Fetching latest headlines…
Waymap v7.2.1: Thread-Safe Results, Hardened Security, and a Dozen Bug Fixes
NORTH AMERICA
🇺🇸 United StatesJuly 3, 2026

Waymap v7.2.1: Thread-Safe Results, Hardened Security, and a Dozen Bug Fixes

0 views0 likes0 comments
Originally published byDev.to

Author: Trix Cyrus

[🔹 Try My] Waymap Pentesting Tool

[🔹 Follow] TrixSec GitHub

[🔹 Join] TrixSec Telegram

Waymap v7.2.1 Released

Waymap is an open-source web vulnerability scanner for authorized security testing. It automates SQLi, XSS, RCE, LFI, CORS, CRLF, Open Redirect, API, Recon, Misconfiguration, and WordPress security checks with session-based results, multi-threading, crawling, authentication, and reporting.

Today we're releasing Waymap v7.2.1, a release focused entirely on stability, security hardening, and bug fixes.

No new scan types this time. Instead, we revisited every module to improve reliability and ensure they behave correctly under real-world conditions.

Why This Release Matters

Waymap v7.2.0 introduced:

  • Google Dork Discovery
  • WPScan Profiles
  • RCE Scanning
  • Secrets Management

After testing against real targets and incorporating community feedback, we identified several issues ranging from multi-threaded data races to SQL injection payload handling bugs.

v7.2.1 fixes them all.

What's Changed

Thread-Safe Result Saving

The biggest change is the introduction of a new ResultManager with file locking.

Previously, concurrent writes from multiple scanning threads could corrupt session JSON files.

Now every scanner uses the centralized ResultManager:

  • SQLi
  • XSS
  • LFI
  • CMDi
  • RCE
  • SSTI
  • CORS
  • CRLF
  • Open Redirect
  • Advanced
  • WPScan
  • Recon/Misconfiguration

Result writes are now properly synchronized.

Secure XML Parsing

The SQLi and CMDi scanners load payload definitions from XML files.

Previous releases used Python's built-in xml.etree.ElementTree, which is susceptible to XXE (XML External Entity) attacks if payload files are modified.

Waymap now uses:

  • defusedxml

which blocks XXE attacks by default.

The dependency has been added to requirements.txt.

SQL Injection Improvements

Boolean-based SQLi

Previously payloads were appended to the end of URLs instead of replacing actual parameter values.

This meant the scanner was testing incorrect requests.

Fixed.

Error-based SQLi

Single quotes were being stripped from payloads before injection, breaking quote-dependent payloads.

Removed.

Time-based SQLi

A baseline response time is now measured before testing.

This significantly reduces false positives caused by naturally slow servers.

CRLF Detection

Previously only HTTP response headers were checked.

Now Waymap checks:

  • Response headers
  • Response body

allowing more injection points to be detected.

Open Redirect

Redirect detection previously relied on external curl.

This caused failures on Windows systems without curl installed.

Waymap now uses Python Requests with:

allow_redirects=False

making the scanner fully cross-platform.

CMDi URL Handling

Payload injection previously relied on string replacement.

URLs containing multiple parameters or encoded characters could break.

Waymap now rebuilds URLs using proper query-string parsing.

Report Loading

A path resolution bug prevented reports from loading session JSON files.

This has been fixed for every supported report format:

  • HTML
  • CSV
  • Markdown
  • PDF

Other Fixes

  • Config paths now resolve from the project root instead of os.getcwd()
  • Fixed incorrect WAF detection import path
  • Improved Unicode rendering on Windows (no mojibake)

Installation

pip install waymap==7.2.1

Or install from source:

git clone https://github.com/TrixSec/waymap.git

cd waymap

pip install -r requirements.txt

python waymap.py --help

Quick Start

SQL Injection Scan

waymap --target "https://example.com/page?id=1" --scan sqli

Full Scan

waymap \
  --target https://example.com \
  --scan all \
  --crawl 2 \
  --threads 4 \
  --no-prompt \
  --report-format html,csv \
  --output-dir reports

Interactive Mode

waymap

Links

If you find Waymap useful, consider ⭐ starring the GitHub repository.

Bug reports, feature requests, and pull requests are always welcome.

Disclaimer

Waymap is intended for authorized security testing and educational purposes only.

Only scan systems that you own or have explicit permission to test.

~TrixSec

Comments (0)

Sign in to join the discussion

Be the first to comment!