|
| 1 | +--- |
| 2 | +title: "ZAP Updates - February 2026" |
| 3 | +summary: > |
| 4 | + February was another busy month for the ZAP project, with improvements across browser automation, GraphQL and the Encode/Decode/Hash add-on. |
| 5 | +images: |
| 6 | +- https://www.zaproxy.org/blog/2026-03-02-zap-updates-february-2026/images/zapbot-monthly-updates.png |
| 7 | +type: post |
| 8 | +tags: |
| 9 | +- blog |
| 10 | +- update |
| 11 | +date: "2026-03-02" |
| 12 | +authors: |
| 13 | +- simon |
| 14 | +--- |
| 15 | + |
| 16 | +## Highlights |
| 17 | + |
| 18 | +February was another busy month for the ZAP project, with improvements across browser automation, GraphQL and the Encode/Decode/Hash add-on. |
| 19 | + |
| 20 | +### Circular Type References in GraphQL Detection |
| 21 | + |
| 22 | +At the start of the month [Akshath](/authors/akshath/) explained how you can now use ZAP to |
| 23 | +[Detect Circular Type References in GraphQL Schemas](/blog/2026-02-06-detecting-graphql-cycles/). |
| 24 | + |
| 25 | +These are a security concern because attackers can exploit these circular references to craft deeply recursive queries, potentially causing Denial of Service (DoS) conditions on your GraphQL server. |
| 26 | + |
| 27 | +### Using Encode/Decode/Hash Add-on with Cyber Chef |
| 28 | + |
| 29 | +[Rick](/authors/thorin/) wrote a detailed blog post which demonstrated how you can |
| 30 | +[use CyberChef with ZAP's Encode/Decode/Hash add-on](/blog/2026-02-17-encoder-cyberchef-via-scripts/). |
| 31 | + |
| 32 | +This gives you access to CyberChef's huge set of recipes right where you need them. |
| 33 | + |
| 34 | +### Custom Browser and Preferences Support |
| 35 | + |
| 36 | +Last week we added support for [Custom Browsers and Preferences](/blog/2026-02-24-custom-browsers-and-preferences/). |
| 37 | + |
| 38 | +This enhancement gives you far more control over how ZAP drives browsers for manual exploring, the modern spiders, automation, and authenticated testing scenarios. |
| 39 | + |
| 40 | +It is also key to our plans to provide much better support for 3rd party tools that run in the browser. |
| 41 | +More new about that hopefully soon! |
| 42 | + |
| 43 | +### Move to Java 21 |
| 44 | + |
| 45 | +We [announced](https://groups.google.com/g/zaproxy-users/c/HHJHAaq1V7g/m/xf7AoIq9AQAJ) that ZAP 2.18.0 will require a minimum of Java 21. |
| 46 | + |
| 47 | +This will allow us to use new Java features and performance improvements, as well as Java libraries which no longer support older versions. |
| 48 | + |
| 49 | +The nightly Docker image has been updated to Java 21, as will be today's weekly release. |
| 50 | + |
| 51 | +As long as no problems are reported then we plan to move the stable Docker image to use Java 21 as well, from the start of April. |
| 52 | + |
| 53 | +## Ongoing Work |
| 54 | + |
| 55 | +### Improved Modern App Crawling |
| 56 | + |
| 57 | +Ensuring that ZAP can crawl modern web apps as effectively as possible is a priority for us. |
| 58 | +Work is progressing well, but there is a lot to do, so we will post updates when there are new features available. |
| 59 | + |
| 60 | +### Scan Rules |
| 61 | + |
| 62 | +The [Cloud Metadata Potentially Exposed](/docs/alerts/90034/) rule has been updated to reduce |
| 63 | +false positives and to add support for cloud metadata from IBM and OpenStack. |
