.

Improved repeater validation for Authentication Objects

Authentication Objects now validate repeater selection the same way as Scans and Discoveries.

Users can only select repeaters that belong to the selected project or are configured as global. If a selected repeater is no longer valid because the project changes, the repeater is removed, or it becomes unavailable, Bright automatically clears the selection to prevent invalid configurations.


Security tests

This release includes new security checks and scan optimizations that improve detection quality and reduce scan time.

AESI for MCP

Bright now detects ANSI Escape Sequence Injection (AESI) in MCP tool, resource, and prompt entry points — including stored scenarios where malicious content written through one entry point later appears in MCP responses consumed by AI agents.
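A response-side check for the condition described above, as an added example that is not Bright's code or detection logic: it walks a constructed MCP `tools/call` result, reports each ANSI escape sequence with its JSON path, and returns a stripped copy for the consuming agent or terminal. The sample message, the function names and the regex coverage (CSI, OSC, two-byte escapes) are assumptions for illustration; because it inspects the response, it applies equally to content stored earlier through another entry point.

```python
import re

# Constructed sample: an MCP tools/call result whose text content carries
# ANSI escape sequences (SGR conceal/reset and an OSC 8 hyperlink).
SAMPLE_RESULT = {
    "jsonrpc": "2.0", "id": 7,
    "result": {"content": [
        {"type": "text", "text": "Ticket 42: printer offline"},
        {"type": "text", "text": "Note: \x1b[8mconcealed text\x1b[0m done"},
        {"type": "text", "text": "\x1b]8;;https://example.invalid\x07docs\x1b]8;;\x07"},
    ]},
}

# Order matters: complete CSI and OSC sequences are tried before the fallbacks.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] ... ended by BEL or ESC \
    r"|\x9b[0-?]*[ -/]*[@-~]"               # 8-bit CSI introducer
    r"|\x1b[@-_]|\x1b"                      # other two-byte escapes, stray ESC
)

def walk_text(node, path="$"):
    """Yield (json_path, string) for every string value in a JSON-like object."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from walk_text(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_text(value, f"{path}[{index}]")

def find_aesi(message):
    """Return one finding per escape sequence: (json_path, offset, repr)."""
    return [(path, m.start(), repr(m.group()))
            for path, text in walk_text(message)
            for m in ANSI_RE.finditer(text)]

def sanitize(node):
    """Return a copy of the message with escape sequences removed."""
    if isinstance(node, str):
        return ANSI_RE.sub("", node)
    if isinstance(node, dict):
        return {key: sanitize(value) for key, value in node.items()}
    if isinstance(node, list):
        return [sanitize(value) for value in node]
    return node
```
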


Secret tokens

The Secret Tokens test has been improved:

  • Each leaked token is now reported as a separate finding, giving full visibility when multiple secrets are exposed on the same page.
  • Detection of generic access tokens in application responses has been added.
  • Sonar token detection has been updated for current SonarQube and SonarCloud token formats.

XSS

Cross-Site Scripting (XSS) scanning is now more efficient. Bright selects payloads based on reflection context instead of blind spraying, maintaining comparable coverage with significantly fewer requests. DOM XSS testing is also faster through optimized browser session handling.


LFI

Local File Inclusion (LFI) scanning is faster in smart scan mode. Bright focuses testing on payloads most likely to produce meaningful results, reducing the number of requests per parameter while keeping application-level traversal coverage.


SQLi and FHIR

SQL Injection and dynamic parameter testing on FHIR endpoints are now more efficient. Bright detects when mutating a parameter produces an unrecoverable validation response — meaning further tampering cannot yield a useful security signal — and moves on to parameters that can still be meaningfully tested. This reduces unnecessary requests without reducing coverage on testable inputs.