• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Fixed: Handling of parameter names containing non-ASCII characters.
• Fixed: Handling of non-ASCII characters in URLs to ensure proper request encoding.
• Revised: Refactored with improved page decompression and safer HTTP response handling.
• Revised: Refactored OS looping to respect user-specified targets or automatically iterate over supported OSes if none are specified or detected.
• Revised: Refactored User-Agent strings to be loaded from external files rather than being hardcoded.
• Revised: Improved handling of URL redirections and associated HTTP responses.
• Revised: Improved prompts when merging or applying server-set cookies.
• Added: New switch --http1.0 to force all outgoing requests to use HTTP/1.0 protocol.
• Revised: Enhanced validation of user-specified parameters by detecting and reporting those that are not part of any recognized testable source.
• Revised: Enhanced injection logic with better handling of custom injection marker (i.e. asterisk *) and improved tracking of tested parameters.
• Revised: Improved detection of custom injection marker (i.e. asterisk *) across HTTP input vectors (e.g., URL params, POST data, cookies, headers).
• Revised: Improved heuristics for processing custom HTTP headers to correctly handle injection markers (i.e. asterisk *).
• Revised: Enhanced target encoding detection with improved charset extraction and prioritization from HTTP headers and HTML meta tags.
• Added: Ability to verify target URL content stability by comparing responses across delayed requests.
• Revised: Improved session handler for enhanced stability and data integrity.
• Revised: Improved semiblind ("file-based") technique with filename customization prompt (random or user-defined).
• Fixed: Improved handling of non-ASCII characters in URL path and query components.
• Fixed: Improved handling of HTTP errors missing response codes during authentication.
• Fixed: Improved handling of URLError without HTTP response.
• Fixed: Minor bug fix for missing .txt files during setup/install.
• Revised: Minor code refactoring to enhance the authentication process with detailed HTTP traffic inspection.
• Fixed: Improved handling of terminal input to prevent encoding errors.
• Fixed: Minor bug-fix in parsing improperly padded Base64 in Authorization headers.
• Revised: Minor code refactoring to enhance file I/O reliability.
• Revised: Minor code refactoring to ensure compliance with PEP 440 versioning standards.
• Revised: Improved key transformation for nested structures using bracket notation and dot syntax.
• Fixed: Minor bug-fix in parsing improperly escaped characters in JSON objects.
• Fixed: Minor bug-fix in parsing empty or invalid JSON object.
• Added: New tamper script "randomcase.py" that replaces each character in a user-supplied OS command with a random case.
• Revised: Minor code refactoring regarding multiple tamper scripts.
• Revised: Minor code refactoring regarding payloads for time-related techniques (i.e. "time-based", "tempfile-based").
• Revised: Improvement regarding tamper script "backticks.py" for supporting time-related techniques (i.e. "time-based", "tempfile-based").

Note: For more check the detailed changeset.

• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Revised: Minor bug-fix regarding tamper script "backticks.py"
• Revised: Improvements regarding shell options reverse_tcp, bind_tcp.
• Revised: Major code refactoring regarding session handler.
• Revised: Minor improvement regarding options --prefix, --suffix.
• Revised: Improvement regarding writing text to the stdout (console) stream.
• Fixed: Minor bug-fix regarding combining custom injection marker (i.e. asterisk *) with -p option.
• Revised: Improvement regarding specifying multiple injection points by appending custom injection marker (i.e. asterisk *).
• Fixed: Minor bug-fix regarding crawler (i.e. option --crawl).
• Updated: Six (third party) module has been updated (Python 3.12 support).
• Revised: Minor improvement regarding determining (passively) the target's underlying operating system.
• Revised: Minor improvement for enabling end-users to choose whether to skip or continue testing the remaining parameters, if one is found vulnerable.
• Revised: Minor improvements regarding semiblind (i.e. "file-based") technique.
• Fixed: Minor bug-fix regarding option --output-dir.
• Revised: Improvement regarding option --skip for excluding certain parameter(s) from testing.
• Revised: Improvement regarding specifying which parameter(s) to test (i.e. -p option).
• Revised: Improvement regarding processing / ignoring custom injection marker (i.e. asterisk *).
• Revised: Improvement regarding forcing usage of provided HTTP method (e.g. PUT).
• Revised: Improvement regarding parsing raw HTTP request from a file (i.e. -r option).
• Revised: Improvement regarding parsing JSON nested objects.
• Revised: Improvement regarding (basic) heuristic detection of WAF/IPS protection.
• Revised: Improvement regarding option --ignore-code for ignoring multiple (problematic) HTTP error codes.
• Added: New option --abort-code for aborting on (problematic) HTTP error code(s) (e.g. 401)
• Added: New option --time-limit for running with a time limit in seconds (e.g. 3600).