| 64 | + |
| 65 | +If you get any more false positives for this rule then please report them to us ASAP. |
| 66 | + |
| 67 | +As a reminder, if you get false positives with any of the scan rules then follow the FAQ: [How do I handle a False Positive?](/faq/how-do-i-handle-a-false-positive/) |
| 68 | + |
| 69 | +## New Contributors |
| 70 | +A very warm welcome to the people who started to contribute to ZAP this month! |
| 71 | + |
| 72 | +* [giveen](https://github.com/giveen) |
| 73 | +* [ceylanb](https://github.com/ceylanb) |
| 74 | +* [e1l1ya](https://github.com/e1l1ya) |
| 75 | +* [Arunodoy18](https://github.com/Arunodoy18) |
| 76 | +* [cx-daniel-gabay](https://github.com/cx-daniel-gabay) |
| 77 | +* [GerhardBotha97](https://github.com/GerhardBotha97) |
| 78 | + |
| 79 | +## GitHub Pulse |
| 80 | +Here are some statistics for the two main ZAP repositories: |
| 81 | + |
| 82 | +[zaproxy](https://github.com/zaproxy/zaproxy/pulse/monthly) |
| 83 | +Excluding merges, 5 authors have pushed 13 commits to main and 13 commits to all branches. On main, 39 files have changed and there have been 875 additions and 544 deletions. |
| 84 | + |
| 85 | +[zap-extensions](https://github.com/zaproxy/zap-extensions/pulse/monthly) |
| 86 | +Excluding merges, 7 authors have pushed 80 commits to main and 80 commits to all branches. On main, 879 files have changed and there have been 79,537 additions and 34,406 deletions. |
| 87 | + |
| 88 | +A total of [53 human PRs were merged](https://github.com/search?q=org%3Azaproxy+type%3Apr+-author%3Azapbot+-author%3Aapp%2Fdependabot+sort%3Aupdated-asc+closed%3A2026-02+is%3Amerged&type=pullrequests) on the ZAP repos. |
| 89 | + |
| 90 | +## Released Add-ons - Full Changelog |
| 91 | +In February 2026, we released updated versions of 11 add-ons: |
| 92 | + |
| 93 | +##### GraphQL Support |
| 94 | +**v0.31.0** |
| 95 | +Fixed |
| 96 | +- Tech Detection integration was not working due to handler reset on each run. |
| 97 | + |
| 98 | +**v0.30.0** |
| 99 | +Added |
| 100 | +- GraphQL Cycle detection: Imported schemas are processed for circular type references, and an alert is created for each unique circular relationship that is found. |
| 101 | + The cycle detection exhaustiveness and the maximum number of alerts raised are configurable. |
| 102 | + |
| 103 | +##### Linux WebDrivers |
| 104 | +**v184** |
| 105 | +Changed |
| 106 | +- Update ChromeDriver to 146.0.7680.31. |
| 107 | + |
| 108 | +**v183** |
| 109 | +Changed |
| 110 | +- Update ChromeDriver to 145.0.7632.117. |
| 111 | + |
| 112 | +**v182** |
| 113 | +Changed |
| 114 | +- Update ChromeDriver to 145.0.7632.77. |
| 115 | + |
| 116 | +**v181** |
| 117 | +Changed |
| 118 | +- Update ChromeDriver to 145.0.7632.76. |
| 119 | + |
| 120 | +**v180** |
| 121 | +Changed |
| 122 | +- Update ChromeDriver to 145.0.7632.67. |
| 123 | + |
| 124 | +**v179** |
| 125 | +Changed |
| 126 | +- Update ChromeDriver to 145.0.7632.46. |
| 127 | + |
| 128 | +**v178** |
| 129 | +Changed |
| 130 | +- Update ChromeDriver to 144.0.7559.133. |
| 131 | + |
| 132 | +**v177** |
| 133 | +Changed |
| 134 | +- Roll back ChromeDriver to 144.0.7559.109. |
| 135 | + |
| 136 | +##### OpenAPI Support |
| 137 | +**v52** |
| 138 | +Changed |
| 139 | +- Enable Swagger Secret Detector Script Scan Rule, the JS Engine memory leak has been addressed (Issue 9230). |
