Changelog
FixVibe scan-engine updates: new coverage, safety improvements, and accuracy improvements. Newest entries first.
May 18, 2026
- NEW electerm dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f, with version-based advisory evidence rather than exploit confirmation.
- NEW OpenCms dependency advisory check. GitHub repo scans can now flag Maven pom.xml files that pin or resolve org.opencms:opencms-core versions affected by CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, with version-based advisory evidence rather than XXE exploit confirmation.
May 17, 2026
- NEW FUXA hardcoded JWT secret check. Verified active scans can now confirm CVE-2025-69971 exposure on FUXA instances that still trust the vulnerable fallback JWT signing configuration.
- NEW CKAN DataStore SQL exposure check. Verified active scans can now confirm unauthenticated CKAN DataStore SQL access associated with CVE-2026-42031 and guide teams to patched CKAN release lines or safer DataStore configuration.
May 16, 2026
- NEW PDF.js dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow pdfjs-dist versions affected by CVE-2024-4367 / GHSA-wgrm-67xf-hhpq.
- NEW Active scans via REST API and MCP. Active scans can now be triggered from REST and MCP against verified domains that have been explicitly authorized from the dashboard. Authorization is revocable at any time.
- NEW Safer authorization levels for active scans. Domain authorization now distinguishes safer automated active checks from deeper active testing, so teams can automate the right level of verification for each domain.
- NEW First-use webhook for API/MCP active scans. A webhook can notify teams the first time an API/MCP-triggered active scan runs against a newly authorized domain.
- IMPROVED Improved Referrer-Policy findings. Missing or weak Referrer-Policy results now separate URL-referrer leakage from broad information exposure, show document-response evidence, and include generic plus static-host remediation guidance.
- IMPROVED Improved Permissions-Policy findings. Missing or weak Permissions-Policy results now show feature-level evidence, separate broad feature allowlists from missing hardening, and include generic plus static-host remediation guidance for common hosts, proxies, and app servers.
- IMPROVED Improved clickjacking header prompts. Missing X-Frame-Options findings now point agents to the CSP frame-ancestors directive as the modern protection, add Vercel/static SPA header guidance, and verify x-frame-options together with CSP.
- IMPROVED CSP header evidence and fix prompts improved. Missing-CSP reports now include clearer hosting and response context plus safer framework-aware remediation guidance.
- FIXED Vercel path-probe false positives reduced. FixVibe now requires stronger application-specific evidence before reporting exposed framework artifacts on deployments that rewrite unknown routes to the app shell.
- FIXED Compliance findings no longer carry misleading CWE labels. The legal-compliance check tagged "missing privacy policy" and "missing terms of service" with CWE-359 (exposure of private personal information), which does not describe the actual gap. These findings are now published without a CWE: they are compliance items, not classifiable security weaknesses.
May 15, 2026
- NEW Additional research-informed checks. FixVibe shipped more coverage based on recent vulnerability research and mapped duplicate topics to existing scanner modules where coverage already existed.
- NEW Repository secret-leak check. GitHub repo scans can now flag hardcoded provider keys and high-entropy secret-like values committed to the code, with masked evidence and the standard FixVibe rotation prompt included.
- NEW Vercel deployment protection check. Passive scans can now flag public *.vercel.app generated deployment URLs that respond without Vercel Deployment Protection, while existing header checks continue to audit CSP, HSTS, and browser hardening.
May 14, 2026
- NEW LiteLLM dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow LiteLLM versions affected by CVE-2026-42208 / GHSA-r75f-5x8p-qvmc.
- NEW LibreNMS dependency advisory check. GitHub repo scans can now flag Composer manifests that pin or allow LibreNMS versions affected by CVE-2024-51092 / GHSA-x645-6pf9-xwxw.
- IMPROVED Firebase rules detection improved. BaaS scans now detect more Firebase app shapes and use read-only evidence to identify risky public data exposure.
May 13, 2026
- NEW Repo Supabase RLS migration check. GitHub repo scans can now flag Supabase SQL migrations that create public tables without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
- NEW Supabase Storage posture check. Passive scans can now review public Supabase Storage buckets and anonymous object-listing exposure alongside existing RLS and key checks.
- NEW AI-generated code guardrail check. GitHub repo scans can now flag missing security automation around code scanning, secret scanning, dependency updates, and AI-agent instructions.
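The RLS migration check above can be approximated with a few lines of Python. The following is an added illustration, not FixVibe's own scanner code: it walks a Supabase migration set in filename (timestamp) order, records every table created in the public schema, and reports those for which no later statement leaves row level security enabled. It assumes unqualified table names land in public, and the regexes and sample migrations are constructed for this example rather than taken from any real project.

```python
"""Added example (not FixVibe's code): flag Supabase migrations that create
public tables without ever enabling row level security on them."""
import re
from typing import Dict, List

# Identifier: bare or double-quoted, optionally schema-qualified.
_IDENT = r"\"?[a-z_][a-z0-9_]*\"?"
_CREATE_RE = re.compile(
    r"create\s+table\s+(?:if\s+not\s+exists\s+)?"
    rf"(?:(?P<schema>{_IDENT})\.)?(?P<table>{_IDENT})",
    re.IGNORECASE,
)
_RLS_RE = re.compile(
    r"alter\s+table\s+(?:only\s+)?(?:if\s+exists\s+)?"
    rf"(?:(?P<schema>{_IDENT})\.)?(?P<table>{_IDENT})"
    r"\s+(?P<action>enable|disable)\s+row\s+level\s+security",
    re.IGNORECASE,
)
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)


def _norm(ident: str) -> str:
    return ident.strip('"').lower()


def find_public_tables_without_rls(migrations: Dict[str, str]) -> List[str]:
    """Return 'file:table' for each public table that is created somewhere in
    the migration set and does not end up with RLS enabled.

    Assumption: an unqualified table name is created in the public schema.
    """
    created: Dict[str, str] = {}  # table -> file that created it
    rls_on = set()
    # Supabase migrations are timestamp-prefixed, so sorted order is apply order.
    for filename in sorted(migrations):
        sql = _COMMENT_RE.sub("", migrations[filename])
        events = [(m.start(), "create", m) for m in _CREATE_RE.finditer(sql)]
        events += [(m.start(), m.group("action").lower(), m)
                   for m in _RLS_RE.finditer(sql)]
        for _, action, m in sorted(events, key=lambda e: e[0]):
            if _norm(m.group("schema") or "public") != "public":
                continue  # non-public schemas are out of scope for this check
            table = _norm(m.group("table"))
            if action == "create":
                created.setdefault(table, filename)
            elif action == "enable":
                rls_on.add(table)
            else:  # a later DISABLE undoes an earlier ENABLE
                rls_on.discard(table)
    return sorted(f"{f}:{t}" for t, f in created.items() if t not in rls_on)


# Constructed sample migration set (not from any real project).
SAMPLE_MIGRATIONS = {
    "20260501000000_init.sql": """
        create table public.profiles (id uuid primary key, email text);
        alter table public.profiles enable row level security;
        CREATE TABLE IF NOT EXISTS "public"."orders" (id bigint primary key);
        create table audit.events (id bigint);  -- not public, ignored here
    """,
    "20260502000000_api_keys.sql": """
        create table api_keys (id bigint, secret text);
        /* RLS for orders arrives one migration late, which is still fine */
        alter table only public.orders enable row level security;
    """,
    "20260503000000_regression.sql": """
        alter table public.profiles disable row level security;
    """,
}

if __name__ == "__main__":
    for finding in find_public_tables_without_rls(SAMPLE_MIGRATIONS):
        print("public table without RLS:", finding)
```

Running the sample reports profiles (created with RLS, then disabled by a later migration) and api_keys (never enabled); orders is clean because the ENABLE in a later file still counts.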
May 12, 2026
- NEW Repo web-app risk checklist. GitHub repo scans can now flag high-confidence OWASP-style code risks such as raw SQL interpolation, unsafe HTML sinks, credentialed wildcard CORS, disabled TLS verification, and weak JWT secret fallbacks.
- NEW Next.js middleware-bypass check. Active scans for verified domains can now confirm CVE-2025-29927 exposure on middleware-protected routes before reporting it, and reports include the standard FixVibe AI fix prompt for remediation.
May 9, 2026
- SECURITY Cross-origin scope hardening. Active scans and client-asset checks now stay within the authorized target scope and avoid carrying customer-provided credentials across cross-origin redirects.
- FIXED Supabase RLS check is now strictly read-only. Supabase posture checks now avoid write attempts and focus on safe exposure signals. Verified-domain active testing remains the boundary for deeper confirmation.
- IMPROVED Security-header findings now apply only to root HTML responses. A missing CSP, Permissions-Policy, X-Frame-Options or Referrer-Policy on a 204, a JSON API, a file download or a 404 no longer produces a finding. HSTS and X-Content-Type-Options are still evaluated on all responses.
- IMPROVED Auth-flow and rate-limit checks now require stronger evidence. FixVibe now reports these issues only when the application behavior clearly supports the finding, reducing noise from generic error pages and unsupported methods.
- IMPROVED File-upload findings tier by exploitability evidence. File-upload reports now separate low-confidence acceptance signals from stronger evidence of risky serving behavior, reducing over-severity on benign upload handlers.
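The response-scoping rule for security headers above, together with the earlier clickjacking note that a CSP frame-ancestors directive counts as protection even when X-Frame-Options is absent, comes down to a small decision function. The following is an added example, not FixVibe's scanner code: document-only headers (CSP, Permissions-Policy, clickjacking protection, Referrer-Policy) are evaluated only on successful HTML document responses, while HSTS and X-Content-Type-Options are evaluated on every response. The finding names, the "weak" Referrer-Policy set and the sample responses are constructed for this example.

```python
"""Added example (not FixVibe's code): scope security-header findings to the
responses they actually apply to."""
from typing import Dict, List

# Referrer-Policy values that still send the full URL cross-origin (constructed
# for this example; a real check may grade more values).
WEAK_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def _lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def is_html_document(status: int, headers: Dict[str, str]) -> bool:
    """True only for a successful response that the browser renders as a page:
    not 204/304, not an error page, not JSON, not a file download."""
    if status in (204, 304) or status >= 400:
        return False
    h = _lower_headers(headers)
    if "text/html" not in h.get("content-type", "").lower():
        return False
    return not h.get("content-disposition", "").lower().startswith("attachment")


def security_header_findings(scheme: str, status: int,
                             headers: Dict[str, str]) -> List[str]:
    """Return finding identifiers for one HTTP response."""
    h = _lower_headers(headers)
    findings: List[str] = []

    # Transport and sniffing headers apply to every response.
    if scheme == "https" and "strict-transport-security" not in h:
        findings.append("missing-hsts")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing-x-content-type-options")

    # Everything below is a document-level control: skip non-documents.
    if not is_html_document(status, headers):
        return findings

    csp = h.get("content-security-policy", "")
    if not csp.strip():
        findings.append("missing-csp")
    if "permissions-policy" not in h:
        findings.append("missing-permissions-policy")
    # frame-ancestors in CSP is the modern clickjacking control; report only
    # when neither it nor X-Frame-Options is present.
    if "frame-ancestors" not in csp.lower() and "x-frame-options" not in h:
        findings.append("missing-clickjacking-protection")
    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append("missing-referrer-policy")
    elif rp in WEAK_REFERRER_POLICIES:
        findings.append("weak-referrer-policy")
    return findings


# Constructed sample responses (not captured from any real site).
HTML_PAGE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "unsafe-url",
}
JSON_API = {"Content-Type": "application/json"}
DOWNLOAD = {"Content-Type": "text/html", "Content-Disposition": "attachment; filename=a.html"}

if __name__ == "__main__":
    print("html 200:", security_header_findings("https", 200, HTML_PAGE))
    print("json 200:", security_header_findings("https", 200, JSON_API))
    print("204:", security_header_findings("https", 204, {}))
    print("html 404:", security_header_findings("https", 404, {"Content-Type": "text/html"}))
```

The JSON, 204 and 404 responses only ever yield the two transport-level findings; the HTML page with a frame-ancestors directive but no X-Frame-Options is not flagged for clickjacking, while its unsafe-url Referrer-Policy is graded weak rather than missing.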
May 7, 2026
- FIXED Threat-intel listing accuracy improved. FixVibe now distinguishes real blocklist evidence from resolver diagnostics so threat-intel findings do not over-report on infrastructure-side lookup responses.
- NEW GitHub repository scans. Connect a repository and FixVibe checks the source for leaked Supabase service keys, Firebase admin tokens, risky workflow files and outdated dependencies, without ever loading your deployed site. See Scan types.
- NEW SAST checks for risky JavaScript. Repo scans now flag new Function() and setTimeout("string"): both are equivalent to eval() when they receive untrusted input.
- FIXED False "exposed file" findings on Vercel / Cloudflare sites. Bare 403 Forbidden responses are no longer reported as "file exists": most edge providers return 403 for suspicious paths whether or not the file exists. We now require a positive HTTP signal before reporting.
- FIXED Repo-code false positives reduced. Repo scans now avoid flagging security terms in comments, documentation, test helpers, and clearly server-only contexts for several high-signal code checks.
- FIXED A Supabase anon key in localStorage is no longer reported as a JWT-in-storage finding: the anon key is the client token intended to be public. Real service-role tokens in browser storage are now critical with a clearer title.
- FIXED CSP weakness detection improved. Content-Security-Policy checks now catch more permissive source policies while keeping evidence and remediation focused on the effective browser policy.
- FIXED Reflected-XSS check tightened. Active scans now require stronger reflection evidence before reporting executable-context risk, reducing false positives from unrelated markup on the page.
- FIXED Domain verification now handles apex → www redirects correctly and states more clearly which value to put in the Host field of the TXT record.
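The JavaScript SAST entry and the false-positive entry above describe one check from two sides: find the eval-like sinks, but do not fire on comments or test helpers. As an added example (not FixVibe's own SAST code), the Python below scans a JavaScript source string line by line for new Function() and for setTimeout/setInterval whose first argument is a string literal, skipping comment lines and files under test directories. The regexes, the test-path convention and the sample source are constructed for this example; a production check would use a real parser rather than line regexes.

```python
"""Added example (not FixVibe's code): line-level detection of eval-like
JavaScript sinks with comment and test-file suppression."""
import re
from typing import List, Tuple

# `new Function(...)` compiles its last argument as code, like eval().
_NEW_FUNCTION_RE = re.compile(r"\bnew\s+Function\s*\(")
# A timer whose first argument starts with a string literal is compiled as
# code by the browser; a function callback (arrow, identifier) is not matched.
_TIMER_STRING_RE = re.compile(r"\b(setTimeout|setInterval)\s*\(\s*['\"`]")
# Lines that are entirely a comment (// ..., /* ..., or a * continuation).
_COMMENT_LINE_RE = re.compile(r"^\s*(//|/\*|\*)")
# Test-helper paths are skipped entirely (convention assumed for this example).
_TEST_PATH_RE = re.compile(r"(^|/)(test|tests|__tests__|spec)/|\.(test|spec)\.[jt]sx?$")


def find_eval_like_sinks(path: str, source: str) -> List[Tuple[int, str]]:
    """Return (line number, sink kind) for each risky call outside comments."""
    if _TEST_PATH_RE.search(path):
        return []
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _COMMENT_LINE_RE.match(line):
            continue
        if _NEW_FUNCTION_RE.search(line):
            hits.append((lineno, "new Function()"))
        if _TIMER_STRING_RE.search(line):
            hits.append((lineno, "timer with string argument"))
    return hits


# Constructed sample source (not from any real repository).
SAMPLE_JS = """// new Function() is only mentioned in this comment
const handler = new Function("payload", userInput);
setTimeout(() => tick(), 1000);
setTimeout("render(" + params + ")", 0);
const delay = setInterval(poll, 5000);
"""

if __name__ == "__main__":
    for lineno, kind in find_eval_like_sinks("src/app.js", SAMPLE_JS):
        print(f"src/app.js:{lineno}: {kind}")
```

On the sample, line 1 is suppressed as a comment, lines 2 and 4 are reported, and the callback-based timers on lines 3 and 5 are not; the same source under src/__tests__/ yields nothing.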
Format
Each entry is labelled so you can skim quickly:
- NEW A new check, surface or feature.
- IMPROVED Existing behaviour got better: more accurate, faster, clearer.
- FIXED A bug we shipped and then fixed.
- SECURITY Hardening, vulnerability fixes or compliance changes.
See something broken that is not listed here? Write to support@fixvibe.app.
