What changed

Nyx now has built-in caps and rule IDs for LDAP injection, XPath injection, header injection, open redirect, server-side template injection, XXE, and prototype pollution. The rules ship across the supported language packs, each with a severity, an OWASP category mapping, and a human-readable issue label.

The release also adds two SSA sidecars that track parser configuration. XML parser settings and XPath resolver setup are followed through assignments and control-flow joins, so a parser that has been hardened before use (for example, with external entity resolution switched off) clears the XXE or XPath finding instead of leaving a noisy alert behind.
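As an added example, not Nyx's own code, here are the two parser configurations such a tracker has to tell apart, written against Python's standard-library xml.sax: the same constructed XXE payload parsed once with external general entities enabled and once with them disabled. The secret file, its contents, the payload and the function names are constructed for the demonstration; the feature flag is xml.sax's real feature_external_ges.

```python
"""Vulnerable versus hardened XML parser configuration (the setting an SSA
tracker of parser configuration follows).  Added example, not Nyx's code;
it uses the standard library's xml.sax and constructs its own secret file
and XXE payload."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_payload(path):
    """Constructed attacker document: an external general entity that points
    at a local file and is referenced from the document body."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<doc>&xxe;</doc>"
    ).encode()


def _parse(data, resolve_external_entities):
    parser = xml.sax.make_parser()
    # The assignment a configuration tracker has to see before parse() runs.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text()


def parse_vulnerable(data):
    """Bad configuration: external general entities are resolved, so the
    entity reference reads the file and injects its contents into the text."""
    return _parse(data, resolve_external_entities=True)


def parse_hardened(data):
    """Hardened configuration: external entity resolution is explicitly off,
    so the reference expands to nothing and the file is never opened."""
    return _parse(data, resolve_external_entities=False)


def demo():
    """Writes a constructed secret, parses the same payload both ways and
    returns (vulnerable_output, hardened_output)."""
    workdir = tempfile.mkdtemp()
    secret = os.path.join(workdir, "secret.txt")
    try:
        with open(secret, "w", encoding="utf-8") as f:
            f.write("token-0123")
        data = xxe_payload(secret)
        return parse_vulnerable(data), parse_hardened(data)
    finally:
        if os.path.exists(secret):
            os.remove(secret)
        os.rmdir(workdir)


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(safe))
```

Python 3.7.1 and later already default feature_external_ges to off, but the explicit assignment is what a flow-sensitive tracker can see; other parsers expose the same knob under other names (lxml's XMLParser(resolve_entities=False), for instance), and the point of tracking it through assignments and joins is that the setting must hold on every path into the parse call, not just the one the author tested.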

Auth got sharper

Dependencies declared on a FastAPI router are now followed through include_router chains across files. A module-level APIRouter(dependencies=[...]) now counts for every route attached to that router, and a Security(...) dependency with scopes is treated as an authorization check rather than a plain login dependency.

Go DAO helpers and Java Hibernate Criteria queries also got a false-positive pass. That clears a large cluster of noisy Go ownership-check findings and most of the SQL findings in the openmrs Criteria API cluster.

Small things that matter

  • nyx rules list now surfaces the built-in rule registry from the CLI.
  • The local UI got a brand refresh to match the site and docs.
  • The CVE corpus grew across Python, PHP, JavaScript, and C.
  • The open redirect rule now recognises relative URL checks and host allowlists as validation, so the branch they guard is treated as the safe branch.
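As an added example, not Nyx's code, the following shows in Python (urllib.parse only) the difference between a leading-slash check that still deserves a finding and a validator built from a relative-URL test plus a host allowlist, the shape the rule now treats as a safe branch. ALLOWED_HOSTS, naive_is_safe, is_safe_redirect and choose_redirect are names made up for the demonstration, and the hosts in the allowlist are constructed.

```python
"""Open redirect validation: the naive check that still gets flagged beside a
check built from a relative-URL test and a host allowlist.  Added example,
not Nyx's code; ALLOWED_HOSTS and the function names are made up here."""
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts an absolute redirect may point at.
ALLOWED_HOSTS = frozenset({"app.example", "accounts.example"})


def naive_is_safe(target):
    """A leading slash does not make a URL relative: '//evil.example' is
    protocol-relative, and browsers read '/\\evil.example' the same way."""
    return target.startswith("/")


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept a same-origin absolute path, or an http(s) URL whose host is on
    the allowlist.  Anything else is the unsafe branch."""
    if not target:
        return False
    # Browsers strip ASCII whitespace and control characters before parsing,
    # so such a target would not be interpreted the way urlsplit sees it.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Backslashes are treated as slashes by browsers; refuse rather than guess.
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. a malformed IPv6 literal such as 'https://[evil'
        return False

    if parts.scheme == "" and parts.netloc == "":
        # Relative branch.  '//host' would have produced a netloc, and
        # '///host' is normalised to '//host' by browsers, so both are out.
        return target.startswith("/") and not target.startswith("//")

    # Absolute branch: only http(s), and only an allowlisted host.  A bare
    # '//host' (empty scheme) is rejected here as well.
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased, with userinfo and port stripped
    return host is not None and host in allowed_hosts


def choose_redirect(requested, fallback="/"):
    """The two branches a rule sees: the validated target, or a fixed fallback."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for candidate in ("/account", "//evil.example/x", "https://app.example/dash",
                      "https://app.example@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} naive={naive_is_safe(candidate)!s:5} "
              f"hardened={is_safe_redirect(candidate)}")
```

The host comparison uses urlsplit's hostname attribute deliberately: it is lowercased and has userinfo and port removed, so "https://app.example@evil.example/" is compared as evil.example and "https://APP.example:8443/" as app.example. Matching is exact, so a subdomain of an allowlisted host is not accepted unless it is listed itself.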

Release Notes for today's update can be found here.