// docs / changelog
Changelog
FixVibe scan-engine updates: new coverage, safety improvements, and accuracy improvements. Newest entries first.
May 18, 2026
- NEW electerm dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f, with version-based advisory evidence rather than exploit confirmation.
- NEW OpenCms dependency advisory check. GitHub repo scans can now flag Maven pom.xml files that pin or resolve org.opencms:opencms-core versions affected by CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, with version-based advisory evidence rather than XXE exploit confirmation.
May 17, 2026
- NEW FUXA hardcoded JWT secret check. Verified active scans can now confirm CVE-2025-69971 exposure on FUXA instances that still trust the vulnerable fallback JWT signing configuration.
- NEW CKAN DataStore SQL exposure check. Verified active scans can now confirm unauthenticated CKAN DataStore SQL access associated with CVE-2026-42031 and guide teams to patched CKAN release lines or safer DataStore configuration.
May 16, 2026
- NEW PDF.js dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow pdfjs-dist versions affected by CVE-2024-4367 / GHSA-wgrm-67xf-hhpq.
- NEW Active scans via REST API and MCP. Active scans can now be triggered from REST and MCP against verified domains that have been explicitly authorized from the dashboard. Authorization is revocable at any time.
- NEW Safer authorization levels for active scans. Domain authorization now distinguishes safer automated active checks from deeper active testing, so teams can automate the right level of verification for each domain.
- NEW First-use webhook for API/MCP active scans. A webhook can notify teams the first time an API/MCP-triggered active scan runs against a newly authorized domain.
- IMPROVED Referrer-Policy findings. Missing or weak Referrer-Policy results now separate URL-referrer leakage from broad information exposure, show document-response evidence, and include generic plus static-host remediation guidance.
- IMPROVED Permissions-Policy findings. Missing or weak Permissions-Policy results now show feature-level evidence, separate broad feature allowlists from missing hardening, and include generic plus static-host remediation guidance for common hosts, proxies, and app servers.
- IMPROVED Clickjacking header prompts. Missing X-Frame-Options findings now point agents to CSP frame-ancestors as the modern protection, add Vercel/static SPA header guidance, and verify x-frame-options together with CSP.
- IMPROVED CSP header evidence and fix prompts. Missing-CSP reports now include clearer hosting and response context plus safer framework-aware remediation guidance.
- FIXED Vercel path-probe false positives reduced. FixVibe now requires stronger application-specific evidence before reporting exposed framework artifacts on deployments that rewrite unknown routes to the app shell.
- FIXED Compliance findings no longer carry a wrong CWE tag. Previously the legal-compliance check attached CWE-359 (PII exposure) to "Missing privacy policy" and "Missing terms of service" findings, which does not describe the actual gap. These findings are now published without a CWE: they are compliance items, not classifiable security vulnerabilities.
May 15, 2026
- NEW Additional research-informed checks. FixVibe shipped more coverage based on recent vulnerability research and mapped duplicate topics to existing scanner modules where coverage already existed.
- NEW Repository secret-leak check. GitHub repository scans can now detect hardcoded provider keys committed to source and high-entropy values that look like secrets; evidence is masked and the standard FixVibe rotation prompt is included.
- NEW Vercel deployment protection check. Passive scans can now flag public *.vercel.app generated deployment URLs that respond without Vercel Deployment Protection, while existing header checks continue to audit CSP, HSTS, and browser hardening.
May 14, 2026
- NEW LiteLLM dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow LiteLLM versions affected by CVE-2026-42208 / GHSA-r75f-5x8p-qvmc.
- NEW LibreNMS dependency advisory check. GitHub repo scans can now flag Composer manifests that pin or allow LibreNMS versions affected by CVE-2024-51092 / GHSA-x645-6pf9-xwxw.
- IMPROVED Firebase rules detection. BaaS scans now detect more Firebase app shapes and use read-only evidence to identify risky public data exposure.
May 13, 2026
- NEW Repo Supabase RLS migration check. GitHub repo scans can now flag Supabase SQL migrations that create public tables without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
- NEW Supabase Storage posture check. Passive scans can now review public Supabase Storage buckets and anonymous object-listing exposure alongside existing RLS and key checks.
- NEW AI-generated code guardrail check. GitHub repo scans can now flag missing security automation around code scanning, secret scanning, dependency updates, and AI-agent instructions.
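To make the Supabase RLS migration check above concrete, here is an added example of the same kind of detection logic. It is not FixVibe's code: it strips SQL comments, collects tables created in the public schema (or with no schema, which Supabase resolves to public), and reports any that never receive an ENABLE ROW LEVEL SECURITY statement in the same migration text. The migration text is constructed for this example; the regexes and the rule that a schema-less name means public are assumptions of this example, not the product's implementation.

```python
import re

# Assumption: a "public table" is one created with schema "public" or with no
# schema at all (Supabase migrations default to public). Identifiers may be
# double-quoted. Both regexes are simplified and do not cover every SQL form.
CREATE_TABLE_RE = re.compile(
    r'\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?'
    r'(?:(?P<schema>"?\w+"?)\s*\.\s*)?(?P<table>"?\w+"?)',
    re.IGNORECASE,
)
ENABLE_RLS_RE = re.compile(
    r'\balter\s+table\s+(?:only\s+)?'
    r'(?:(?P<schema>"?\w+"?)\s*\.\s*)?(?P<table>"?\w+"?)'
    r'\s+enable\s+row\s+level\s+security\b',
    re.IGNORECASE,
)


def _strip_comments(sql):
    # Remove /* ... */ and -- comments so a commented-out ALTER TABLE does
    # not count as enabling RLS (and commented-out CREATE TABLE is ignored).
    sql = re.sub(r'/\*.*?\*/', ' ', sql, flags=re.DOTALL)
    return re.sub(r'--[^\n]*', ' ', sql)


def _norm(name):
    # Drop surrounding double quotes and lower-case so "Orders" and orders match.
    return name.strip('"').lower()


def public_tables_without_rls(sql):
    """Return sorted names of public tables created in `sql` with no matching
    ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement."""
    sql = _strip_comments(sql)
    created = set()
    for m in CREATE_TABLE_RE.finditer(sql):
        if _norm(m.group('schema') or 'public') == 'public':
            created.add(_norm(m.group('table')))
    enabled = set()
    for m in ENABLE_RLS_RE.finditer(sql):
        if _norm(m.group('schema') or 'public') == 'public':
            enabled.add(_norm(m.group('table')))
    return sorted(created - enabled)


# Constructed sample migration (not taken from any real project).
SAMPLE_MIGRATION = """
-- constructed sample migration
create table public.profiles (
  id uuid primary key references auth.users(id),
  display_name text
);
alter table public.profiles enable row level security;

create table if not exists orders (
  id bigint generated always as identity primary key,
  user_id uuid not null,
  total numeric
);
-- no RLS statement for orders

create table auth.audit_log_copy (id bigint);  /* not the public schema */
"""

if __name__ == "__main__":
    for table in public_tables_without_rls(SAMPLE_MIGRATION):
        print(f"public.{table}: created without ENABLE ROW LEVEL SECURITY")
```

On the sample migration this reports only orders: profiles is covered by its ALTER TABLE statement, and auth.audit_log_copy is outside the public schema. In a real repo scan you would run this over every file in the migrations directory in order and carry the enabled set across files, since a later migration may enable RLS on a table created earlier.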
May 12, 2026
- NEW Repo web-app risk checklist. GitHub repo scans can now flag high-confidence OWASP-style code risks such as raw SQL interpolation, unsafe HTML sinks, credentialed wildcard CORS, disabled TLS verification, and weak JWT secret fallbacks.
- NEW Next.js middleware-bypass check. Active scans for verified domains can now confirm CVE-2025-29927 exposure on middleware-protected routes before reporting it, and reports include the standard FixVibe AI fix prompt for remediation.
May 9, 2026
- SECURITY Cross-origin scope hardening. Active scans and client-asset checks now stay within the authorized target scope and avoid carrying customer-provided credentials across cross-origin redirects.
- FIXED Supabase RLS check is now strictly read-only. Supabase posture checks now avoid write attempts and focus on safe exposure signals. Verified-domain active testing remains the boundary for deeper confirmation.
- IMPROVED Security-header findings apply only to root HTML responses. 204 responses, JSON APIs, file downloads, and 404s no longer produce findings for missing CSP, Permissions-Policy, X-Frame-Options, or Referrer-Policy. HSTS and X-Content-Type-Options are still evaluated on every response.
- IMPROVED Auth-flow and rate-limit checks now require stronger evidence. FixVibe now reports these issues only when the application behavior clearly supports the finding, reducing noise from generic error pages and unsupported methods.
- IMPROVED File-upload findings tier by exploitability evidence. File-upload reports now separate low-confidence acceptance signals from stronger evidence of risky serving behavior, reducing over-severity on benign upload handlers.
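The header-scoping rule above, together with the Referrer-Policy, Permissions-Policy and clickjacking entries from May 16, describes a small decision procedure: which security headers to judge on which responses. The following added example (not FixVibe's code) implements that procedure over a few constructed responses: HSTS and X-Content-Type-Options are checked on every response, the four document headers only on a 200 text/html response, a CSP frame-ancestors directive satisfies the clickjacking check in place of X-Frame-Options, and Referrer-Policy is judged by its effective (last) token. Treating "200 with text/html" as the root HTML document, and the set of Referrer-Policy values treated as leaking the full URL, are assumptions of this example.

```python
from dataclasses import dataclass

# Checked on every response, as the changelog states.
ALWAYS_HEADERS = ("strict-transport-security", "x-content-type-options")
# Assumption: these Referrer-Policy values send the full URL cross-origin
# over HTTPS and are treated as "weak".
WEAK_REFERRER_VALUES = {"unsafe-url", "no-referrer-when-downgrade"}


@dataclass
class Response:
    """Constructed stand-in for an HTTP response; header names in any case."""
    url: str
    status: int
    headers: dict

    def header(self, name):
        for key, value in self.headers.items():
            if key.lower() == name:
                return value
        return None


def is_root_html_document(resp):
    # Assumption: a 200 response whose Content-Type is text/html is the
    # document the browser renders; 204, JSON, downloads and 404s are not.
    ctype = (resp.header("content-type") or "").lower()
    return resp.status == 200 and ctype.startswith("text/html")


def effective_referrer_policy(value):
    # A comma-separated Referrer-Policy list: the last token is the one the
    # browser applies (if it recognises it), so judge that token.
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    return tokens[-1] if tokens else ""


def header_findings(resp):
    """Return the list of header findings for one response."""
    findings = []
    for name in ALWAYS_HEADERS:
        if resp.header(name) is None:
            findings.append(f"missing {name}")
    if not is_root_html_document(resp):
        return findings  # document-only headers are not judged here

    csp = resp.header("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
    # CSP frame-ancestors is the modern clickjacking control; accept either.
    has_frame_ancestors = bool(csp) and "frame-ancestors" in csp.lower()
    if resp.header("x-frame-options") is None and not has_frame_ancestors:
        findings.append("missing clickjacking protection (x-frame-options or csp frame-ancestors)")

    rp = resp.header("referrer-policy")
    if rp is None:
        findings.append("missing referrer-policy")
    else:
        effective = effective_referrer_policy(rp)
        if effective in WEAK_REFERRER_VALUES:
            findings.append(f"weak referrer-policy ({effective}): full URL can leak to cross-origin requests")

    if resp.header("permissions-policy") is None:
        findings.append("missing permissions-policy")
    return findings


# Constructed sample responses (no real host).
SAMPLES = [
    Response("https://example.test/", 200, {
        "Content-Type": "text/html; charset=utf-8",
        "Strict-Transport-Security": "max-age=63072000",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Referrer-Policy": "unsafe-url",
    }),
    Response("https://example.test/api/items", 200, {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
    }),
    Response("https://example.test/missing", 404, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for resp in SAMPLES:
        print(resp.url, resp.status, header_findings(resp) or "no findings")
```

The root document yields only a weak Referrer-Policy and a missing Permissions-Policy: X-Frame-Options is absent, but the CSP frame-ancestors directive covers it. The JSON endpoint and the 404 page get findings only for the two always-checked headers, which is exactly the noise reduction the entry describes.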
May 7, 2026
- FIXED Threat-intel listing accuracy improved. FixVibe now distinguishes real blocklist evidence from resolver diagnostics so threat-intel findings do not over-report on infrastructure-side lookup responses.
- NEW GitHub repo scan. Connect a repo and FixVibe checks the source for leaked Supabase service keys, Firebase admin tokens, risky workflow files, and outdated dependencies without loading the deployed site. See Scan types.
- NEW SAST check for dangerous JavaScript. Repo scans now flag new Function() and setTimeout("string"). Both are equivalent to eval() when they receive untrusted input.
- FIXED False "exposed file" findings on Vercel / Cloudflare sites. A bare 403 Forbidden response is no longer reported as "file exists". Most edge providers return 403 for suspicious paths regardless of whether the file exists. A positive HTTP signal is now required before flagging.
- FIXED Repo-code false positives reduced. Repo scans now avoid flagging security terms in comments, documentation, test helpers, and clearly server-only contexts for several high-signal code checks.
- FIXED A Supabase anon key in localStorage is no longer reported as a JWT-in-storage finding. The anon key is a token intended to be public to the client. A real service-role token in browser storage is still critical, with a clearer title.
- FIXED CSP weakness detection improved. Content-Security-Policy checks now catch more permissive source policies while keeping evidence and remediation focused on the effective browser policy.
- FIXED Reflected-XSS check tightened. Active scans now require stronger reflection evidence before reporting executable-context risk, reducing false positives from unrelated markup on the page.
- FIXED Domain verification now correctly handles apex ↔ www redirects, and it is clearer what value to put in the TXT-record Host field.
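The anon-key entry above turns on telling a public-by-design Supabase key apart from a service-role key when both are JWT-shaped strings in browser storage. As an added illustration (not FixVibe's code), the example below decodes the unverified JWT payload and classifies the token by its claims: a Supabase-issued token with role "anon" produces no finding, one with role "service_role" is critical, and any other JWT is reported as a JWT in storage. The localStorage snapshot and the tokens in it are constructed here with a fake signature; that Supabase project keys carry iss="supabase" and a role claim is an assumption of this example, not a statement about how the product decides.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode())


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token):
    """Return the unverified payload claims of a JWT-shaped string, else None.
    The signature is deliberately not checked: classification only needs
    the claims, and the scanner never holds the signing secret."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return claims if isinstance(claims, dict) else None


def classify_storage_token(key, value):
    """Map one storage entry to a (finding_id, title) tuple, or None for no finding."""
    claims = jwt_claims(value)
    if claims is None:
        return None
    # Assumption: Supabase project keys have iss="supabase" and a role claim.
    if claims.get("iss") == "supabase":
        role = claims.get("role")
        if role == "anon":
            return None  # public by design: not a finding
        if role == "service_role":
            return ("service-role-key-in-storage",
                    f"{key}: Supabase service-role key exposed in browser storage (critical)")
    return ("jwt-in-storage", f"{key}: JWT stored in browser storage, readable by any script on the page")


def scan_storage(storage):
    """Run the classifier over a dict snapshot of localStorage."""
    return [f for f in (classify_storage_token(k, v) for k, v in storage.items()) if f]


def make_fake_jwt(claims):
    # Constructed token for the example only: the signature is not real.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


# Constructed localStorage snapshot (project ref and tokens are invented).
SAMPLE_LOCAL_STORAGE = {
    "supabase_anon_key": make_fake_jwt(
        {"iss": "supabase", "ref": "constructed-ref", "role": "anon", "exp": 2000000000}),
    "supabase_admin_key": make_fake_jwt(
        {"iss": "supabase", "ref": "constructed-ref", "role": "service_role", "exp": 2000000000}),
    "session": make_fake_jwt(
        {"iss": "https://constructed-ref.supabase.co/auth/v1", "role": "authenticated", "sub": "user-1"}),
    "theme": "dark",
}

if __name__ == "__main__":
    for finding_id, title in scan_storage(SAMPLE_LOCAL_STORAGE):
        print(finding_id, "-", title)
```

Running it on the snapshot yields two findings: the service-role key (critical) and the user session JWT, while the anon key and the plain "theme" value produce nothing. Remediation for the first is rotating the service-role key and moving its use server-side; the second is the ordinary JWT-in-storage advice of keeping session tokens in httpOnly cookies where the app design allows.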
Format
Each entry carries a tag so you can skim quickly.
- NEW A new check, surface, or feature.
- IMPROVED Existing behavior is now more accurate, faster, or clearer.
- FIXED A bug we had shipped has been fixed.
- SECURITY Hardening, a vulnerability fix, or a compliance change.
Something broken that isn't recorded here? Email support@fixvibe.app.
