FixVibe


Changelog

FixVibe scan-engine updates: new coverage, safety improvements, and accuracy improvements. Newest entries first.

May 18, 2026

  • NEW electerm dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f, with version-based advisory evidence rather than exploit confirmation.
  • NEW OpenCms dependency advisory check. GitHub repo scans can now flag Maven pom.xml files that pin or resolve org.opencms:opencms-core versions affected by CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, with version-based advisory evidence rather than XXE exploit confirmation.

May 17, 2026

  • NEW FUXA hardcoded JWT secret check. Verified active scans can now confirm CVE-2025-69971 exposure on FUXA instances that still trust the vulnerable fallback JWT signing configuration.
  • NEW CKAN DataStore SQL exposure check. Verified active scans can now confirm unauthenticated CKAN DataStore SQL access associated with CVE-2026-42031 and guide teams to patched CKAN release lines or safer DataStore configuration.

May 16, 2026

  • NEW PDF.js dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow pdfjs-dist versions affected by CVE-2024-4367 / GHSA-wgrm-67xf-hhpq.
  • NEW Active scans via REST API and MCP. Active scans can now be triggered from REST and MCP against verified domains that have been explicitly authorized from the dashboard. Authorization is revocable at any time.
  • NEW Safer authorization levels for active scans. Domain authorization now distinguishes safer automated active checks from deeper active testing, so teams can automate the right level of verification for each domain.
  • NEW First-use webhook for API/MCP active scans. A webhook can notify teams the first time an API/MCP-triggered active scan runs against a newly authorized domain.
  • IMPROVED Referrer-Policy findings improved. Missing or weak Referrer-Policy findings now distinguish URL-referrer leakage from broader information exposure, include document-response evidence, and provide generic plus static-host fix guidance.
  • IMPROVED Permissions-Policy findings improved. Missing or weak Permissions-Policy findings now include feature-level evidence, distinguish broad feature allowlists from missing hardening, and provide generic plus static-host fix guidance for Vercel, Netlify, Cloudflare Pages, proxies, and app servers.
  • IMPROVED Clickjacking header prompts improved. Missing X-Frame-Options findings now explain that CSP frame-ancestors is the modern control, include Vercel/static SPA header guidance, and verify x-frame-options alongside CSP.
  • IMPROVED CSP header evidence and fix prompts improved. Missing-CSP reports now include clearer hosting and response context plus safer framework-aware remediation guidance.
  • FIXED Vercel path-probe false positives reduced. FixVibe now requires stronger application-specific evidence before reporting exposed framework artifacts on deployments that rewrite unknown routes to the app shell.
  • FIXED Compliance findings no longer carry misleading CWE tags. The legal-compliance check previously tagged "missing privacy policy" and "missing terms of service" findings with CWE-359 (PII exposure), which doesn't describe the actual gap. Those findings now ship without a CWE — they're compliance/governance items, not classifiable security weaknesses.

May 15, 2026

  • NEW Additional research-informed checks. FixVibe shipped more coverage based on recent vulnerability research and mapped duplicate topics to existing scanner modules where coverage already existed.
  • NEW Repository secret leak check. GitHub repo scans can now flag hardcoded provider keys and high-entropy secret-like values committed to source, with evidence masked and the standard FixVibe rotation prompt included.
  • NEW Vercel deployment protection check. Passive scans can now flag public *.vercel.app generated deployment URLs that respond without Vercel Deployment Protection, while existing header checks continue to audit CSP, HSTS, and browser hardening.

May 14, 2026

  • NEW LiteLLM dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow LiteLLM versions affected by CVE-2026-42208 / GHSA-r75f-5x8p-qvmc.
  • NEW LibreNMS dependency advisory check. GitHub repo scans can now flag Composer manifests that pin or allow LibreNMS versions affected by CVE-2024-51092 / GHSA-x645-6pf9-xwxw.
  • IMPROVED Firebase rules detection improved. BaaS scans now detect more Firebase app shapes and use read-only evidence to identify risky public data exposure.

May 13, 2026

  • NEW Repo Supabase RLS migration check. GitHub repo scans can now flag Supabase SQL migrations that create public tables without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
  • NEW Supabase Storage posture check. Passive scans can now review public Supabase Storage buckets and anonymous object-listing exposure alongside existing RLS and key checks.
  • NEW AI-generated code guardrail check. GitHub repo scans can now flag missing security automation around code scanning, secret scanning, dependency updates, and AI-agent instructions.
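The Supabase RLS migration check above, rebuilt as a small added example (this is illustrative code, not FixVibe's scanner): it walks a migration file, collects tables created in the public schema, and reports any that never receive an ENABLE ROW LEVEL SECURITY statement (or have it DISABLEd again later). The sample migration is constructed for the example.

```python
import re

# Constructed sample migration in the style of a Supabase SQL migration (not from any real project).
SAMPLE_MIGRATION = """
create table public.profiles (id uuid primary key, email text);
alter table public.profiles enable row level security;

CREATE TABLE IF NOT EXISTS "public"."orders" (id bigint primary key, user_id uuid);
create table invoices (id bigint primary key);   -- unqualified name: defaults to public
create table auth_internal.sessions (id uuid);    -- non-public schema, out of scope
ALTER TABLE ONLY public.invoices DISABLE ROW LEVEL SECURITY;
"""

# Matches CREATE TABLE [IF NOT EXISTS] [schema.]table, with optional double-quoted identifiers.
CREATE_RE = re.compile(
    r"\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?"
    r'(?:(?P<schema>"?\w+"?)\s*\.\s*)?(?P<table>"?\w+"?)',
    re.IGNORECASE,
)
# Matches ALTER TABLE [ONLY] [schema.]table ENABLE|DISABLE ROW LEVEL SECURITY.
RLS_RE = re.compile(
    r'\balter\s+table\s+(?:only\s+)?(?:(?P<schema>"?\w+"?)\s*\.\s*)?(?P<table>"?\w+"?)'
    r"\s+(?P<action>enable|disable)\s+row\s+level\s+security",
    re.IGNORECASE,
)


def _strip_line_comments(sql):
    return re.sub(r"--[^\n]*", "", sql)


def _norm(identifier):
    return identifier.strip('"').lower()


def find_public_tables_without_rls(sql):
    """Return public-schema tables created in `sql` that end up without RLS enabled."""
    sql = _strip_line_comments(sql)
    created = []
    for m in CREATE_RE.finditer(sql):
        if _norm(m.group("schema") or "public") == "public":
            created.append(_norm(m.group("table")))
    enabled = set()
    for m in RLS_RE.finditer(sql):           # statements are visited in file order
        if _norm(m.group("schema") or "public") != "public":
            continue
        table = _norm(m.group("table"))
        if m.group("action").lower() == "enable":
            enabled.add(table)
        else:
            enabled.discard(table)           # a later DISABLE undoes an earlier ENABLE
    return [t for t in created if t not in enabled]
```

Running it over the sample reports `orders` (never enabled) and `invoices` (explicitly disabled), while `profiles` and the non-public `sessions` table are not flagged.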

May 12, 2026

  • NEW Repo web-app risk checklist. GitHub repo scans can now flag high-confidence OWASP-style code risks such as raw SQL interpolation, unsafe HTML sinks, credentialed wildcard CORS, disabled TLS verification, and weak JWT secret fallbacks.
  • NEW Next.js middleware-bypass check. Active scans for verified domains can now confirm CVE-2025-29927 exposure on middleware-protected routes before reporting it, and reports include the standard FixVibe AI fix prompt for remediation.

May 9, 2026

  • SECURITY Cross-origin scope hardening. Active scans and client-asset checks now stay within the authorized target scope and avoid carrying customer-provided credentials across cross-origin redirects.
  • FIXED Supabase RLS check is now strictly read-only. Supabase posture checks now avoid write attempts and focus on safe exposure signals. Verified-domain active testing remains the boundary for deeper confirmation.
  • IMPROVED Security-header findings only apply to root HTML responses. Missing CSP, Permissions-Policy, X-Frame-Options, or Referrer-Policy on a 204, JSON API, file download, or 404 no longer produces a finding. HSTS and X-Content-Type-Options still grade across all responses.
  • IMPROVED Auth-flow and rate-limit checks now require stronger evidence. FixVibe now reports these issues only when the application behavior clearly supports the finding, reducing noise from generic error pages and unsupported methods.
  • IMPROVED File-upload findings tier by exploitability evidence. File-upload reports now separate low-confidence acceptance signals from stronger evidence of risky serving behavior, reducing over-severity on benign upload handlers.
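The header-applicability rule from the security-header entry above, written out as an added example (illustrative code, not FixVibe's): document-level headers are graded only on a successful HTML document, while HSTS and X-Content-Type-Options are graded on every response. The sample responses are constructed; treating a 200 with a Content-Disposition attachment as a "file download" is an assumption made here.

```python
# Headers whose absence only matters on a navigable HTML document.
DOCUMENT_HEADERS = (
    "content-security-policy",
    "permissions-policy",
    "x-frame-options",
    "referrer-policy",
)
# Headers that are graded on every response, regardless of status or body type.
TRANSPORT_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
)


def is_html_document(status, headers):
    """True for a 200 HTML document; False for 204s, JSON/API bodies, downloads, and error pages.
    `headers` keys must already be lower-cased."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    disposition = headers.get("content-disposition", "").strip().lower()
    return (
        status == 200
        and ctype in ("text/html", "application/xhtml+xml")
        and not disposition.startswith("attachment")  # assumption: downloads are not documents
    )


def missing_security_headers(status, headers):
    """Return the security headers whose absence is reportable for this response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in TRANSPORT_HEADERS if h not in lowered]
    if is_html_document(status, lowered):
        missing += [h for h in DOCUMENT_HEADERS if h not in lowered]
    return missing


# Constructed responses covering each case named in the changelog entry.
SAMPLE_RESPONSES = {
    "root_html": (200, {"Content-Type": "text/html; charset=utf-8",
                        "Strict-Transport-Security": "max-age=63072000; includeSubDomains"}),
    "json_api": (200, {"Content-Type": "application/json"}),
    "no_content": (204, {}),
    "download": (200, {"Content-Type": "text/html",
                       "Content-Disposition": "attachment; filename=report.html"}),
    "not_found": (404, {"Content-Type": "text/html"}),
}
```

Only the `root_html` response yields the four document-level findings; the other four responses produce findings for HSTS and X-Content-Type-Options alone.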

May 7, 2026

  • FIXED Threat-intel listing accuracy improved. FixVibe now distinguishes real blocklist evidence from resolver diagnostics so threat-intel findings do not over-report on infrastructure-side lookup responses.
  • NEW GitHub repo scans. Connect a repo and FixVibe checks the source for leaked Supabase service keys, Firebase admin tokens, risky workflow files, and outdated dependencies — without ever loading your deployed site. See Scan types.
  • NEW SAST checks for risky JavaScript. Repo scans now flag new Function() and setTimeout("string") — both equivalent to eval() when fed untrusted input.
  • FIXED False “exposed file” findings on Vercel / Cloudflare sites. Bare 403 Forbidden responses are no longer reported as “file exists” — most edge providers return 403 for suspicious-looking paths whether the file is there or not. We now require a positive HTTP signal before flagging.
  • FIXED Repo-code false positives reduced. Repo scans now avoid flagging security terms in comments, documentation, test helpers, and clearly server-only contexts for several high-signal code checks.
  • FIXED Supabase anon key in localStorage no longer reports as a JWT-in-storage finding — the anon key is the publicly-intended client token. Real service-role tokens in browser storage are now critical with a clearer title.
  • FIXED CSP weakness detection improved. Content-Security-Policy checks now catch more permissive source policies while keeping evidence and remediation focused on the effective browser policy.
  • FIXED Reflected-XSS check tightened. Active scans now require stronger reflection evidence before reporting executable-context risk, reducing false positives from unrelated markup on the page.
  • FIXED Domain verification handles apex ↔ www redirects correctly and is clearer about which value goes in the TXT-record Host field.

Format

Each entry is tagged so you can skim:

  • NEW A new check, surface, or feature.
  • IMPROVED Existing behaviour got better — more accurate, faster, clearer.
  • FIXED A bug we shipped and then squashed.
  • SECURITY Hardening, vulnerability fixes, or compliance changes.

Spot something that broke and isn't logged here? Email support@fixvibe.app.
