Changelog
FixVibe scanner engine updates: new coverage, safety improvements, and accuracy improvements. Newest entries first.
July 2, 2026
- FIXED: Legal-link false positives reduced. Privacy and terms links that are visible after client-side rendering now count correctly, so SPA footers are not reported as missing when users can see those links.
June 30, 2026
- NEW: Label Studio CVE-2025-47783 reflected XSS check. Verified active scans now flag Label Studio upload-example responses when target-specific label_config evidence shows raw HTML metacharacter reflection, without executing JavaScript, using victim sessions, reading tokens, or storing project data.
- NEW: AVideo CVE-2023-25313 / GHSA-pgvh-p3g4-86jw advisory. Repo scans flag affected wwbn/avideo Composer manifests and lockfiles below 12.4 with version-based evidence only; no AVideo login, video-link submission, video creation, request-delay checks, command execution, or runtime exploit claim.
- NEW: GL.iNet GL-MT3000 CVE-2026-11451 advisory. Verified active scans flag GL.iNet GL-MT3000 firmware 4.4.5 as version-based advisory evidence only; no router authentication, FTP-setting changes, file writes, command input, or command-execution claim.
- IMPROVED: Schneider Modicon M221 remote-reboot coverage. The existing passive Modicon M221 firmware check now correlates strong public HTTP product and firmware-version evidence with CVE-2018-7789 alongside CVE-2018-7790, reporting version-based advisory context without sending reboot probes, querying Modbus, replaying authentication, uploading PLC programs, or claiming exploit confirmation.
- NEW: Mbed TLS CVE-2024-45159 repo advisory coverage. GitHub repo scans now flag source and build metadata for affected Mbed TLS 3.2.0 through 3.6.0 releases, reporting version-based advisory evidence without client-certificate probes, TLS handshake testing, or authentication-bypass confirmation.
- NEW: Oracle Java SE/GraalVM CVE-2022-21340 repo advisory coverage. GitHub repo scans now flag explicit Oracle Java SE or Oracle GraalVM Enterprise runtime metadata, reporting version-based advisory evidence without running Java, sandbox-code proof, denial-of-service traffic, or runtime exploit confirmation.
- NEW: OpenSSL CMS CVE-2025-15467 advisory. GitHub repo scans now flag affected OpenSSL CMS release-line evidence and report branch-aware source/config evidence without crash, denial-of-service, or code-execution reproduction.
- NEW: codfish semantic-release GitHub Action compromise check. Repo scans can now flag workflow YAML references to codfish/semantic-release-action refs associated with the June 2026 compromise, reporting source/config evidence only. The check does not run GitHub Actions, read CI secrets, inspect runners, or claim credential theft.
- NEW: Spring Data Commons property-path advisory coverage. GitHub repo scans now report Maven/Gradle dependency evidence for Spring Data Commons versions associated with CVE-2018-1274 / GHSA-5q8m-mqmx-pxp9. The finding stays version-based and does not run the app, probe Spring Data REST endpoints, send crafted property-path parameters, stress CPU or memory, or claim denial-of-service confirmation.
- NEW: vm2 Promise species advisory coverage. GitHub repo scans now report npm manifest and lockfile evidence for vm2 versions associated with CVE-2026-47208 / GHSA-76w7-j9cq-rx2j. The finding stays version-based and does not run the app, execute sandbox-breakout proof-of-concept code, inspect live workers, or claim host command execution.
- NEW: pyLoad /flashgot advisory coverage. GitHub repo scans now report Python manifest and lockfile evidence for pyload-ng versions associated with CVE-2024-47821 / GHSA-w7hq-f2pj-c53g. The finding stays version-based and does not run pyLoad, send /flashgot requests, change settings, download files, write script directories, or claim command execution.
- NEW: SAP Cloud SDK for AI Python advisory check. GitHub repo scans now flag Python manifest and lockfile evidence for sap-ai-sdk-base versions affected by CVE-2023-25617 / GHSA-xxhh-59gh-6ffx as version-based advisory evidence, without running Python, connecting to SAP BusinessObjects, scheduling Program Objects, sending command-injection input, or claiming OS command execution.
- NEW: Gradio Windows/Python path traversal advisory check. GitHub repo scans now flag Gradio dependency evidence for CVE-2026-28414 / GHSA-39mp-8hj3-5c49 and raise confidence when repository configuration also points to Windows with Python 3.13+, without requesting Gradio file endpoints, sending traversal input, reading files, or claiming live arbitrary file read.
June 29, 2026
- NEW: MISP STIX import source advisory coverage. GitHub repo scans now report source evidence for CVE-2018-19908 in app/Model/Event.php when original STIX filenames flow into shell command construction. The check uses repository source evidence and does not run MISP, import files, or claim runtime command execution.
- NEW: MindsDB status version advisory coverage. Verified active scans now include MindsDB /api/status version evidence for CVE-2026-27483 when the public status endpoint reports a release before 25.9.1.1. This read-only check does not upload files, send traversal filenames, or claim remote-code execution.
- NEW: NiceGUI upload filename source advisory check. GitHub repo scans now include CVE-2026-25732 coverage when affected NiceGUI dependency evidence appears with upload-handler source that saves paths built from client-supplied filenames. The check reports source/dependency evidence without uploading files, writing outside upload directories, or claiming code execution.
June 18, 2026
- NEW: SillyTavern SearXNG SSRF active check. Verified active scans now report only direct evidence that a SillyTavern SearXNG search proxy fetched a FixVibe-controlled external callback URL. The probe avoids localhost, cloud metadata, private-network targets, and internal-service requests.
- NEW: Unauthenticated Glances REST API exposure check. Verified active scans can now confirm when the scanned origin exposes the Glances REST API identity and metric-shaped responses without authentication. FixVibe records only the response shape and avoids broad API dumps, process lists, command lines, configuration, or secrets.
- NEW: Spring Data Commons + XMLBeam advisory coverage. GitHub repo scans now report paired Maven/Gradle dependency evidence for Spring Data Commons and XMLBeam versions associated with CVE-2018-1259 / GHSA-m929-7fr6-cvjg. The finding stays version-based and does not run the app, send XML payloads, probe endpoints, read local files, or claim SSRF confirmation.
- NEW: Moby AuthZ dependency advisory check. GitHub repo scans can now flag Go module manifests that resolve Moby or Docker Engine versions affected by CVE-2026-34040 / GHSA-x744-4wpc-v9h2, as version-based advisory evidence without connecting to Docker APIs, testing AuthZ plugins, sending crafted requests, or claiming authorization-bypass confirmation.
- NEW: NGINX rewrite-module config advisory check. GitHub repo scans can now correlate affected NGINX version evidence with rewrite-module configuration evidence for CVE-2026-42945, without running NGINX, sending traffic, or claiming memory-corruption proof.
- NEW: SQLitePCLRaw NuGet advisory check. GitHub repo scans can now flag .NET project and NuGet lockfile evidence for affected SQLitePCLRaw native SQLite packages tied to CVE-2025-6965 / GHSA-2m69-gcr7-jv3q, without claiming memory-corruption proof.
- NEW: gemini-mcp-tool CVE-2026-0755 advisory. Repo scans flag affected npm manifest and lockfile versions for GHSA-4h5r-5jm8-jxjm with repository version evidence only. The check does not run the MCP server, send command or @file probes, trigger callbacks, read local files, or assert runtime exploit confirmation.
- NEW: Mastra easy-day-js advisory check. GitHub repo scans flag easy-day-js manifest and lockfile evidence tied to the June 2026 Mastra npm incident. The finding stays limited to repository dependency evidence and does not verify stale npm owners, run package scripts, inspect hosts, or assert credential theft.
- NEW: Drupal Core CVE-2026-9082 advisory check. GitHub repo scans flag Composer manifest and lockfile versions for GHSA-ghwc-95x2-682j with repository version evidence only. The check does not run Drupal, verify PostgreSQL, send SQL payloads, extract data, or assert runtime exploit confirmation.
- NEW: Paramiko SSH-server authentication advisory check. GitHub repo scans can now flag Python dependency files that resolve Paramiko releases affected by CVE-2018-7750 / GHSA-232r-66cg-79px, reporting version-based advisory evidence without starting an SSH server, sending bypass traffic, or claiming deployed server-mode exposure.
- NEW: Apache Tomcat HTTP/2 resource-consumption dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat releases affected by CVE-2020-11996 / GHSA-53hp-jpwq-2jgq, reporting version-based advisory evidence without running Tomcat, sending HTTP/2 denial-of-service traffic, generating high-CPU proof traffic, or claiming runtime availability impact.
- NEW: @andrei-tatar/nora-firebase-common prototype-pollution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve @andrei-tatar/nora-firebase-common versions affected by CVE-2024-30564 / GHSA-jjff-q3q4-5hh8, reporting version-based advisory evidence without running the package, mutating Object.prototype, sending proof payloads, or claiming runtime exploit confirmation.
- NEW: cordova-plugin-inappbrowser Android advisory check. GitHub repo scans can now flag npm manifests, lockfiles, and Cordova config.xml files that resolve cordova-plugin-inappbrowser versions affected by CVE-2019-0219 / GHSA-c6pw-q7f2-97hv, reporting version-based advisory evidence without building mobile binaries, loading proof content, exercising plugin bridge behavior, or claiming deployed Android exploitability.
- NEW: Nokogiri libxslt RubyGems advisory coverage. GitHub repo scans now report Gemfile, Gemfile.lock, and gemspec evidence for Nokogiri releases affected by CVE-2019-18197 / GHSA-242x-7cm6-4w8j. The check uses version-based RubyGems evidence and does not run Ruby, process XML or XSLT input, crash-test libxslt, or claim runtime exploit confirmation.
- NEW: Perl GD CPAN advisory coverage. GitHub repo scans now report CPAN dependency evidence for Perl GD releases affected by CVE-2026-11526. The check uses version-based repository evidence and does not run Perl, process image files, pass crafted filenames to GD::Image constructors, or claim command-execution or file-overwrite confirmation.
- NEW: kill-port-process CVE-2019-15609 advisory check. GitHub repo scans flag affected npm manifest and lockfile versions for GHSA-xp4x-j9vh-c3wf, reporting version evidence only. The check does not run the package, send command payloads, terminate processes, or assert runtime exploit confirmation.
- NEW: proxy npm advisory coverage. GitHub repo scans can now report repository dependency evidence for proxy releases associated with CVE-2023-2968 / GHSA-mj6p-3pc9-wf5m. The finding stays version-based and does not run proxy, send crafted request traffic, crash-test services, or claim runtime denial-of-service confirmation.
- NEW: Apache ActiveMQ Artemis Jolokia dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve org.apache.activemq:artemis-cli versions affected by CVE-2023-50780 / GHSA-443j-grxv-2pgv, reporting version-based advisory evidence without authenticating to Jolokia, enumerating MBeans, changing Log4J2 configuration, writing files, restarting services, or claiming live RCE confirmation.
- NEW: Apache ActiveMQ Artemis dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that pin or allow artemis-server versions affected by CVE-2026-27446 / GHSA-fw88-pf9m-p947, reporting version-based advisory evidence without connecting to brokers, triggering federation callbacks, or claiming message injection/exfiltration confirmation.
- NEW: Apache Spark UI dependency advisory check. GitHub repo scans can now flag Maven, Gradle, and PySpark dependency files that pin or allow Apache Spark versions affected by CVE-2022-33891 / GHSA-4x9r-j582-cgr8, reporting version-based advisory evidence without visiting Spark UI, sending active exploit probes, or claiming command-execution confirmation.
- NEW: vLLM pickle-deserialization dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow vllm versions affected by CVE-2024-9053 / GHSA-cj47-qj6g-x7r4, reporting version-based advisory evidence without running vLLM, exposing AsyncEngineRPCServer, sending pickle payloads, or claiming runtime code-execution confirmation.
- NEW: Apache Airflow example-DAG advisory coverage. GitHub repo scans can now report repository dependency evidence for Airflow releases associated with CVE-2024-45498 / GHSA-c392-whpc-vfpr. The finding stays version-based and does not probe Airflow UI, trigger DAGs, run command payloads, or claim runtime exploit confirmation.
- NEW: ONNX download_model_with_test_data advisory coverage. GitHub repo scans now report Python dependency evidence for onnx releases affected by CVE-2024-5187 / GHSA-6rq9-53c3-f7vj and add source-call context when download_model_with_test_data appears. The check does not run Python, download or extract model archives, create malicious tar files, overwrite files, or claim runtime exploit confirmation.
- NEW: YOURLS type-juggling dependency advisory check. GitHub repo scans can now flag Composer and YOURLS source-version evidence for yourls/yourls releases affected by CVE-2019-14537 / GHSA-vf23-f26f-mjj9, reporting version-based advisory evidence without calling the YOURLS API, sending authentication-bypass requests, probing admin pages, or claiming unauthorized access.
- NEW: http4k-format-xml dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve org.http4k:http4k-format-xml versions affected by CVE-2024-55875 / GHSA-7mj5-hjjj-8rgw, reporting version-based advisory evidence without sending XML payloads, SSRF callbacks, local-file reads, or denial-of-service traffic.
June 14, 2026
- FIXED: DOM XSS fragment probe stability fix. Verified active scans now skip the DOM fragment probe cleanly when browser automation is unavailable at startup, so reports no longer show internal browser-context errors for that check.
- IMPROVED: Expanded Red Hat npm worm coverage. GitHub repo scans now include additional Wiz-reported @redhat-cloud-services package versions for the Miasma campaign, while still reporting repository dependency evidence without installing packages, executing lifecycle scripts, or claiming credential theft.
- NEW: Known npm typosquat package check. GitHub repo scans can now flag package manifests and lockfiles that resolve Microsoft-reported vpmdhaj npm typosquat package versions, reporting version-based advisory evidence without installing packages, executing lifecycle scripts, fetching tarballs, contacting attacker infrastructure, or claiming credential theft.
- NEW: Codex Remote UI token-stealing npm package check. GitHub repo scans can now flag package manifests and lockfiles that resolve codexui-android 0.1.82 or newer, reporting version-based advisory evidence without installing the package, executing it, reading Codex auth files, contacting exfiltration infrastructure, or claiming token theft.
- NEW: Claude Code GitHub Action workflow repo check. GitHub repo scans can now flag Claude Code Action workflows with mutable action refs, broad workflow token permissions, or risky access override inputs, reporting workflow YAML evidence without running Actions, executing Claude Code, reading CI secrets, or claiming prompt-injection exploitation.
- NEW: onering Rust crate malware repo check. GitHub repo scans can now flag Cargo manifests or lockfiles that resolve onering 1.4.1 or the known compromised onering git commit, and can flag matching checked-in build.rs evidence, without running Cargo, executing build scripts, fetching crates, or claiming source exfiltration.
- NEW: Node-gyp / Phantom Gyp npm worm repo check. GitHub repo scans can now flag package manifests or lockfiles that resolve known malicious npm package versions from the binding.gyp supply-chain campaign, or flag matching binding.gyp source evidence, without running npm install, executing node-gyp, downloading tarballs, or claiming credential theft.
June 11, 2026
- IMPROVED: Moxa NPort authentication advisory coverage. The existing verified-active Moxa NPort firmware check now correlates the same strong HTTP model and firmware evidence with CVE-2016-9361 as part of the MCSA-160401 advisory family, while still reporting a version-based advisory without attempting password retries, brute-force checks, firmware uploads, unauthenticated administrative actions, SNMP queries, serial-device protocol probes, crash tests, or exploit confirmation.
- IMPROVED: Moxa NPort unauthenticated firmware-update advisory coverage. The existing verified-active Moxa NPort firmware check now correlates the same strong HTTP model and firmware evidence with CVE-2016-9369 as part of the MCSA-160401 advisory family, while still reporting a version-based advisory without attempting firmware uploads, unauthenticated administrative actions, SNMP queries, serial-device protocol probes, crash tests, or exploit confirmation.
- NEW: Schneider Modicon M221 firmware advisory check. Passive scans can now flag strong public HTTP product and firmware-version evidence for Modicon M221 controllers associated with CVE-2018-7790, reporting version-based advisory context without capturing credentials, replaying authentication, querying Modbus, uploading PLC programs, or claiming unauthorized-access confirmation.
- NEW: Langflow CVE-2025-34291 CORS advisory check. Verified active scans can now flag affected Langflow instances when target-specific version evidence is paired with credentialed CORS origin reflection, without authenticating, reading tokens, triggering refresh flows, or claiming code-execution confirmation.
- NEW: SiteOmat BOS version advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14728 as a version-based advisory, without attempting default credentials, SSH login, broad port scans, state-changing management actions, or unauthorized access.
- NEW: SiteOmat login SQL injection advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14851 as a version-based advisory, without submitting login forms, sending SQL injection payloads, attempting authentication bypass, accessing post-login pages, or making state-changing management requests.
- NEW: SiteOmat CGI buffer-overflow advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14854 as a version-based advisory, without sending crafted CGI input, overflow payloads, crash tests, broad port scans, state-changing management actions, or exploit requests.
- NEW: Kubernetes externalIPs manifest advisory check. GitHub repo scans can now flag Kubernetes Service manifests that declare non-empty spec.externalIPs as source/config hardening evidence for CVE-2020-8554, without inspecting live clusters, checking RBAC, sending traffic, or claiming traffic interception.
- NEW: Apache Tomcat EncryptInterceptor dependency advisory check. GitHub repo scans can now flag Maven and Gradle files that resolve exact Tomcat releases associated with CVE-2026-34486 / GHSA-69r9-qgr7-g2wj, reporting version-based advisory evidence without running Tomcat, inspecting cluster traffic, sending crafted Tribes packets, or claiming plaintext-disclosure confirmation.
- NEW: Apache Tomcat h2c request mix-up dependency advisory check. GitHub repo scans can now flag Maven and Gradle files that resolve Tomcat embedded-core or Coyote versions affected by CVE-2021-25122 / GHSA-j39c-c8hj-x4j3, reporting version-based advisory evidence without running Tomcat, sending h2c upgrade requests, capturing traffic, or claiming information-disclosure confirmation.
- NEW: PickleScan ZIP CRC dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow PickleScan versions affected by CVE-2025-10156 / GHSA-mjqp-26hc-grxg, reporting version-based advisory evidence without running PickleScan, creating corrupted archives, loading models, or claiming runtime code-execution confirmation.
- NEW: NLTK Zip Slip dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow NLTK versions affected by CVE-2025-14009 / GHSA-7p94-766c-hgjp, reporting version-based advisory evidence without running Python or NLTK, calling nltk.download(), extracting packages, creating malicious archives, or claiming runtime code-execution confirmation.
- NEW: TanStack ArkType adapter malware dependency check. GitHub repo scans can now flag package manifests and lockfiles that resolve @tanstack/arktype-adapter to malicious versions 1.166.12 or 1.166.15 from CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx, reporting version-based advisory evidence without running npm install, executing lifecycle scripts, downloading tarballs, or claiming credential theft.
- NEW: Mbed TLS CVE-2021-44732 repo advisory check. GitHub repo scans can now flag source and build metadata that identify Mbed TLS versions affected by CVE-2021-44732, reporting version-based advisory evidence without running Mbed TLS, forcing out-of-memory behavior, calling session-copy APIs, or claiming live double-free confirmation.
- NEW: IIS TRACK method exposure check. Verified active scans can now flag legacy TRACK echo behavior associated with CVE-2003-1567 using non-sensitive request evidence, without sending cookies, credentials, browser exploit pages, user traffic, or state-changing requests.
- NEW: Red Hat npm worm dependency advisory check. GitHub repo scans can now flag package manifests and lockfiles that resolve known compromised @redhat-cloud-services npm versions associated with the credential-stealing worm campaign, reporting dependency evidence without executing install scripts or claiming credential theft.
- NEW: DICOM executable preamble check. GitHub repo scans can now flag committed DICOM files whose Part 10 preamble carries executable-file evidence, reporting static file evidence without executing the file or claiming production compromise.
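The npm lockfile checks above (the codexui-android entry of June 14 and the @tanstack/arktype-adapter entry of June 11) work from resolved version strings only. As an added illustration that is not FixVibe's own code, the following Python walks a constructed package-lock.json and reports matches against the affected versions those entries state, without installing anything; the lockfile contents, the Advisory/Finding structures and the simplified semver parsing are assumptions of this example.

```python
# Added example (not FixVibe's code): version-based advisory matching over an npm
# lockfile. Only resolved version strings are inspected; nothing is installed,
# no lifecycle scripts run, and no tarballs are fetched.
import json
import re
from dataclasses import dataclass
from typing import Callable, Iterator


def parse_version(v: str) -> tuple[int, ...]:
    """'1.166.12' -> (1, 166, 12). Pre-release/build tags are dropped, a
    simplification for this example (real semver ranks pre-releases lower)."""
    core = re.split(r"[-+]", v.strip(), maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str
    affected: Callable[[tuple[int, ...]], bool]  # predicate over a parsed version
    note: str


# Advisory table built from the changelog entries (an assumption of this example,
# not FixVibe's rule format).
ADVISORIES = [
    Advisory("@tanstack/arktype-adapter", "CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx",
             lambda v: v in {(1, 166, 12), (1, 166, 15)},
             "malicious versions 1.166.12 and 1.166.15"),
    Advisory("codexui-android", "Codex Remote UI token-stealing package",
             lambda v: v >= (0, 1, 82),
             "0.1.82 or newer"),
]


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    lock_path: str
    advisory_id: str
    evidence: str


def iter_lockfile_packages(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (name, version, lock path) for every resolved package.
    lockfileVersion 2/3 use a flat "packages" map keyed by install path (the
    name follows the last "node_modules/", keeping any "@scope/" prefix);
    lockfileVersion 1 nests a "dependencies" tree instead."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" describes the root project itself
                continue
            if meta.get("version"):
                yield path.rsplit("node_modules/", 1)[-1], meta["version"], path
        return

    def walk(deps: dict, prefix: str) -> Iterator[tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version"):
                yield name, meta["version"], path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def scan_lockfile(lock_text: str) -> list[Finding]:
    """Report every resolved package whose version the advisory table marks affected."""
    findings: list[Finding] = []
    for name, version, path in iter_lockfile_packages(json.loads(lock_text)):
        for adv in ADVISORIES:
            if adv.package != name:
                continue
            try:
                parsed = parse_version(version)
            except ValueError:
                continue  # git URL or tag instead of semver: no version evidence, no finding
            if adv.affected(parsed):
                findings.append(Finding(
                    name, version, path, adv.advisory_id,
                    f"{path} resolves {name}@{version} ({adv.note}); version evidence only"))
    return findings


# Constructed sample lockfile: one direct malicious adapter version, a nested copy
# outside the affected set, an affected codexui-android, and a clean package.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@tanstack/arktype-adapter": {"version": "1.166.12"},
        "node_modules/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/@tanstack/arktype-adapter": {"version": "1.166.13"},
        "node_modules/codexui-android": {"version": "0.1.90"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK):
        print(finding.advisory_id, "-", finding.evidence)
```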
June 10, 2026
- NEW: Mbed TLS CVE-2023-45199 repo advisory check. GitHub repo scans can now flag source and build metadata that identify Mbed TLS 3.2.x through 3.4.x, reporting version-based advisory evidence without sending TLS handshake payloads or claiming live memory corruption.
- NEW: Rockwell MicroLogix 1100 advisory fingerprint. Passive scans can now flag strong public HTTP evidence of a Rockwell Automation MicroLogix 1100 controller associated with CVE-2021-33012, reporting advisory context without sending industrial protocol commands or claiming denial-of-service behavior.
- NEW: Moxa NPort firmware advisory check. Verified active scans can now flag public HTTP model and firmware-version evidence for Moxa NPort devices associated with CVE-2016-9363, reporting version-based advisory context without sending crafted packets, querying SNMP, testing serial-device services, or claiming exploit confirmation.
- NEW: Rockwell MicroLogix 1100 authentication-attempt advisory check. Verified active scans can now flag public HTTP model and firmware evidence for MicroLogix 1100 controllers associated with CVE-2017-7898, reporting version-based advisory context without attempting logins, brute force, or industrial protocol probes.
- NEW: Log4j 1.2 JDBCAppender advisory check. GitHub repo scans can now flag Log4j 1.2 dependency evidence paired with JDBCAppender SQL configuration for CVE-2022-23305 / GHSA-65fg-84f6-3jq3, reporting repository/config evidence without executing SQL, writing log events, or claiming runtime database compromise.
- NEW: Log4j 1.2 JMSAppender advisory check. GitHub repo scans can now flag Log4j 1.2 dependency evidence paired with JMSAppender configuration for CVE-2021-4104 / GHSA-fp5r-v3w9-4333, reporting repository/config evidence without contacting JNDI or JMS services or claiming runtime exploit confirmation.
- NEW: Microsoft ATL MS09-035 source advisory check. GitHub repo scans can now flag legacy Visual C++ ATL project metadata paired with ATL source usage associated with CVE-2009-0901/CVE-2009-2493/CVE-2009-2495, reporting source/build advisory evidence without inspecting build machines, sending malformed streams, probing information disclosure, or claiming live code-execution confirmation.
- NEW: Langflow CVE-2026-33017 version advisory check. Verified active scans can now flag public Langflow version evidence for CVE-2026-33017 / GHSA-vwmf-pq79-vjvx as a version-based advisory, without submitting flow data, building flows, executing code, or claiming public-flow exploit confirmation.
- NEW: Keras CVE-2025-1550 dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow Keras versions affected by CVE-2025-1550 / GHSA-48g7-3x6r-xfhp, reporting version-based advisory evidence without loading model archives, generating payloads, or claiming runtime code-execution confirmation.
- NEW: TLS RC4 negotiation advisory check. Verified active scans can now flag TLS endpoints that still select RC4 cipher suites associated with CVE-2015-2808, reporting confirmed RC4 support without capturing traffic or claiming plaintext recovery.
- NEW: TLS Sweet32 DES/3DES advisory check. Verified active scans can now flag TLS endpoints that still select DES or 3DES 64-bit block cipher suites associated with CVE-2016-2183, reporting confirmed cipher negotiation without capturing traffic or claiming plaintext recovery.
- NEW: Schneider PowerLogic EGX advisory check. Verified active scans can now flag public PowerLogic EGX100 firmware or EGX300 product evidence associated with CVE-2021-22765/CVE-2021-22767/CVE-2021-22768, reporting product/firmware advisory context without sending crafted HTTP packets, querying industrial protocols, crash-testing gateways, or claiming exploit confirmation.
May 27, 2026
- NEW: Arcserve UDP CVE-2025-34523 version advisory check. Verified active scans can now flag public Arcserve UDP version evidence for CVE-2025-34523 as a version-based advisory, without sending crafted heap-overflow input, crash-testing the service, authenticating to the console, or claiming command execution.
- NEW: Liferay Portal CVE-2010-5327 version advisory check. Verified active scans can now flag public Liferay Portal version evidence for CVE-2010-5327 as a version-based advisory, without authenticating, editing templates, sending template payloads, or claiming command execution.
- NEW: ws excessive-header DoS dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve ws versions affected by CVE-2024-37890 / GHSA-3h5v-q93c-6h6q, reporting version-based advisory evidence without sending denial-of-service traffic or claiming runtime WebSocket exposure.
May 25, 2026
- IMPROVED: SPIP version advisory wording. Passive SPIP version findings now distinguish version-fingerprint advisory evidence for CVE-2016-7980 and CVE-2016-7998 from runtime exploit proof, without active CSRF, local-file validation, or template-execution reproduction.
- FIXED: Active scan reliability and SSTI accuracy fix. Active scans now safely store response-derived evidence that contains unsupported control characters, and SSTI reporting requires stronger target-specific template-evaluation evidence instead of common page or static-asset content.
May 24, 2026
- NEW: WebdriverIO BrowserStack service dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve @wdio/browserstack-service versions affected by CVE-2026-25244 / GHSA-5c46-x3qw-q7j7, reporting version-based advisory evidence without running WebdriverIO, starting BrowserStack Local, or using command payloads.
- NEW: WordPress REST API user-exposure check. Verified active scans can now report WordPress REST users endpoints that return public user slugs to unauthenticated clients, with medium-severity exposure wording that does not claim WordPress version proof or account compromise.
- NEW: Django CSRF dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow Django versions affected by CVE-2011-0696 / GHSA-5j2h-h5hg-3wf8, reporting version-based advisory evidence without running Django, probing state-changing routes, or claiming runtime CSRF exploitability.
- NEW: TMT Lockcell SQL injection active check. Verified active scans can now report TMT Lockcell login surfaces whose responses change consistently with CVE-2023-3047, using a bounded login-response comparison that does not run timing delays, follow authenticated redirects, or extract database data.
- NEW: OpenSSL PowerPC Poly1305 advisory check. GitHub repo scans can now correlate affected OpenSSL 3.x version evidence with PowerPC build/deployment evidence for CVE-2023-6129, reporting version-and-architecture advisory evidence without reproducing state corruption or denial-of-service behavior.
May 23, 2026
- NEW: electerm unauthenticated command-execution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2020-23256 / GHSA-x73w-g8hx-v7rp, reporting the result as a version-based advisory without probing or running electerm services.
- NEW: SaltStack Salt dependency advisory check. GitHub repo scans can now flag Python dependency evidence for Salt versions affected by CVE-2017-12791 / GHSA-xxvj-8g5m-4qgw, reporting it as a version-based advisory without probing the Salt master handshake.
- NEW: rclone RC fsinfo exposure check. Verified active scans can now confirm unauthenticated fsinfo exposure on rclone Remote Control associated with CVE-2026-41179 / GHSA-jfwf-28xr-xw6q, using limited metadata evidence without command execution.
- NEW: Apache Tomcat session-persistence advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat versions affected by CVE-2020-9484 / GHSA-344f-f5vg-2jfj, and raise confidence when repository configuration also shows FileStore-based PersistentManager session persistence.
- NEW: Note Mark dependency advisory check. GitHub repo scans can now flag Go manifests that resolve Note Mark backend versions affected by CVE-2026-44522 / GHSA-g49p-4qxj-88v3, reporting the result as a version-based advisory without uploading files, triggering exports, or claiming live RCE confirmation.
May 20, 2026
- NEW: Gogs dependency advisory check. GitHub repo scans can now flag Go manifests that pin Gogs versions affected by CVE-2018-20303 / GHSA-9hxg-w7qf-hh93, with version-based advisory evidence rather than path-traversal confirmation.
- NEW: deephas prototype-pollution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve deephas versions affected by CVE-2020-28271 / GHSA-4fr2-j4g9-mppf, with version-based advisory evidence rather than runtime prototype-pollution confirmation.
- NEW: OpenSSL TLSv1.3 repo check. GitHub repo scans can now correlate affected OpenSSL version evidence with TLSv1.3 session configuration evidence for CVE-2024-2511, reporting medium-confidence source/config evidence rather than live denial-of-service confirmation.
19 May 2026
- IMPROVED electerm Linux install-script coverage. The electerm dependency advisory now covers CVE-2026-41501 / GHSA-8x35-hph8-37hq alongside the existing macOS install-script advisory, so the finding stays grounded in npm manifest and lockfile evidence rather than exploit confirmation.
- NEW GeniXCMS author-route SQL injection check. Verified active scans can now confirm CVE-2017-5517-style database error behaviour on the GeniXCMS author route with target-specific evidence, without data extraction or destructive SQL probing.
- NEW Netmaker DNS key authorization-bypass check. Verified active scans can now confirm CVE-2023-32077 exposure on Netmaker deployments when the read-only DNS API rejects the base request but returns DNS record evidence through the legacy DNS authorization path, without creating, modifying, or deleting records.
- NEW openDCIM source command-injection check. GitHub repo scans can now flag the CVE-2026-28517 source/config pattern in report_network_map.php with source-match evidence, confidence, and runtime exploit boundaries rather than active command execution.
- NEW SPIP valider_xml XSS check. Verified active scans can now confirm CVE-2016-7981-style unescaped URL reflection on SPIP deployments with target-specific HTML-context evidence, without running JavaScript in a browser.
- NEW Apache Tomcat Coyote dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat Coyote or embedded core versions affected by CVE-2025-48989 / GHSA-gqp3-2cvr-x8m3, with version-based advisory evidence rather than runtime denial-of-service confirmation.
- NEW veraPDF XSLT dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve veraPDF artifacts affected by CVE-2024-28109 / GHSA-qxqf-2mfx-x8jw, with version-based advisory evidence rather than XSLT execution confirmation.
18 May 2026
- NEW electerm dependency advisory check. GitHub repo scans can flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f and CVE-2026-41501 / GHSA-8x35-hph8-37hq, with version-based advisory evidence rather than exploit confirmation.
- NEW OpenCms dependency advisory check. GitHub repo scans can now flag Maven pom.xml files that pin or resolve org.opencms:opencms-core versions affected by CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, with version-based advisory evidence rather than XXE exploit confirmation.
- NEW MagicMirror /cors SSRF check. Verified active scans can now confirm CVE-2026-42281 exposure on MagicMirror instances when the unauthenticated /cors endpoint fetches a FixVibe-controlled external callback, without probing internal services.
17 May 2026
- NEW FUXA hardcoded JWT secret check. Verified active scans can now confirm CVE-2025-69971 exposure on FUXA instances that still trust the vulnerable fallback JWT signing configuration.
- NEW CKAN DataStore SQL exposure check. Verified active scans can now confirm unauthenticated CKAN DataStore SQL access related to CVE-2026-42031 and guide teams to the patched CKAN release line or a safer DataStore configuration.
16 May 2026
- NEW PDF.js dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow pdfjs-dist versions affected by CVE-2024-4367 / GHSA-wgrm-67xf-hhpq.
- NEW Active scans via REST API and MCP. Active scans can now be triggered from REST and MCP against verified domains that have been explicitly authorized from the dashboard. Authorization can be revoked at any time.
- NEW Safer authorization levels for active scans. Domain authorization now distinguishes safer automated active checks from deeper active testing, so teams can automate the right verification level for each domain.
- NEW First-use webhook for API/MCP active scans. Webhooks can notify teams the first time an API/MCP-triggered active scan runs on a newly authorized domain.
- IMPROVED Improved Referrer-Policy findings. Missing or weak Referrer-Policy results now separate URL-referrer leakage from broad information exposure, show document-response evidence, and include generic plus static-host remediation guidance.
- IMPROVED Improved Permissions-Policy findings. Missing or weak Permissions-Policy results now show feature-level evidence, separate broad feature allowlists from missing hardening, and include generic plus static-host remediation guidance for common hosts, proxies, and app servers.
- IMPROVED Improved clickjacking header prompts. Missing X-Frame-Options findings now point agents to CSP frame-ancestors as the modern protection, add Vercel/static SPA header guidance, and verify x-frame-options together with CSP.
- IMPROVED CSP header evidence and fix prompts improved. Missing-CSP reports now include clearer hosting and response context, plus safer, framework-based remediation guidance.
- FIXED Vercel path-probe false positives reduced. FixVibe now requires stronger app-specific evidence before reporting exposed framework artifacts on deployments that rewrite unknown routes to the app shell.
- FIXED Compliance findings no longer carry misleading CWE tags. The legal compliance checks previously tagged the "missing privacy policy" and "missing terms of service" findings with CWE-359 (PII exposure), which did not describe the actual gap. Those findings now ship without a CWE: they are compliance/governance items, not a classifiable security weakness.
15 May 2026
- NEW Additional research-informed checks. FixVibe ships more coverage based on recent vulnerability research and maps duplicate topics to the existing scanner modules that already cover them.
- NEW Repository secret-leak check. GitHub repository scans can now flag hardcoded provider keys and high-entropy secret-like values committed to source, with redacted evidence and FixVibe's standard rotation prompt included.
- NEW Vercel deployment protection check. Passive scans can now flag generated public *.vercel.app deployment URLs that respond without Vercel Deployment Protection, while the existing header checks continue to audit CSP, HSTS, and browser hardening.
14 May 2026
- NEW LiteLLM dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow LiteLLM versions affected by CVE-2026-42208 / GHSA-r75f-5x8p-qvmc.
- NEW LibreNMS dependency advisory check. GitHub repo scans can now flag Composer manifests that pin or allow LibreNMS versions affected by CVE-2024-51092 / GHSA-x645-6pf9-xwxw.
- IMPROVED Firebase rules detection improved. BaaS scans now detect more shapes of Firebase apps and use read-only evidence to identify risky public data exposure.
13 May 2026
- NEW Repo Supabase RLS migration check. GitHub repo scans can now flag Supabase SQL migrations that create public tables without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
- NEW Supabase Storage posture check. Passive scans can now review public Supabase storage buckets and anonymous object-listing exposure alongside the existing RLS and key checks.
- NEW AI-generated code guardrail check. GitHub repo scans can now flag missing security automation around code scanning, secret scanning, dependency updates, and AI-agent instructions.
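As an added illustration of the Supabase RLS migration check described above (example code written for this page, not FixVibe's own scanner), the function below scans a constructed SQL migration for public-schema CREATE TABLE statements and reports those with no matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY; the SAMPLE_MIGRATION text and all names are constructed here.

```python
import re

# Constructed sample migration (not from FixVibe): profiles enables RLS, orders does not,
# and auth.internal_audit is outside the public schema.
SAMPLE_MIGRATION = """
create table public.profiles (
  id uuid primary key,
  email text
);
alter table public.profiles enable row level security;

CREATE TABLE IF NOT EXISTS "public"."orders" (
  id bigint generated always as identity,
  total numeric
);

create table auth.internal_audit (id int);  -- not public, so not in scope
"""

# Optional schema prefix plus table name, with or without double quotes.
_IDENT = r'(?:"?(?P<schema>\w+)"?\.)?"?(?P<name>\w+)"?'
CREATE_RE = re.compile(
    r'\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?' + _IDENT, re.IGNORECASE)
ENABLE_RE = re.compile(
    r'\balter\s+table\s+(?:only\s+)?' + _IDENT
    + r'\s+enable\s+row\s+level\s+security\b', re.IGNORECASE)


def _strip_comments(sql):
    """Drop -- line comments so a commented-out ENABLE statement does not count."""
    return re.sub(r'--[^\n]*', '', sql)


def _public_tables(matches):
    """Yield lowercased names of tables whose schema is (or defaults to) public."""
    for m in matches:
        if (m.group('schema') or 'public').lower() == 'public':
            yield m.group('name').lower()


def find_tables_missing_rls(sql):
    """Return public tables created in the migration with no matching
    ALTER TABLE ... ENABLE ROW LEVEL SECURITY, in creation order."""
    sql = _strip_comments(sql)
    created = list(_public_tables(CREATE_RE.finditer(sql)))
    enabled = set(_public_tables(ENABLE_RE.finditer(sql)))
    return [t for t in created if t not in enabled]


if __name__ == "__main__":
    for table in find_tables_missing_rls(SAMPLE_MIGRATION):
        print(f"public.{table}: created without ENABLE ROW LEVEL SECURITY")
```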
12 May 2026
- NEW Repo web-app risk checklist. GitHub repo scans can now flag high-confidence OWASP-style code risks such as raw SQL interpolation, unsafe HTML sinks, credentialed CORS wildcards, disabled TLS verification, and weak JWT secret fallbacks.
- NEW Next.js middleware-bypass check. Active scans for verified domains can now confirm CVE-2025-29927 exposure on middleware-protected routes before reporting it, and reports include FixVibe's standard AI fix prompt for remediation.
9 May 2026
- SECURITY Cross-origin scope hardening. Active scans and client-asset checks now stay within the authorized target scope and avoid carrying customer-supplied credentials across cross-origin redirects.
- FIXED Supabase RLS check is now strictly read-only. Supabase posture checks now avoid write attempts and focus on safe exposure signals. Verified-domain active testing remains the boundary for deeper confirmation.
- IMPROVED Security header findings now apply only to root HTML responses. Missing CSP, Permissions-Policy, X-Frame-Options, or Referrer-Policy on 204, JSON API, file download, or 404 responses no longer produce findings. HSTS and X-Content-Type-Options are still assessed on all responses.
- IMPROVED Auth-flow and rate-limit checks now require stronger evidence. FixVibe now reports these issues only when application behaviour clearly supports the finding, reducing noise from generic error pages and unsupported methods.
- IMPROVED File-upload findings tier by exploitability evidence. File-upload reports now separate low-confidence acceptance signals from strong evidence of risky serving behaviour, reducing over-severity on harmless upload handlers.
7 May 2026
- FIXED Threat-intel listing accuracy improved. FixVibe now distinguishes actual blocklist evidence from resolver diagnostics so threat-intelligence findings do not over-report infrastructure-side lookup responses.
- NEW GitHub repo scanning. Connect a repo and FixVibe inspects the source for leaked Supabase service keys, Firebase admin tokens, risky workflow files, and outdated dependencies, without ever loading your deployed site. See Scan types.
- NEW SAST check for risky JavaScript. Repo scans now flag new Function() and setTimeout("string"); both are equivalent to eval() when given untrusted input.
- FIXED False "exposed file" findings on Vercel / Cloudflare sites. A plain 403 Forbidden response is no longer reported as "file exists"; most edge providers return 403 for suspicious-looking paths whether the file exists or not. We now require a positive HTTP signal before flagging.
- FIXED Repo-code false positives reduced. Repo scans now avoid flagging security terms in comments, documentation, test helpers, and server-only contexts for several high-signal code checks.
- FIXED Supabase anon key in localStorage is no longer reported as a JWT-in-storage finding; the anon key is a client token that is meant to be public. Real service-role tokens in browser storage are now critical, with a clearer title.
- FIXED CSP weakness detection improved. Content-Security-Policy checks now catch more permissive source policies while keeping evidence and remediation focused on the effective browser policy.
- FIXED Reflected-XSS check tightened. Active scans now require stronger reflection evidence before reporting executable-context risk, reducing false positives from unrelated markup on the page.
- FIXED Domain verification handles apex → www redirects correctly and is clearer about which value goes in the Host field of the TXT record.
Format
Each entry is tagged so it is easy to scan:
- NEW A new check, surface, or feature.
- IMPROVED Existing behaviour made better: more accurate, faster, clearer.
- FIXED A bug we shipped and then cleaned up.
- SECURITY Hardening, a vulnerability fix, or a compliance change.
Seen something broken that is not recorded here? Email support@fixvibe.app.
