Enterprise TruRisk™ Platform Release 10.38 API
March 6, 2026
In the API Release Notes, <qualys_base_url> is used as a sample API request to represent the API server URL. To learn more about the API server URL for your environment, refer to the Know Your Qualys API Server URL section.
API versioning is supported across Qualys APIs. To learn more about versioning standards and deprecation timelines, refer to the Updates on API Versioning Standards & Deprecation Timelines blog.
Qualys Vulnerability Management (VM)
Extended SNMPv3 Algorithm Support in API Versions 2.0 and 3.0
With this release, we have expanded SNMPv3 Authentication and Encryption algorithm support. The API validation logic is updated to recognize new algorithm values for creating or editing SNMPv3 authentication records across API versions 2.0 and 3.0.
This update provides greater flexibility and compatibility with a wider range of SNMPv3 implementations.
The following APIs now accept the expanded algorithm values.
| New or Updated API | Updated |
| API Endpoint | /api/2.0/fo/auth/snmp/, /api/3.0/fo/auth/snmp/ |
| Method | POST |
| DTD or XSD changes | No |
To support this improvement:
- The auth_alg parameter now recognizes the following new values in addition to the existing MD5 and SHA options:
  - SHA224
  - SHA256
  - SHA384
  - SHA512
- The priv_alg parameter now recognizes the following new values in addition to the existing DES and AES options:
  - AES128
  - AES192
  - AES192C
  - AES256
  - AES256C
The error messages in versions 2.0 and 3.0 are also updated to reflect the complete list of valid algorithms. Selecting Select with a username/password now triggers a validation error.
- The existing SNMPv3 records continue to display correctly.
- SNMP v1 and SNMP v2 configurations remain unchanged.
- Existing algorithms (MD5, SHA1, DES, AES) continue to function without change.
MHT Format Deprecated and Removed from Report APIs
With this release, we have removed support for the MHT report format from all report-related API endpoints. This change aligns with the deprecation of the MHT format following the end of Internet Explorer support.
What’s New
- Removed the MHT format from all report launch APIs.
- The output_format parameter now accepts only the following supported formats: PDF, HTML, ZIP, XML, and CSV (as applicable to the API version).
API calls that request the MHT format now return a validation error. If you re-run a report that was created in the MHT format, the format field is displayed as blank and must be updated to a supported format before launching the report.
- All supported formats (PDF, HTML, ZIP, XML, and CSV) continue to work without interruption.
- Existing reports saved in the MHT format can still be downloaded because no format selection is required during download.
Enhanced Password Change Rate Limit Functionality
| New or Updated API | Updated |
| API Endpoint | /msp/password_change.php, /api/2.0/fo/user/change_password/ |
| Method | POST |
| DTD or XSD changes | No |
With this release, the password change functionality enforces a rate limit of three password changes within a one-hour period. If an attempt exceeds this limit, an error is returned in the API response.
This rate limit applies in the following scenarios:
- When the Manager user changes the password of a sub-user using the MSP endpoint, /msp/password_change.php.
- When any user logs in to their subscription and changes their login password using the endpoint /api/2.0/fo/user/change_password/.
Sample - Change password of Sub User with MSP API
API Request
curl -s -S -H 'Requested-With:curl demo2' -u "<username>:<password>" "<qualys_base_url>/msp/password_change.php?user_logins=username&email=0"
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE PASSWORD_CHANGE_OUTPUT SYSTEM "<qualys_base_url>/password_change_output.dtd">
<PASSWORD_CHANGE_OUTPUT>
<API name="password_change.php" username="xxx" at="2026-02-24T09:30:55Z" />
<RETURN status="FAILED" number="1905">
<MESSAGE><![CDATA[Invalid value for 'user_logins' : username. You’ve reached the maximum number of password reset attempts. Try again in 45 minutes to keep your account secure.]]></MESSAGE>
</RETURN>
</PASSWORD_CHANGE_OUTPUT>
Sample - Change Password of your subscription
API Request
curl --location '<qualys_base_url>/api/2.0/fo/user/change_password/index.php' \
--header 'X-Requested-With: test' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic Encoded username:passwordstring' \
--data '{
"newPassword": "xxxxxxx"
}'
API Response
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "<qualys_base_url>/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
<RESPONSE>
<DATETIME>2026-02-25T05:51:34Z</DATETIME>
<CODE>1905</CODE>
<TEXT>You’ve reached the maximum number of password reset attempts. Try again in 60 minutes to keep your account secure.</TEXT>
</RESPONSE>
</SIMPLE_RETURN>
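A client-side check for the rate-limit responses shown above, as an added example that is not Qualys code: it parses both response shapes and extracts the wait time so that automation backs off instead of retrying. The function and class names, the placeholder DTD host, and the reliance on the message wording from the samples are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

# Wording taken from the two sample responses on this page; treating it as
# the stable marker of a rate-limit rejection is an assumption.
_RETRY = re.compile(r"maximum number of password reset attempts\. Try again in (\d+) minutes")

class RateLimited(NamedTuple):
    code: str
    retry_after_minutes: int

def check_rate_limit(xml_text: str) -> Optional[RateLimited]:
    """Return RateLimited if the response is a rate-limit rejection, else None."""
    # Parse as bytes so the encoding declaration is honoured; the stdlib
    # parser does not fetch the external DTD named in the DOCTYPE.
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    if root.tag == "PASSWORD_CHANGE_OUTPUT":   # /msp/password_change.php
        ret = root.find("RETURN")
        code = ret.get("number", "") if ret is not None else ""
        text = ret.findtext("MESSAGE", "") if ret is not None else ""
    elif root.tag == "SIMPLE_RETURN":          # /api/2.0/fo/user/change_password/
        code = root.findtext("RESPONSE/CODE", "")
        text = root.findtext("RESPONSE/TEXT", "")
    else:
        raise ValueError(f"unexpected root element: {root.tag}")
    # The MSP sample prefixes the message with "Invalid value for ...", so
    # match on the message text rather than on the code alone.
    m = _RETRY.search(text)
    return RateLimited(code, int(m.group(1))) if m else None

# Constructed samples modelled on the responses above (placeholder host).
MSP_SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE PASSWORD_CHANGE_OUTPUT SYSTEM "https://qualys.example.invalid/password_change_output.dtd">
<PASSWORD_CHANGE_OUTPUT>
<API name="password_change.php" username="xxx" at="2026-02-24T09:30:55Z" />
<RETURN status="FAILED" number="1905">
<MESSAGE><![CDATA[Invalid value for 'user_logins' : username. You’ve reached the maximum number of password reset attempts. Try again in 45 minutes to keep your account secure.]]></MESSAGE>
</RETURN>
</PASSWORD_CHANGE_OUTPUT>"""
V2_SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<SIMPLE_RETURN><RESPONSE>
<DATETIME>2026-02-25T05:51:34Z</DATETIME><CODE>1905</CODE>
<TEXT>You’ve reached the maximum number of password reset attempts. Try again in 60 minutes to keep your account secure.</TEXT>
</RESPONSE></SIMPLE_RETURN>"""

if __name__ == "__main__":
    for name, sample in (("msp", MSP_SAMPLE), ("v2", V2_SAMPLE)):
        print(name, check_rate_limit(sample))
```

A non-None result is also worth logging: repeated rate-limit rejections for the same account are a signal to review who is requesting the password changes.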
New Region Codes Added for EC2 Scan Launch API
The EC2 scan launch API now supports additional AWS region codes to align with AWS’ recently added regions. These updates ensure that API calls using these region codes no longer trigger validation errors.
All supported API versions now accept the following region codes:
- ap-south-2
- ap-southeast-3
- ap-southeast-4
- ca-west-1
- eu-central-2
- me-central-1
- eu-south-2
- il-central-1
Passing any of the above region codes in the region_code parameter is now fully supported.
This enhancement eliminates region-based validation failures for newly added AWS regions.
Qualys Policy Compliance (PC)
For the list of features and improvements made in Policy Compliance/Policy Audit, refer to the Policy Audit API Release Notes for Release 1.9.
Issues Addressed
The following reported and notable customer issues are fixed in this release:
| Component/Category | Application | Description |
| VM - Scan API | Vulnerability Management | When users executed the scheduled scan API endpoint /api/5.0/fo/schedule/scan/ with the filter active=1 to list all active scheduled scans, the API response did not return all active scans. Relevant code changes have been made to fix the issue. Now, when you execute this endpoint with an active=1 request, the response includes records with active=1, active=2, and active=3. This update ensures that all relevant active statuses are returned in a single response. |
| Apps - VM | Vulnerability Management | When users executed the Dynamic Search List (SL) listing API, the QAPI servers experienced high memory consumption because the API attempted to load excessive amounts of data from the QID service, causing long runtimes, timeouts, and eventually out‑of‑memory (OOM) failures. To address this issue, the API has been optimized to request only the essential data needed for Dynamic SL output, significantly reducing memory and space usage. With this fix, the Dynamic SL listing API now returns the expected vulnerability details for subscriptions of any size without overloading the system, and related reports or APIs remain unaffected by this change. |