
Product Updates


Announcing Snyk CLI v1.1305.2

Fix

We are pleased to announce Snyk CLI release, v1.1305.2.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Bumped the Go runtime to version 1.26.4.

  • Improved MCP logging and addressed security issues in the Snyk MCP Server.

  • Fixed vulnerabilities:

    • CVE-2026-44705

    • CVE-2026-45570

    • CVE-2026-49982

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager


Snyk Learn lesson roundup: what’s new in June

New

This month on Snyk Learn, we’ve added new AI security lessons covering the attacks that target agentic systems: getting agents to run code they shouldn't, poisoning their memory to bend their reasoning, and exploiting the gaps where agents talk to each other!

Security lessons

Expanded framework & language coverage

We’ve also expanded Snyk Learn content to cover more of your tech stack:

  • New/expanded language support:

    • Multiple lessons expanded into Python, Rust, and Ruby for the OWASP Top 10.

Each new/updated lesson above links directly to the relevant content so you can share it with your teams or assign it as part of your training program with the Snyk Learning Management Add-On.

Use Snyk Learn to help your security engineers and developers stay ahead of the latest risks!

Bonus Content

Snyk is also publishing videos on AI coding and AI security on our YouTube channel! If you would like to see content like this on Snyk Learn, use the feedback button on Snyk Learn to let us know.


Alex Ley | Senior Director, Snyk Learn

Automatically Close Obsolete Open Source Fix PRs with Help from Snyk, Now Generally Available!

General availability

A cluttered PR backlog slows everyone down.

Following a successful Early Access, automatic closing of Open Source Fix PRs is now generally available. What's more, this feature will be turned on by default across all of our customers so your team spends less time triaging stale pull requests and more time shipping.

Whether a developer manually applied a fix, removed the dependency, or a transitive update resolved the issue, Snyk catches it during your next recurring test and closes the outdated PR. We also drop a comment on the PR explaining exactly which issues were resolved, so your team always has the right context without the extra noise.

How it works:

  • Snyk checks your open Fix PRs during recurring tests.

  • If the targeted dependency was removed, updated transitively, or fixed manually, the PR is automatically closed.

  • Snyk leaves a comment detailing the resolved issues so your team knows exactly why it was closed.

  • A Fix PR is only closed if all issues are resolved—if some remain, Snyk leaves the PR open so nothing falls through the cracks.

What's new at GA: With the general availability rollout, this feature is now enabled by default for all organizations. Administrators who prefer to manage closures manually can opt out from the settings page. You can now also configure the maximum number of obsolete PRs Snyk will close per day, giving you control of your workflow; this was a top piece of feedback from Early Access.

We hope you enjoy cleaner, more actionable backlogs!


Ryan McMorrow | Product Lead, Remediation

Rescheduling the Snyk Code June Update from June 15 to June 22

Improved

The upcoming improvements for our Snyk Code: June Update will be postponed from June 15 to June 22. We're running a final round of quality validation to make sure these updates deliver the most accurate results.

These updates, including broader TLS and cryptographic detection for .NET and expanded PHP SQL injection coverage, will now go live on June 22.

Nina Kanti | Senior Product Manager


Assess secure-at-inception effectiveness with the Prevention report (Early Access)

Early access

We are thrilled to announce that the Prevention Report is now available in Early Access!

Measuring the true impact of "shifting left" has traditionally been a challenge. We designed the Prevention report to give you clear, actionable visibility into the effectiveness of security adoption directly within your development lifecycle.

This new report tracks the vulnerabilities developers proactively remediate at the point of creation in Snyk Code and Secrets—long before those issues ever reach a pull request or production environment. Data is seamlessly captured in the background as your team works across our developer surfaces, including Snyk Studio (MCP), IDE plugins and extensions, and the CLI.

The Prevention report enables you to:

  • Measure proactive security: Track the total number of raw fixes and monitor your fix rate over time using our new prevention key performance indicators (KPIs).

  • Analyze developer workflows: Break down fixes by surface area to understand exactly where your team prefers to resolve issues (MCP, IDE, or CLI).

  • Identify trends and champions: Leverage the Fix-by-Developer leaderboard and detailed vulnerability breakdowns to see which types of vulnerabilities developers squash immediately, and which ones are detected but left unfixed.

  • Enrich your Analytics Overview: Enable fix-by-surface KPIs and a new fix trends chart directly within your primary Analytics Overview dashboard for a comprehensive view of your security posture.

You can now directly measure the effectiveness of your IDE or MCP-based security efforts. By tracking vulnerabilities remediated early in the development lifecycle, you gain the data needed to prove the success of your security programs and validate your application security strategy.

To learn more, visit our Snyk User Documentation.


Sara Meadzinger | Staff Product Manager

Announcing Snyk CLI v1.1305.1

Fix

We are pleased to announce Snyk CLI release, v1.1305.1.

This release contains fixes and minor improvements. To learn more beyond what is highlighted below, please reference the full release notes.

This update includes the following:

  • Improved rate-limit handling: the CLI now respects the X-RateLimit-Reset header when it is rate limited by the API, so retries wait the correct amount of time. This improves the reliability of scans in high-volume and CI/CD environments.

  • Fixed vulnerabilities:

    • CVE-2026-39827

    • CVE-2026-39831

    • CVE-2026-33186 (IaC extensions)

If you have any questions, feel free to reach out to the Snyk support team. We encourage everyone to upgrade to the latest version to take advantage of these improvements.

Matt Dolan | Senior Product Manager


Announcing a new Snyk User Docs site structure!

Improved

We are excited to announce a redesign of the Snyk User Docs site, introducing a new structure built around site sections.

What's changed?

The docs are now reorganized into six clearly defined site sections:

  • Discover Snyk: An introduction to the platform, capabilities, and supported languages.

  • Platform administration: Settings, user management, Org configuration, and more.

  • Scan, fix, and prevent: Snyk core security scanning, fixing, and prevention workflows.

  • Developer tools: CLI, IDE integrations, related tooling, and more.

  • Agent security: Agentic and AI-powered security features.

  • Snyk data and governance: Data handling, compliance, and policies.

In addition, there are dedicated sections for Getting started guides and Implementation guides to support onboarding and deployment workflows.

Why have we made this change?

We know that it can be difficult to quickly understand where you are in the product ecosystem when searching for information, with docs feeling fragmented across products and feature areas. This update aims to align content with your real user workflows, reduce the cognitive load of finding information, and improve the overall experience when navigating the docs.

Natasha Ellingford | Senior Technical Writer


Snyk Code: June Update

Improved

We're expanding Snyk Code analysis for the .NET (C# and VB) ecosystem with broader detection across TLS configuration, cryptographic algorithms, and third-party crypto libraries. We built these improvements to surface a wider range of crypto-related security issues in .NET codebases while keeping false positives in check. Coverage extends across the standard library and the most common third-party crypto packages, so customers using BouncyCastle see the same depth of detection as native .NET code.

We're also expanding PHP coverage for SQL injection: Snyk Code now detects interfile taint flow when the SQL sink is wrapped in a database-access class. These improvements arrive with the June release on 15 June 2026.

What's changing

New TLS vulnerability detection for .NET (CWE-326)

Snyk Code now identifies insecure TLS protocol configuration across the most common .NET HTTP and network stacks: ServicePointManager, HttpClientHandler, WinHttpHandler, SocketsHttpHandler, Kestrel, and SslStream. Only TLS 1.2 and 1.3 are considered safe. Earlier protocols are flagged as vulnerable, including when they appear in bitwise flag combinations.
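As an added illustration (not Snyk's code or rule logic; the class and method names are invented, and a .NET version exposing the Tls13 enum members is assumed), here is the kind of configuration the new check is aimed at: an obsolete protocol left in a bitwise combination, beside the hardened form that allows only TLS 1.2 and 1.3.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Authentication;

// Added illustration of the configurations the new .NET TLS check targets;
// not Snyk's code or rule logic. Class and method names are invented.
public static class TlsConfigExamples
{
    // BEFORE (flagged, CWE-326): TLS 1.0 stays enabled alongside TLS 1.2.
    // A bitwise combination that still admits an obsolete protocol is not safe.
    public static void LegacyProcessWideSettings()
    {
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls | SecurityProtocolType.Tls12;
    }

    // AFTER: only TLS 1.2 and TLS 1.3 are permitted process-wide.
    public static void HardenedProcessWideSettings()
    {
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13;
    }

    // BEFORE (flagged): per-handler override that re-enables TLS 1.1
    // on a SocketsHttpHandler, independent of any process-wide setting.
    public static HttpClient LegacyClient()
    {
        var handler = new SocketsHttpHandler();
        handler.SslOptions.EnabledSslProtocols = SslProtocols.Tls11 | SslProtocols.Tls12;
        return new HttpClient(handler);
    }

    // AFTER: explicit allow-list of the two versions considered safe.
    public static HttpClient HardenedClient()
    {
        var handler = new SocketsHttpHandler();
        handler.SslOptions.EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
        return new HttpClient(handler);
    }

    // AFTER, HttpClientHandler variant: the same allow-list via SslProtocols.
    public static HttpClient HardenedHttpClientHandler()
    {
        return new HttpClient(new HttpClientHandler
        {
            SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13
        });
    }
}
```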

Broader Insecure Cipher coverage for .NET (CWE-327)

Generalised cipher detection for C# and VB, with new third-party support via BouncyCastle. Algorithms now flagged: PAKE, Triple DES, DES, Skipjack, RC4, RC2, MD5, and SHA-1.

Expanded weak-key-size detection for .NET (CWE-326)

Native standard-library coverage added for ECDHE, ECDH, ECDSA, RSA, AES (GCM), HMAC-SHA1, HMAC-SHA2, and HMAC-SHA3 across Base, Windows, and Linux .NET types. Third-party support was added for DH and DHE (BouncyCastle), AES-XTS (BouncyCastle), and CMAC-AES (BouncyCastle).

Generalised crypto rule templates for .NET (CWE-326, CWE-327)

The InsecureCipher, TooSmallKeySize, and WeakEccCurve rules have been refactored into unified report templates.

PHP SQL injection interfile taint flow through wrapper classes (CWE-89)

Snyk Code now detects SQL injection where the sink is defined in a wrapper class (single level: caller → wrapper → mysql_query).

Important details to note

  • You may notice an increase in .NET vulnerability findings after the June release, particularly around TLS misconfiguration and weak cryptographic algorithms.

  • RC2 is reclassified from TooSmallKeySize to InsecureCipher. Customers with ignores or policies tied to specific rule keys should note the changed rule key (scope: .NET, C# and VB, only).

  • A small number of CryptoServiceProvider false positives related to read-only KeySize properties will no longer fire. These were never actionable in the first place (scope: .NET, C# and VB, only).

  • PHP customers may see new SQL injection findings after the June release, particularly in codebases that route database calls through wrapper classes.

To learn more, visit our Snyk User Documentation.


Nina Kanti | Senior Product Manager


Announcing Agent Fix: New Agentic Workflow & Model Upgrade

Improved

New Model & New Architecture

We're happy to announce we're upgrading Agent Fix to use the Claude family of models enhanced by Snyk's tooling and intelligence. This move delivers the following major improvements:

Security & Functional Enhancements

  • Agentic Retries: Our new workflow now detects where code suggestions deviate from security best practices. Instead of discarding the result, the system analyzes the failure and injects tailored guidance into the agent's subsequent attempts. 

  • Dynamic Few-Shot Prompting: We now use the same training set used to fine-tune our internal model to dynamically provide secure fix examples for the new model to follow. 

Expanded Support

  • Full Language Coverage: We will enable support for all Snyk Code languages on Day 1, removing previous limitations on language availability.

  • Comprehensive Rule Support: AI-powered fixes are now available for all supported rules and vulnerability types across the platform.

Measurable Impact

  • Golden Test Benchmark: Both Sonnet 4.6 and Opus 4.6 saw improved performance against Snyk’s Golden Test benchmark (72.4% to 82.5% and 74.6% to 85.4% respectively) with this new architecture vs. the models on their own.

Check out the blog for more details. This update started rolling out on May 26th and will reach 100% by end of day on May 28th.

David Alessi | Staff Product Manager

OWASP Top 10:2025 Support in Snyk API & Web

Improved

Snyk API & Web now supports the OWASP Top 10:2025 standard for compliance reporting. Users can generate compliance reports against either OWASP 2025 or OWASP 2021 — both versions remain available.

The OWASP Top 10 is the most widely referenced application security framework globally. It's used by enterprises for compliance programs, audit preparation, security training, and vulnerability prioritization.

The OWASP Top 10:2025 was officially published in November 2025 and is being adopted by enterprises, auditors, and compliance programs now. Organizations need their security tools to support the current standard for audit-ready compliance reports.

Without 2025 support, compliance teams face manual workarounds — exporting findings to spreadsheets and cross-referencing against the new standard — a time-consuming and error-prone process.


What changed in OWASP Top 10 2025:

  • Two new categories: A03 (Software Supply Chain Failures) and A10 (Mishandling of Exceptional Conditions)

  • Re-ranked categories: Security Misconfiguration moved from #5 to #2; Injection dropped from #3 to #5; Cryptographic Failures dropped from #2 to #4

  • SSRF reclassification: Server-Side Request Forgery is now classified under A01 (Broken Access Control) instead of having its own category

You can now generate compliance reports against either OWASP 2025 or OWASP 2021 directly from the Snyk API & Web interface — both versions remain available.

How to use:

  1. From the Scan Activity list or from your Scan details, click on the Reports button to expand it

  2. Select the OWASP version you need:

    • OWASP Top 10 2025 — for audits, compliance programs, or reporting against the current standard

    • OWASP Top 10 2021 — for historical comparisons or programs that haven't migrated to the 2025 edition yet

  3. Generate your report — all findings are automatically mapped to the selected standard

What you'll see:

  • Compliance reports are clearly labeled with the selected OWASP version

  • Versioned compliance labels throughout the product (target details, scan details, finding details) show which standard a finding is failing to comply with (e.g., OWASP 2025, OWASP 2021)

To learn more, visit Types of scan reports you can generate with Snyk API & Web in our user documentation.


Ana Pascoal | Product Manager