| 140 | + |
| 141 | +##### Passive scanner rules (beta) |
| 142 | +**v49** |
| 143 | +Changed |
| 144 | +- Insufficient Site Isolation Against Spectre Vulnerability alerts to have unique alert names. |
| 145 | + |
| 146 | +##### Retire.js |
| 147 | +**v0.54.0** |
| 148 | +Changed |
| 149 | +- Updated with upstream retire.js pattern changes. |
| 150 | +- Now only loads the data once (Issue 9103). |
| 151 | + |
| 152 | +##### Selenium |
| 153 | +**v15.44.0** |
| 154 | +Added |
| 155 | +- Support for custom browsers |
| 156 | +- Support for browser preferences |
| 157 | +Changed |
| 158 | +- Update Selenium to version 4.41.0. |
| 159 | +Removed |
| 160 | +- Support for IE and disabled Safari. |
| 161 | + |
| 162 | +##### Spider |
| 163 | +**v0.19.0** |
| 164 | +Changed |
| 165 | +- Maintenance changes. |
| 166 | + |
| 167 | +Fixed |
| 168 | +- Handle persistence errors and forced shutdown in automation job. |
| 169 | +- Address memory leak. |
| 170 | + |
| 171 | +##### Technology Detection |
| 172 | +**v21.53.0** |
| 173 | +Changed |
| 174 | +- Updated with enthec upstream icon and pattern changes. |
| 175 | +- Dependency update. |
| 176 | + |
| 177 | +##### Windows WebDrivers |
| 178 | +**v185** |
| 179 | +Changed |
| 180 | +- Update ChromeDriver to 146.0.7680.31. |
| 181 | + |
| 182 | +**v184** |
| 183 | +Changed |
| 184 | +- Update ChromeDriver to 145.0.7632.117. |
| 185 | + |
| 186 | +**v183** |
| 187 | +Changed |
| 188 | +- Update ChromeDriver to 145.0.7632.77. |
| 189 | + |
| 190 | +**v182** |
| 191 | +Changed |
| 192 | +- Update ChromeDriver to 145.0.7632.76. |
| 193 | + |
| 194 | +**v181** |
| 195 | +Changed |
| 196 | +- Update ChromeDriver to 145.0.7632.67. |
| 197 | + |
| 198 | +**v180** |
| 199 | +Changed |
| 200 | +- Update ChromeDriver to 145.0.7632.46. |
| 201 | + |
| 202 | +**v179** |
| 203 | +Changed |
| 204 | +- Update ChromeDriver to 144.0.7559.133. |
| 205 | + |
| 206 | +**v178** |
| 207 | +Changed |
| 208 | +- Roll back ChromeDriver to 144.0.7559.109. |
| 209 | + |
| 210 | +##### Zest - Graphical Security Scripting Language |
| 211 | +**v48.12.0** |
| 212 | +Added |
| 213 | +- UI support for Zest script options. |
| 214 | +- Now supports authentication for client side scripts. |
| 215 | + |
| 216 | +Fixed |
| 217 | +- Bug which prevented client side scripts from being recorded in ZAP. |
| 218 | + |
| 219 | +Changed |
| 220 | +- Update Zest library to 0.35.0: |
| 221 | + - Migrate JSON serialization from Gson to Jackson. |
| 222 | + |
| 223 | +##### macOS WebDrivers |
| 224 | +**v184** |
| 225 | +Changed |
| 226 | +- Update ChromeDriver to 146.0.7680.31. |
| 227 | + |
| 228 | +**v183** |
| 229 | +Changed |
| 230 | +- Update ChromeDriver to 145.0.7632.117. |
| 231 | + |
| 232 | +**v182** |
| 233 | +Changed |
| 234 | +- Update ChromeDriver to 145.0.7632.77. |
| 235 | + |
| 236 | +**v181** |
| 237 | +Changed |
| 238 | +- Update ChromeDriver to 145.0.7632.76. |
| 239 | + |
| 240 | +**v180** |
| 241 | +Changed |
| 242 | +- Update ChromeDriver to 145.0.7632.67. |
| 243 | + |
| 244 | +**v179** |
| 245 | +Changed |
| 246 | +- Update ChromeDriver to 145.0.7632.46. |
| 247 | + |
| 248 | +**v178** |
| 249 | +Changed |
| 250 | +- Update ChromeDriver to 144.0.7559.133. |
| 251 | + |
| 252 | +**v177** |
| 253 | +Changed |
| 254 | +- Roll back ChromeDriver to 144.0.7559.109. |
| 255 | + |
0 commit comments