
Product Updates


Snyk Code: July Release, C++ rules, Java library coverage, and JavaScript Insecure Transmission

Improved

The July release expands Snyk Code coverage for C++ with several new rules and broader native C++ detection, improves detection for several popular Java libraries, and adds a new Insecure Transmission rule for JavaScript and TypeScript. These changes arrive with the July release on 13 July 2026.

What's changing

New rules

  • Log Forging, C++ (CWE-117, high): flags untrusted user input reaching a logging sink, which can let an attacker forge or corrupt log entries.

  • Improper Privilege Management, C++ (CWE-269, high): flags a privilege-dropping call whose result is not verified; a failed call can leave the process running with elevated privileges.

  • Missing Authorization, C++ (CWE-862, CWE-732): flags overly permissive file permissions (world-writable or world-executable), and calls that pass root (UID or GID 0) to privilege-escalation or file-ownership functions.

  • SSL/TLS Certificate Verification Bypass, C++ (CWE-295, medium): detects disabled certificate verification across seven TLS frameworks (OpenSSL, Qt, mbedTLS, libcurl, Boost.Asio, libpq, libpqxx), which exposes connections to man-in-the-middle attacks.

  • Insecure TLS Configuration, C++ (CWE-327, high): detects insecure TLS configuration, such as enabling outdated TLS versions.

  • Sensitive Cookie Without Secure Attribute, C++ (CWE-614, low): flags cookies that omit the Secure attribute, either by default or explicitly set to false, leaving them exposed to man-in-the-middle attacks.

  • Insecure Transmission, JavaScript (CWE-319): detects cleartext transmission over insecure transports beyond HTTP. Initial coverage targets Redis clients (@redis/client, ioredis, redis) connecting over a non-TLS redis:// URL. It ships under a new rule key, separate from HttpToHttps.
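As an added illustration of what the Improper Privilege Management (CWE-269) and Missing Authorization (CWE-862, CWE-732) rules above look for, the following C++ places the unchecked privilege-drop pattern next to a checked version and adds the permission-bit and root-id checks the rules describe. This is example code written for this page, not Snyk's rule implementation or code from the post; the helper names are assumptions.

```cpp
#include <sys/stat.h>
#include <unistd.h>

// Added example, not Snyk's code. All helper names are assumptions.

// Pattern the CWE-269 rule flags: the results of the privilege-dropping calls
// are discarded. If setuid() fails (for example with EPERM), execution simply
// continues with the original, elevated effective uid. The (void) casts silence
// the compiler's unused-result warning; they do not fix the problem.
void drop_privileges_unchecked(uid_t uid, gid_t gid) {
    (void)setgid(gid);
    (void)setuid(uid);
}

// Hardened form: check every return value, then confirm the effective ids
// actually changed, so a silent failure cannot leave the process elevated.
bool drop_privileges_checked(uid_t uid, gid_t gid) {
    // Drop the group first: once the uid is unprivileged, setgid() would fail.
    if (setgid(gid) != 0) return false;
    if (setuid(uid) != 0) return false;
    return geteuid() == uid && getegid() == gid;
}

// CWE-732: reject file modes that grant the "other" write or execute bits,
// the world-writable / world-executable patterns the Missing Authorization
// rule reports. Intended for data files a service creates, not for executables.
bool is_file_mode_safe(mode_t mode) {
    return (mode & (S_IWOTH | S_IXOTH)) == 0;
}

// The same rule flags passing uid 0 or gid 0 to ownership or privilege
// functions such as chown() or setuid(); refuse those arguments up front.
bool is_non_root_id(uid_t uid, gid_t gid) {
    return uid != 0 && gid != 0;
}

// Combined guard: only drop to a verified, non-root identity, and report
// failure instead of continuing elevated.
bool drop_to_unprivileged(uid_t uid, gid_t gid) {
    if (!is_non_root_id(uid, gid)) return false;
    return drop_privileges_checked(uid, gid);
}

int main() {
    // Setting the effective ids to the process's own real ids is permitted
    // for an unprivileged process, so this exercises the checked path safely.
    return drop_privileges_checked(getuid(), getgid()) ? 0 : 1;
}
```

The order of the two calls in the checked version matters: an unprivileged process cannot change its group, so the gid must be dropped while the process still has the privilege to do so.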

New C++ coverage

Detection now extended to native C++ for:

  • Code Injection (CWE-94): six framework modules (dlopen, LoadLibrary, Lua, CPython, Duktape, QuickJS).

  • Insecure Storage (CWE-922, info): sqlite, realm, leveldb, rocksdb, lmdb, Qt.

  • Insecure Cipher (CWE-327): broader native C++ crypto coverage (OpenSSL, Botan, libsodium, libtomcrypt, libgcrypt, Crypto++, mbedTLS).

Expanded Java library coverage

Improved detection for code using these popular Java libraries:

  • Azure SDK for Java (com.azure:azure-core)

  • Logback (ch.qos.logback:logback-classic)

  • Reactor Netty HTTP (io.projectreactor.netty:reactor-netty-http)

  • Apache Kafka clients (org.apache.kafka:kafka-clients)

  • Jackson (com.fasterxml.jackson.core:jackson-databind and com.fasterxml.jackson.core:jackson-core)

Important details to note

  • C++ customers may see new findings after the July release, in particular from the new rules above.

  • TLS rule reclassification: the existing TLS rule (Inadequate Encryption Strength) is moving from CWE-326 to CWE-327 across C++, Groovy, Java, Kotlin, Python, Scala and Swift. Customers with policies or ignores tied to the TLS rule under CWE-326 should review them. The TLS detection has also been refactored, so customers may see a change in the volume of TLS-related findings.

  • The C++ Insecure Storage rule is info-level and may increase findings, including some false positives (early triage sampled 50 of 491 new findings: 47 true positives, 3 false positives).

  • The JavaScript Insecure Transmission rule ships as a new rule-key, separate from HttpToHttps, so ignore and policy scoping stays clean.

To learn more, visit our Snyk User Documentation.

Nina Kanti | Senior Product Manager


Issue alert emails: updating the default

On July 27, 2026, Snyk updates the default setting for issue alert emails to ensure every notification you receive is relevant to your work. These emails alert you to newly detected vulnerabilities and license violations.

Summary of changes

If you have never manually configured your notification preferences, you stop receiving these emails after July 27, 2026. This update moves issue alert notifications to an opt-in model so they only reach you if they are useful to your workflow. If you have already chosen which emails you receive, your preferences do not change and remain preserved exactly as they are.

Manage your preferences

You can keep receiving these emails by saving your preferences before the July 27 deadline, or you can re-enable them at any time afterward. Wherever you can set issue alert notifications, a banner appears in the Snyk web UI. To opt in instantly, click Keep my current selections in the banner.

You can also manually manage your settings:

  • For personal preferences: Navigate to Account Settings, click Notifications, find the issue alert emails for the relevant Organizations, and save your preference.

  • For Organization admins: Navigate to Organization Settings, click Notifications, and update the default for all members of your Organization.

  • For Group admins: Navigate to Group, click Notifications, and manage issue alert settings across every Organization in the Group from a single page.

To learn more, visit Manage notifications.

Neha Shenoy | Senior Product Manager

Announcing Snyk CLI v1.1305.2

Fix

We are pleased to announce Snyk CLI release, v1.1305.2.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Bumped the Go runtime to version 1.26.4.

  • Improved MCP logging and addressed security issues in the Snyk MCP Server.

  • Fixed vulnerabilities:

    • CVE-2026-44705

    • CVE-2026-45570

    • CVE-2026-49982

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager


Snyk Learn lesson roundup: what’s new in June

New

This month on Snyk Learn, we’ve added new AI security lessons covering the attacks that target agentic systems: getting agents to run code they shouldn't, poisoning their memory to bend their reasoning, and exploiting the gaps where agents talk to each other!

Security lessons

Expanded framework & language coverage

We’ve also expanded Snyk Learn content to cover more of your tech stack:

  • New/expanded language support:

    • Multiple lessons expanded into Python, Rust, and Ruby for the OWASP Top 10.

Each new/updated lesson above links directly to the relevant content so you can share it with your teams or assign it as part of your training program with the Snyk Learning Management Add-On.

Use Snyk Learn to help your security engineers and developers stay ahead of the latest risks!

Bonus Content

Snyk is also publishing videos on AI coding and AI security on our YouTube channel! If you would like to see content like this on Snyk Learn, use the feedback button on Snyk Learn to let us know.

Snyk YouTube


Alex Ley | Senior Director, Snyk Learn

Automatically Close Obsolete Open Source Fix PRs with Help from Snyk, Now Generally Available!

General availability

A cluttered PR backlog slows everyone down.

Following a successful Early Access, automatic closing of Open Source Fix PRs is now generally available. What's more, this feature will be turned on by default across all of our customers so your team spends less time triaging stale pull requests and more time shipping.

Whether a developer manually applied a fix, removed the dependency, or a transitive update resolved the issue, Snyk catches it during your next recurring test and closes the outdated PR. We also drop a comment on the PR explaining exactly which issues were resolved, so your team always has the right context without the extra noise.

How it works:

  • Snyk checks your open Fix PRs during recurring tests.

  • If the targeted dependency was removed, updated transitively, or fixed manually, the PR is automatically closed.

  • Snyk leaves a comment detailing the resolved issues so your team knows exactly why it was closed.

  • A Fix PR is only closed if all issues are resolved—if some remain, Snyk leaves the PR open so nothing falls through the cracks.

What's new at GA: With the general availability rollout, this feature is now enabled by default for all organizations. Administrators who prefer to manage closures manually can opt out from the settings page. You can now also configure the maximum number of obsolete PRs Snyk will close per day, giving you control of your workflow, a top piece of feedback from Early Access.

We hope you enjoy cleaner, more actionable backlogs!


Ryan McMorrow | Product Lead, Remediation

Rescheduling Snyk Code June Update from June 15 to June 22

Improved

The upcoming improvements for our Snyk Code: June Update will be postponed from June 15 to June 22. We're running a final round of quality validation to make sure these updates deliver the most accurate results.

These updates, including broader TLS and cryptographic detection for .NET and expanded PHP SQL injection coverage, will now go live on June 22.

Nina Kanti | Senior Product Manager


Assess secure-at-inception effectiveness with the Prevention report (Early Access)

Early access

We are thrilled to announce that the Prevention Report is now available in Early Access!

Measuring the true impact of "shifting left" has traditionally been a challenge. We designed the Prevention report to give you clear, actionable visibility into the effectiveness of security adoption directly within your development lifecycle.

This new report tracks the vulnerabilities developers proactively remediate at the point of creation in Snyk Code and Secrets—long before those issues ever reach a pull request or production environment. Data is seamlessly captured in the background as your team works across our developer surfaces, including Snyk Studio (MCP), IDE plugins and extensions, and the CLI.

The Prevention report enables you to:

  • Measure proactive security: Track the total number of raw fixes and monitor your fix rate over time using our new prevention key performance indicators (KPIs).

  • Analyze developer workflows: Break down fixes by surface area to understand exactly where your team prefers to resolve issues (MCP, IDE, or CLI).

  • Identify trends and champions: Leverage the Fix-by-Developer leaderboard and detailed vulnerability breakdowns to see which types of vulnerabilities developers squash immediately, and which ones are detected but left unfixed.

  • Enrich your Analytics Overview: Enable fix-by-surface KPIs and a new fix trends chart directly within your primary Analytics Overview dashboard for a comprehensive view of your security posture.

You can now directly measure the effectiveness of your IDE or MCP-based security efforts. By tracking vulnerabilities remediated early in the development lifecycle, you gain the data needed to prove the success of your security programs and validate your application security strategy.

To learn more, visit our Snyk User Documentation.


Sara Meadzinger | Staff Product Manager

Announcing Snyk CLI v1.1305.1

Fix

We are pleased to announce Snyk CLI release, v1.1305.1.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Improved rate-limit handling: the CLI now respects the X-RateLimit-Reset header when it is rate limited by the API, so retries wait the correct amount of time. This improves the reliability of scans in high-volume and CI/CD environments.

  • Fixed vulnerabilities:

    • CVE-2026-39827

    • CVE-2026-39831

    • CVE-2026-33186 (IaC extensions)

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager


Announcing a new Snyk User Docs site structure!

Improved

We are excited to announce a redesign of the Snyk User Docs site, introducing a new structure built around site sections.

What's changed?

The docs are now reorganized into six clearly defined site sections:

  • Discover Snyk: An introduction to the platform, capabilities, and supported languages.

  • Platform administration: Settings, user management, Org configuration, and more.

  • Scan, fix, and prevent: Snyk core security scanning, fixing and prevention workflows

  • Developer tools: CLI, IDE integrations, related tooling, and more

  • Agent security: Agentic and AI-powered security features.

  • Snyk data and governance: Data handling, compliance, and policies.

In addition, there are dedicated sections for Getting started guides and Implementation guides to support onboarding and deployment workflows.

Why have we made this change?

We know that it can be difficult to quickly understand where you are in the product ecosystem when searching for information, with docs feeling fragmented across products and feature areas. This update aims to align content with your real user workflows, reduce the cognitive load of finding information, and improve the overall experience when navigating the docs.

Natasha Ellingford | Senior Technical Writer


Snyk Code: June Update

Improved

We're expanding Snyk Code analysis for the .NET (C# and VB) ecosystem with broader detection across TLS configuration, cryptographic algorithms, and third-party crypto libraries. We built these improvements to surface a wider range of crypto-related security issues in .NET codebases while keeping false positives in check. Coverage extends across the standard library and the most common third-party crypto packages, so customers using BouncyCastle see the same depth of detection as native .NET code.

We're also expanding PHP coverage for SQL injection: Snyk Code now detects interfile taint flow when the SQL sink is wrapped in a database-access class. These improvements arrive with the June release on 15 June 2026.

What's changing

New TLS vulnerability detection for .NET (CWE-326)

Snyk Code now identifies insecure TLS protocol configuration across the most common .NET HTTP and network stacks: ServicePointManager, HttpClientHandler, WinHttpHandler, SocketsHttpHandler, Kestrel, and SslStream. Only TLS 1.2 and 1.3 are considered safe. Earlier protocols are flagged as vulnerable, including when an outdated protocol is enabled as part of a bitwise combination of protocol flags.

Broader Insecure Cipher coverage for .NET (CWE-327)

Cipher detection has been generalised for C# and VB, with new third-party support via BouncyCastle. Algorithms now flagged: PAKE, Triple DES, DES, Skipjack, RC4, RC2, MD5, and SHA-1.

Expanded weak-key-size detection for .NET (CWE-326)

Native standard-library coverage added for ECDHE, ECDH, ECDSA, RSA, AES (GCM), and HMAC-SHA1, HMAC-SHA2, and HMAC-SHA3 across Base, Windows, and Linux .NET types. Third-party support was added for DH, DHE (BouncyCastle), AES-XTS (BouncyCastle), and CMAC-AES (BouncyCastle).

Generalised crypto rule templates for .NET (CWE-326, CWE-327)

The InsecureCipher, TooSmallKeySize, and WeakEccCurve rules have been refactored into unified report templates.

PHP SQL injection interfile taint flow through wrapper classes (CWE-89)

Snyk Code now detects SQL injection where the sink is defined in a wrapper class (single level: caller → wrapper → mysql_query).

Important details to note

  • You may notice an increase in .NET vulnerability findings after the June release, particularly around TLS misconfiguration and weak cryptographic algorithms.

  • RC2 is reclassified from TooSmallKeySize to InsecureCipher. Customers with ignores or policies tied to specific rule keys should be aware of this change. The scope is .NET (C# and VB) only.

  • A small number of CryptoServiceProvider false positives related to read-only KeySize properties will no longer fire. These were never actionable in the first place. The scope is .NET (C# and VB) only.

  • PHP customers may see new SQL injection findings after the June release, particularly in codebases that route database calls through wrapper classes.

To learn more, visit our Snyk User Documentation.


Nina Kanti | Senior Product Manager