Note: For more check the detailed changeset.

• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Revised: Minor improvement regarding logging user-supplied command(s) (i.e. --os-cmd option) to a file.
• Revised: Improvement regarding parsing HTTP requests through Tor HTTP proxy (i.e. --tor switch).
• Added: New (hidden) option --ignore-stdin regarding ignoring STDIN input. (via @n00b-bot)
• Revised: Minor improvement regarding successfully completing the scanning process (i.e. in case that parameters with anti-CSRF tokens are omitted). (via @xerxoria)
• Revised: Minor improvement regarding Windows-based payloads for semiblind (i.e. "file-based") technique (i.e. command execution output).
• Revised: Minor improvement in semiblind (i.e. "file-based") technique, regarding defining the URL where the execution output of an injected payload is shown.
• Added: New switch --ignore-proxy to ignore the system default HTTP proxy.
• Revised: Minor improvement regarding parsing HTTP requests through HTTP proxy (i.e. --proxy option).
• Added: New switch --smart for conducting through tests only in case of positive heuristic(s).
• Added: Translation for README.md in Turkish. (via @Kazgangap)
• Revised: Minor improvement regarding parsing SOAP/XML POST data.

Note: For more check the detailed changeset.

• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Revised: Minor improvement regarding parsing raw HTTP request from a file (i.e. -r option).
• Revised: Minor improvement regarding dynamic code evaluation technique (i.e. command execution output).
• Added: Translation for README.md in Farsi(Persian) (via @verfosec)
• Fixed: Minor bug-fix regarding --skip-empty flag, for skipping the testing of the parameter(s) with empty value(s).
• Revised: Minor improvement regarding tamper script "uninitializedvariable.py", for adding randomly generated uninitialized bash variables between the characters of each command of the generated payloads.
• Revised: Minor improvement regarding skipping further tests involving target that an injection point has already been detected.
• Revised: Minor code refactoring regarding multiple tamper scripts (i.e. "backslashes.py", "dollaratsigns.py", "doublequotes.py", "singlequotes.py", "uninitializedvariable.py").
• Added: New tamper script "rev.py" that reverses (characterwise) the user-supplied operating system commands.
• Fixed: Minor bug-fix regarding checking for similarity in provided parameter(s) name(s) and value(s).
• Fixed: Minor bug-fix regarding forcing usage of SSL/HTTPS requests toward the target (i.e. --force-ssl flag).
• Fixed: Minor bug-fix regarding setting custom output directory path (i.e. --output-dir option).
• Added: Support for Bearer HTTP authentication type.
• Revised: Minor improvement regarding tamper script "xforwardedfor.py" (that appends a fake HTTP header X-Forwarded-For).
• Fixed: Minor bug-fix regarding not ignoring specified injection technique(s) when --ignore-session or --flush-session options are set.
• Replaced: The --dependencies option has been replaced with --ignore-dependencies, regarding ignoring all required third-party library dependencies.
• Added: New option --alert to run host OS command(s) when injection point is found.

Note: For more check the detailed changeset.

• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Added: Translation for README.md in Indonesian (via @galihap76)
• Revised: Improvements regarding parsing HTTP requests through HTTP proxy (i.e. --proxy option).
• Revised: Improvements regarding identifying injection marker (i.e. asterisk *) in provided parameter values (e.g. GET, POST or HTTP headers).
• Added: New option --crawl-exclude regarding setting regular expression for excluding pages from crawling (e.g. logout).
• Revised: Improvement regarding --crawl option, for skipping further tests involving target that an injection point has already been detected.
• Added: Support regarding combining --crawl option with scanning multiple targets given from piped-input (i.e. stdin).
• Revised: Minor improvement regarding adding PCRE /e modifier (i.e. dynamic code evaluation technique).
• Revised: Minor bug-fix regarding logging all HTTP traffic into a textual file (i.e. -t option).

Note: For more check the detailed changeset.

• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Revised: Improvements regarding dynamic code evaluation heuristic check.
• Revised: Minor improvement regarding session handler.
• Revised: Minor improvement regarding --wizard option.
• Added: New tamper script "printf2echo.py" that replaces the printf-based ASCII to Decimal printf "%d" "'$char'" with echo -n $char | od -An -tuC | xargs.
• Revised: Minor improvement regarding parsing HTTP requests through HTTP proxy (i.e. --proxy option).
• Revised: Minor improvement regarding handling HTTP Error 401 (Unauthorized).

Note: For more check the detailed changeset.

• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Revised: Improvements regarding Windows-based payloads for every supported technique.
• Revised: Improvement regarding alternative shell (i.e.--alter-shell) for generating Python 3x payloads.
• Removed: The deprecated modules "ICMP exfiltration" and "DNS exfiltration" have been removed.
• Revised: Improvement regarding identifying injection marker (i.e. asterisk) in provided options.
• Revised: Improvement regarding shellshock module.
• Added: Support regarding parsing target(s) from piped-input (i.e. stdin).
• Added: New option --answers to set user answers to asked questions during commix run.
• Added: Support regarding combining --crawl option with scanning multiple targets given in a textual file (i.e. via option -m).
• Added: Support for normalizing crawling results.
• Revised: Improvement regarding crawler.
• Revised: Minor bug-fix regarding --file-upload option.
• Revised: Minor improvement regarding identifying Hex and/or Base64 encoded parameter(s) value(s).
• Added: New option --no-logging for disabling logging to a file.
• Revised: Minor improvement regarding redirect handler.
• Updated: Minor update regarding scanning multiple targets given in a textual file (i.e. via option -m).
• Added: Support for heuristic detection regarding command injections.
• Revised: Ιmprovement regarding --level option, which not only adds more injection points (i.e. Cookies, HTTP headers) but also performs more tests for each injection point.
• Revised: Improvement regarding injecting into custom HTTP Header(s).

Note: For more check the detailed changeset.

• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Fixed: Bug-fix regarding forcing usage of provided HTTP method (e.g. PUT).
• Fixed: Bug-fix regarding parsing raw HTTP headers from a file (i.e. -r option).
• Fixed: Minor bug-fix regarding parsing JSON objects.
• Added: New option --drop-set-cookie for ignoring Set-Cookie HTTP header from response.
• Added: Support for checking for not declared cookie(s).
• Added: New (hidden) option --smoke-test that runs the basic smoke testing.
• Revised: Improvement regarding mechanism which nagging if used "dev" version is > 30 days old.
• Revised: Improvements regarding dynamic code evaluation heuristic check.
• Replaced: The --encoding option has been replaced with --codec.

Note: For more check the detailed changeset.

• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Fixed: Minor bug-fix regarding scanning multiple targets given in a textual file (i.e. via option -m).
• Removed: The "Regsvr32.exe application whitelisting bypass" attack vector has been removed.
• Updated: Minor update regarding web delivery script (i.e. Python meterpreter reverse TCP shell).
• Replaced: The --backticks switch has been replaced with "backticks.py" tamper script.
• Added: New tamper script "backticks.py" that uses backticks instead of $(), for commands substitution.
• Added: New option ( --skip-heuristic) for skipping dynamic code evaluation heuristic check.
• Added: Support for parsing custom wordlists regarding HTTP authentication (i.e. Basic, Digest) dictionary-based cracker.
• Revised: Improvements regarding dynamic code evaluation heuristic check.
• Fixed: Minor bug-fix regarding parsing SOAP/XML data via --data option.
• Revised: Minor improvement regarding parsing GraphQL JSON objects.
• Added: The .bat files command separator (i.e. %1a) has been added.
• Added: New option --method to force usage of provided HTTP method (e.g. PUT).

Note: For more check the detailed changeset.

• Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
• Added: New tamper script "slash2env.py" that replaces slashes (/) with environment variable value ${PATH%%u*}.
• Revised: Minor improvement regarding session handler for supporting Python 3.4+.
• Revised: Minor improvement regarding --web-root option.
• Added: New tamper script "uninitializedvariable.py" that adds uninitialized bash variables between the characters of each command of the generated payloads.
• Revised: Improvement regarding decompressing deflate, x-gzip and gzip HTTP responses.
• Fixed: Bug-fix regarding several charset-related unhandled exceptions.
• Revised: Improvements regarding dynamic code evaluation heuristic check.
• Fixed: Bug-fix regarding HTTP authentication (i.e. Basic, Digest) dictionary-based cracker.
• Fixed: Bug-fix regarding logging all HTTP traffic into a textual file.
• Revised: Improvement regarding crawler.
• Fixed: Multiple bug-fixes regarding supporting Python 3.9.
• Revised: Improvement regarding mechanism which nagging if used version is > 30 days old.
• Fixed: Multiple bug-fixes regarding the shellshock module.
• Revised: Improvement regarding Python 3.4+ for using the html.unescape() function for converting HTML entities to plain-text representations.
• Updated: Minor update regarding smartphones to imitate, through HTTP User-Agent header.
• Fixed: Bug-fix regarding setting suitable HTTP header User-Agent, when combining --random-agent or --mobile switch with -r option.
• Fixed: Bug-fix regarding Hex encoding/decoding.
• Added: New option ( --timeout) for setting a number of seconds to wait before timeout connection (default 30).
• Revised: Increased default timeout to 30 seconds.
• Fixed: Bug-fix regarding Basic HTTP authentication.
• Fixed: Bug-fix regarding connection problems (via @fuero).

Note: For more check the detailed changeset.