FixVibe


Changelog

FixVibe scanning engine updates: new coverage, security hardening, and precision improvements. Newest entries first.

July 2, 2026

  • FIXED: Legal-link false positives reduced. Privacy and terms links that are visible after client-side rendering now count correctly, so SPA footers are not reported as missing when users can see those links.

June 30, 2026

  • NEW: Label Studio CVE-2025-47783 reflected XSS check. Verified active scans now flag Label Studio upload-example responses when target-specific label_config evidence shows raw HTML metacharacter reflection, without executing JavaScript, using victim sessions, reading tokens, or storing project data.
  • NEW: AVideo CVE-2023-25313 / GHSA-pgvh-p3g4-86jw advisory. Repo scans flag affected wwbn/avideo Composer manifests and lockfiles below 12.4 with version-based evidence only; no AVideo login, video-link submission, video creation, request-delay checks, command execution, or runtime exploit claim.
  • NEW: GL.iNet GL-MT3000 CVE-2026-11451 advisory. Verified active scans flag GL.iNet GL-MT3000 firmware 4.4.5 as version-based advisory evidence only; no router authentication, FTP-setting changes, file writes, command input, or command-execution claim.
  • IMPROVED: Schneider Modicon M221 remote-restart coverage. The existing passive Modicon M221 firmware check now correlates the same strong public HTTP product and firmware-version evidence with CVE-2018-7789 alongside CVE-2018-7790, reporting version-based advisory context without sending restart probes, querying Modbus, replaying authentication, uploading PLC programs, or claiming exploit confirmation.
  • NEW: Mbed TLS CVE-2024-45159 repo advisory coverage. GitHub repo scans now flag source and build metadata for affected Mbed TLS 3.2.0 through 3.6.0 releases, reporting version-based advisory evidence without client-certificate probes, TLS handshake testing, or authentication-bypass confirmation.
  • NEW: Oracle Java SE/GraalVM CVE-2022-21340 repo advisory coverage. GitHub repo scans now flag explicit Oracle Java SE or Oracle GraalVM Enterprise runtime metadata, reporting version-based advisory evidence without running Java, sandbox-code proof, denial-of-service traffic, or runtime exploit confirmation.
  • NEW: OpenSSL CMS CVE-2025-15467 advisory. GitHub repo scans now flag affected OpenSSL CMS release-line evidence and report branch-aware source/config evidence without crash, denial-of-service, or code-execution reproduction.
  • NEW: codfish semantic-release GitHub Action compromise check. Repo scans can now flag workflow YAML references to codfish/semantic-release-action refs associated with the June 2026 compromise, reporting source/config evidence only. The check does not run GitHub Actions, read CI secrets, inspect runners, or claim credential theft.
  • NEW: Spring Data Commons property-path advisory coverage. GitHub repo scans now report Maven/Gradle dependency evidence for Spring Data Commons versions associated with CVE-2018-1274 / GHSA-5q8m-mqmx-pxp9. The finding stays version-based and does not run the app, probe Spring Data REST endpoints, send crafted property-path parameters, stress CPU or memory, or claim denial-of-service confirmation.
  • NEW: vm2 Promise species advisory coverage. GitHub repo scans now report npm manifest and lockfile evidence for vm2 versions associated with CVE-2026-47208 / GHSA-76w7-j9cq-rx2j. The finding stays version-based and does not run the app, execute sandbox-breakout proof-of-concept code, inspect live workers, or claim host command execution.
  • NEW: pyLoad /flashgot advisory coverage. GitHub repo scans now report Python manifest and lockfile evidence for pyload-ng versions associated with CVE-2024-47821 / GHSA-w7hq-f2pj-c53g. The finding stays version-based and does not run pyLoad, send /flashgot requests, change settings, download files, write script directories, or claim command execution.
  • NEW: SAP Cloud SDK for AI Python advisory check. GitHub repo scans now flag Python manifest and lockfile evidence for sap-ai-sdk-base versions affected by CVE-2023-25617 / GHSA-xxhh-59gh-6ffx as version-based advisory evidence, without running Python, connecting to SAP BusinessObjects, scheduling Program Objects, sending command-injection input, or claiming OS command execution.
  • NEW: Gradio Windows/Python path traversal advisory check. GitHub repo scans now flag Gradio dependency evidence for CVE-2026-28414 / GHSA-39mp-8hj3-5c49 and raise confidence when repository configuration also points to Windows with Python 3.13+, without requesting Gradio file endpoints, sending traversal input, reading files, or claiming live arbitrary file read.

June 29, 2026

  • NEW: MISP STIX import source advisory coverage. GitHub repo scans now report source evidence for CVE-2018-19908 in app/Model/Event.php when original STIX filenames flow into shell command construction. The check uses repository source evidence and does not run MISP, import files, or claim runtime command execution.
  • NEW: MindsDB status version advisory coverage. Verified active scans now include MindsDB /api/status version evidence for CVE-2026-27483 when the public status endpoint reports a release before 25.9.1.1. This read-only check does not upload files, send traversal filenames, or claim remote-code execution.
  • NEW: NiceGUI upload filename source advisory check. GitHub repo scans now include CVE-2026-25732 coverage when affected NiceGUI dependency evidence appears with upload-handler source that saves paths built from client-supplied filenames. The check reports source/dependency evidence without uploading files, writing outside upload directories, or claiming code execution.

June 18, 2026

  • NEW: SillyTavern SearXNG SSRF active check. Verified active scans now report only direct evidence that a SillyTavern SearXNG search proxy fetched a FixVibe-controlled external callback URL. The probe avoids localhost, cloud metadata, private-network targets, and internal-service requests.
  • NEW: Unauthenticated Glances REST API exposure check. Verified active scans now confirm when the scanned origin exposes the Glances REST API identity and metrics-format responses without authentication. FixVibe records only the response format and avoids broad API dumps, process lists, command lines, configuration, or secrets.
  • NEW: Spring Data Commons + XMLBeam advisory coverage. GitHub repo scans now report paired Maven/Gradle dependency evidence for Spring Data Commons and XMLBeam versions associated with CVE-2018-1259 / GHSA-m929-7fr6-cvjg. The finding stays version-based and does not run the app, send XML payloads, probe endpoints, read local files, or claim SSRF confirmation.
  • NEW: Moby AuthZ dependency advisory check. GitHub repo scans can now flag Go module manifests that resolve Moby or Docker Engine versions affected by CVE-2026-34040 / GHSA-x744-4wpc-v9h2, reporting version-based evidence without connecting to Docker APIs, probing AuthZ plugins, sending crafted requests, or claiming authorization-bypass confirmation.
  • NEW: NGINX rewrite-module config advisory check. GitHub repo scans can now correlate affected NGINX version evidence with rewrite-module configuration evidence for CVE-2026-42945, without running NGINX, sending traffic, or claiming memory-corruption proof.
  • NEW: SQLitePCLRaw NuGet advisory check. GitHub repo scans can now flag .NET project and NuGet lockfile evidence for affected SQLitePCLRaw native SQLite packages tied to CVE-2025-6965 / GHSA-2m69-gcr7-jv3q, without claiming memory-corruption proof.
  • NEW: gemini-mcp-tool CVE-2026-0755 advisory. Repo scans flag affected npm manifest and lockfile versions for GHSA-4h5r-5jm8-jxjm with repository version evidence only. The check does not run the MCP server, send command or @file probes, trigger callbacks, read local files, or assert runtime exploit confirmation.
  • NEW: Mastra easy-day-js advisory check. GitHub repo scans flag easy-day-js manifest and lockfile evidence tied to the June 2026 Mastra npm incident. The finding stays limited to repository dependency evidence and does not verify stale npm owners, run package scripts, inspect hosts, or assert credential theft.
  • NEW: Drupal Core CVE-2026-9082 advisory check. GitHub repo scans flag Composer manifest and lockfile versions for GHSA-ghwc-95x2-682j with repository version evidence only. The check does not run Drupal, verify PostgreSQL, send SQL payloads, extract data, or assert runtime exploit confirmation.
  • NEW: Paramiko SSH-server authentication advisory check. GitHub repo scans can now flag Python dependency files that resolve Paramiko releases affected by CVE-2018-7750 / GHSA-232r-66cg-79px, reporting version-based advisory evidence without starting an SSH server, sending bypass traffic, or claiming deployed server-mode exposure.
  • NEW: Apache Tomcat HTTP/2 resource-consumption dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat releases affected by CVE-2020-11996 / GHSA-53hp-jpwq-2jgq, reporting version-based advisory evidence without running Tomcat, sending HTTP/2 denial-of-service traffic, generating high-CPU proof traffic, or claiming runtime availability impact.
  • NEW: @andrei-tatar/nora-firebase-common prototype-pollution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve @andrei-tatar/nora-firebase-common versions affected by CVE-2024-30564 / GHSA-jjff-q3q4-5hh8, reporting version-based advisory evidence without running the package, mutating Object.prototype, sending proof payloads, or claiming runtime exploit confirmation.
  • NEW: cordova-plugin-inappbrowser Android advisory check. GitHub repo scans can now flag npm manifests, lockfiles, and Cordova config.xml files that resolve cordova-plugin-inappbrowser versions affected by CVE-2019-0219 / GHSA-c6pw-q7f2-97hv, reporting version-based advisory evidence without building mobile binaries, loading proof content, exercising plugin bridge behavior, or claiming deployed Android exploitability.
  • NEW: Nokogiri libxslt RubyGems advisory coverage. GitHub repo scans now report Gemfile, Gemfile.lock, and gemspec evidence for Nokogiri releases affected by CVE-2019-18197 / GHSA-242x-7cm6-4w8j. The check uses version-based RubyGems evidence and does not run Ruby, process XML or XSLT input, crash-test libxslt, or claim runtime exploit confirmation.
  • NEW: Perl GD CPAN advisory coverage. GitHub repo scans now report CPAN dependency evidence for Perl GD releases affected by CVE-2026-11526. The check uses version-based repository evidence and does not run Perl, process image files, pass crafted filenames to GD::Image constructors, or claim command-execution or file-overwrite confirmation.
  • NEW: kill-port-process CVE-2019-15609 advisory check. GitHub repo scans flag affected npm manifest and lockfile versions for GHSA-xp4x-j9vh-c3wf, reporting version evidence only. The check does not run the package, send command payloads, terminate processes, or assert runtime exploit confirmation.
  • NEW: proxy npm advisory coverage. GitHub repo scans can now report repository dependency evidence for proxy releases associated with CVE-2023-2968 / GHSA-mj6p-3pc9-wf5m. The finding stays version-based and does not run proxy, send crafted request traffic, crash-test services, or claim runtime denial-of-service confirmation.
  • NEW: Apache ActiveMQ Artemis Jolokia dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve org.apache.activemq:artemis-cli versions affected by CVE-2023-50780 / GHSA-443j-grxv-2pgv, reporting version-based advisory evidence without authenticating to Jolokia, enumerating MBeans, changing Log4J2 configuration, writing files, restarting services, or claiming live RCE confirmation.
  • NEW: Apache ActiveMQ Artemis dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that pin or allow artemis-server versions affected by CVE-2026-27446 / GHSA-fw88-pf9m-p947, reporting version-based advisory evidence without connecting to brokers, triggering federation callbacks, or claiming message injection/exfiltration confirmation.
  • NEW: Apache Spark UI dependency advisory check. GitHub repo scans can now flag Maven, Gradle, and PySpark dependency files that pin or allow Apache Spark versions affected by CVE-2022-33891 / GHSA-4x9r-j582-cgr8, reporting version-based advisory evidence without visiting Spark UI, sending active exploit probes, or claiming command-execution confirmation.
  • NEW: vLLM pickle-deserialization dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow vllm versions affected by CVE-2024-9053 / GHSA-cj47-qj6g-x7r4, reporting version-based advisory evidence without running vLLM, exposing AsyncEngineRPCServer, sending pickle payloads, or claiming runtime code-execution confirmation.
  • NEW: Apache Airflow example-DAG advisory coverage. GitHub repo scans can now report repository dependency evidence for Airflow releases associated with CVE-2024-45498 / GHSA-c392-whpc-vfpr. The finding stays version-based and does not probe Airflow UI, trigger DAGs, run command payloads, or claim runtime exploit confirmation.
  • NEW: ONNX download_model_with_test_data advisory coverage. GitHub repo scans now report Python dependency evidence for onnx releases affected by CVE-2024-5187 / GHSA-6rq9-53c3-f7vj and add source-call context when download_model_with_test_data appears. The check does not run Python, download or extract model archives, create malicious tar files, overwrite files, or claim runtime exploit confirmation.
  • NEW: YOURLS type-juggling dependency advisory check. GitHub repo scans can now flag Composer and YOURLS source-version evidence for yourls/yourls releases affected by CVE-2019-14537 / GHSA-vf23-f26f-mjj9, reporting version-based advisory evidence without calling the YOURLS API, sending authentication-bypass requests, probing admin pages, or claiming unauthorized access.
  • NEW: http4k-format-xml dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve org.http4k:http4k-format-xml versions affected by CVE-2024-55875 / GHSA-7mj5-hjjj-8rgw, reporting version-based advisory evidence without sending XML payloads, SSRF callbacks, local-file reads, or denial-of-service traffic.

June 14, 2026

  • FIXED: DOM XSS fragment probe stability fix. Verified active scans now skip the DOM fragment probe cleanly when browser automation is unavailable at startup, so reports no longer show internal browser-context errors for that check.
  • IMPROVED: Expanded Red Hat npm worm coverage. GitHub repo scans now include additional Wiz-reported @redhat-cloud-services package versions for the Miasma campaign, while still reporting repository dependency evidence without installing packages, executing lifecycle scripts, or claiming credential theft.
  • NEW: Known npm typosquat package check. GitHub repo scans can now flag package manifests and lockfiles that resolve Microsoft-reported vpmdhaj npm typosquat package versions, reporting version-based advisory evidence without installing packages, executing lifecycle scripts, fetching tarballs, contacting attacker infrastructure, or claiming credential theft.
  • NEW: Codex Remote UI token-stealing npm package check. GitHub repo scans can now flag package manifests and lockfiles that resolve codexui-android 0.1.82 or newer, reporting version-based advisory evidence without installing the package, executing it, reading Codex auth files, contacting exfiltration infrastructure, or claiming token theft.
  • NEW: Claude Code GitHub Action workflow repo check. GitHub repo scans can now flag Claude Code Action workflows with mutable action refs, broad workflow token permissions, or risky access override inputs, reporting workflow YAML evidence without running Actions, executing Claude Code, reading CI secrets, or claiming prompt-injection exploitation.
  • NEW: onering Rust crate malware repo check. GitHub repo scans can now flag Cargo manifests or lockfiles that resolve onering 1.4.1 or the known compromised onering git commit, and can flag matching checked-in build.rs evidence, without running Cargo, executing build scripts, fetching crates, or claiming source exfiltration.
  • NEW: Node-gyp / Phantom Gyp npm worm repo check. GitHub repo scans can now flag package manifests or lockfiles that resolve known malicious npm package versions from the binding.gyp supply-chain campaign, or flag matching binding.gyp source evidence, without running npm install, executing node-gyp, downloading tarballs, or claiming credential theft.

June 11, 2026

  • IMPROVED: Moxa NPort authentication advisory coverage. The existing verified-active Moxa NPort firmware check now correlates the same strong HTTP model and firmware evidence with CVE-2016-9361 as part of the MCSA-160401 advisory family, while still reporting a version-based advisory without attempting password retries, brute-force checks, firmware uploads, unauthenticated administrative actions, SNMP queries, serial-device protocol probes, crash tests, or exploit confirmation.
  • IMPROVED: Moxa NPort unauthenticated firmware-update advisory coverage. The existing verified-active Moxa NPort firmware check now correlates the same strong HTTP model and firmware evidence with CVE-2016-9369 as part of the MCSA-160401 advisory family, while still reporting a version-based advisory without attempting firmware uploads, unauthenticated administrative actions, SNMP queries, serial-device protocol probes, crash tests, or exploit confirmation.
  • NEW: Schneider Modicon M221 firmware advisory check. Passive scans can now flag strong public HTTP product and firmware-version evidence for Modicon M221 controllers associated with CVE-2018-7790, reporting version-based advisory context without capturing credentials, replaying authentication, querying Modbus, uploading PLC programs, or claiming unauthorized-access confirmation.
  • NEW: Langflow CVE-2025-34291 CORS advisory check. Verified active scans can now flag affected Langflow instances when target-specific version evidence is paired with credentialed CORS origin reflection, without authenticating, reading tokens, triggering refresh flows, or claiming code-execution confirmation.
  • NEW: SiteOmat BOS version advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14728 as a version-based advisory, without attempting default credentials, SSH login, broad port scans, state-changing management actions, or unauthorized access.
  • NEW: SiteOmat login SQL injection advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14851 as a version-based advisory, without submitting login forms, sending SQL injection payloads, attempting authentication bypass, accessing post-login pages, or making state-changing management requests.
  • NEW: SiteOmat CGI buffer-overflow advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14854 as a version-based advisory, without sending crafted CGI input, overflow payloads, crash tests, broad port scans, state-changing management actions, or exploit requests.
  • NEW: Kubernetes externalIPs manifest advisory check. GitHub repo scans can now flag Kubernetes Service manifests that declare non-empty spec.externalIPs as source/config hardening evidence for CVE-2020-8554, without inspecting live clusters, checking RBAC, sending traffic, or claiming traffic interception.
  • NEW: Apache Tomcat EncryptInterceptor dependency advisory check. GitHub repo scans can now flag Maven and Gradle files that resolve exact Tomcat releases associated with CVE-2026-34486 / GHSA-69r9-qgr7-g2wj, reporting version-based advisory evidence without running Tomcat, inspecting cluster traffic, sending crafted Tribes packets, or claiming plaintext-disclosure confirmation.
  • NEW: Apache Tomcat h2c request mix-up dependency advisory check. GitHub repo scans can now flag Maven and Gradle files that resolve Tomcat embedded-core or Coyote versions affected by CVE-2021-25122 / GHSA-j39c-c8hj-x4j3, reporting version-based advisory evidence without running Tomcat, sending h2c upgrade requests, capturing traffic, or claiming information-disclosure confirmation.
  • NEW: PickleScan ZIP CRC dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow PickleScan versions affected by CVE-2025-10156 / GHSA-mjqp-26hc-grxg, reporting version-based advisory evidence without running PickleScan, creating corrupted archives, loading models, or claiming runtime code-execution confirmation.
  • NEW: NLTK Zip Slip dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow NLTK versions affected by CVE-2025-14009 / GHSA-7p94-766c-hgjp, reporting version-based advisory evidence without running Python or NLTK, calling nltk.download(), extracting packages, creating malicious archives, or claiming runtime code-execution confirmation.
  • NEW: TanStack ArkType adapter malware dependency check. GitHub repo scans can now flag package manifests and lockfiles that resolve @tanstack/arktype-adapter to malicious versions 1.166.12 or 1.166.15 from CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx, reporting version-based advisory evidence without running npm install, executing lifecycle scripts, downloading tarballs, or claiming credential theft.
  • NEW: Mbed TLS CVE-2021-44732 repo advisory check. GitHub repo scans can now flag source and build metadata that identify Mbed TLS versions affected by CVE-2021-44732, reporting version-based advisory evidence without running Mbed TLS, forcing out-of-memory behavior, calling session-copy APIs, or claiming live double-free confirmation.
  • NEW: IIS TRACK method exposure check. Verified active scans can now flag legacy TRACK echo behavior associated with CVE-2003-1567 using non-sensitive request evidence, without sending cookies, credentials, browser exploit pages, user traffic, or state-changing requests.
  • NEW: Red Hat npm worm dependency advisory check. GitHub repo scans can now flag package manifests and lockfiles that resolve known compromised @redhat-cloud-services npm versions associated with the credential-stealing worm campaign, reporting dependency evidence without executing install scripts or claiming credential theft.
  • NEW: DICOM executable preamble check. GitHub repo scans can now flag committed DICOM files whose Part 10 preamble carries executable-file evidence, reporting static file evidence without executing the file or claiming production compromise.
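The DICOM preamble check described above is a purely static file-format test. As an added example (not FixVibe's own code), here is one way such a check can be written in Python: it requires the Part 10 "DICM" prefix at offset 128, then looks for executable-file magic (MZ/PE, ELF, Mach-O, shebang) at the start of the 128-byte preamble, and strengthens an MZ hit by following the e_lfanew pointer to a PE signature. Function and constant names are the example's own, and the sample byte strings are constructed inline rather than taken from any real file.

```python
"""Static check for DICOM Part 10 files whose 128-byte preamble starts with an
executable-file header (a DICOM/PE-style polyglot indicator).

Added example, not FixVibe's own code. Function and constant names are the
example's own; the sample files below are constructed inline."""
import struct
from dataclasses import dataclass
from typing import Optional

PREAMBLE_LEN = 128          # Part 10: 128-byte preamble, then the 4-byte "DICM" prefix
DICOM_MAGIC = b"DICM"

# Executable-format magics that have no legitimate reason to open a DICOM preamble.
# A benign preamble is usually all zeros (some vendors store a TIFF/JPEG header there).
EXECUTABLE_MAGICS = (
    (b"MZ", "DOS/PE executable header"),
    (b"\x7fELF", "ELF executable header"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit (little-endian)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (little-endian)"),
    (b"#!", "script shebang"),
)


@dataclass
class PreambleFinding:
    is_dicom: bool                  # "DICM" found at offset 128
    executable_kind: Optional[str]  # None when the preamble looks benign
    preamble_all_zero: bool


def inspect_dicom_preamble(data: bytes) -> PreambleFinding:
    """Return static evidence about the preamble; nothing is executed."""
    magic_end = PREAMBLE_LEN + len(DICOM_MAGIC)
    if len(data) < magic_end or data[PREAMBLE_LEN:magic_end] != DICOM_MAGIC:
        return PreambleFinding(is_dicom=False, executable_kind=None, preamble_all_zero=False)

    preamble = data[:PREAMBLE_LEN]
    kind = next((label for magic, label in EXECUTABLE_MAGICS if preamble.startswith(magic)), None)

    # Strengthen an "MZ" hit: in a real PE the e_lfanew field at 0x3C points at "PE\0\0".
    # In a polyglot that signature must sit past the DICM prefix, inside the DICOM body.
    if kind and preamble.startswith(b"MZ"):
        e_lfanew = struct.unpack_from("<I", preamble, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            kind = "PE executable header (e_lfanew resolves to a PE signature)"

    return PreambleFinding(is_dicom=True, executable_kind=kind,
                           preamble_all_zero=not any(preamble))


def _dicom_body() -> bytes:
    # Minimal constructed group-0002 element (Meta Information Group Length), explicit VR LE.
    return b"\x02\x00\x00\x00UL\x04\x00\x00\x00\x00\x00"


# --- constructed samples -------------------------------------------------
# Benign: zeroed preamble followed by "DICM" and a minimal meta element.
BENIGN_DICOM = b"\x00" * PREAMBLE_LEN + DICOM_MAGIC + _dicom_body()

# Polyglot layout: "MZ" header whose e_lfanew (offset 0x3C) points to a "PE\0\0"
# signature placed at offset 0x90, i.e. after the "DICM" prefix.
_PE_SIG_OFFSET = 0x90
_mz_preamble = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", _PE_SIG_OFFSET)
_mz_preamble += b"\x00" * (PREAMBLE_LEN - len(_mz_preamble))
POLYGLOT_DICOM = _mz_preamble + DICOM_MAGIC
POLYGLOT_DICOM += b"\x00" * (_PE_SIG_OFFSET - len(POLYGLOT_DICOM)) + b"PE\x00\x00" + _dicom_body()

# Not DICOM at all: a bare "MZ" file must not be reported as a DICOM finding.
PLAIN_EXE = b"MZ" + b"\x00" * 300


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_DICOM), ("polyglot", POLYGLOT_DICOM), ("plain exe", PLAIN_EXE)):
        print(name, inspect_dicom_preamble(blob))
```

In a repo scanner the same function would be fed the first few hundred bytes of each committed file that either has a `.dcm` extension or carries the "DICM" prefix, and a non-`None` `executable_kind` on a file that is also valid DICOM is the evidence to report; the e_lfanew follow-up is what separates a genuine PE/DICOM polyglot from a preamble that merely happens to start with the two bytes "MZ".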

June 10, 2026

  • NEW: Mbed TLS CVE-2023-45199 repo advisory check. GitHub repo scans can now flag source and build metadata that identify Mbed TLS 3.2.x through 3.4.x, reporting version-based advisory evidence without sending TLS handshake payloads or claiming live memory corruption.
  • NEW: Rockwell MicroLogix 1100 advisory fingerprint. Passive scans can now flag strong public HTTP evidence of a Rockwell Automation MicroLogix 1100 controller associated with CVE-2021-33012, reporting advisory context without sending industrial protocol commands or claiming denial-of-service behavior.
  • NEW: Moxa NPort firmware advisory check. Verified active scans can now flag public HTTP model and firmware-version evidence for Moxa NPort devices associated with CVE-2016-9363, reporting version-based advisory context without sending crafted packets, querying SNMP, testing serial-device services, or claiming exploit confirmation.
  • NEW: Rockwell MicroLogix 1100 authentication-attempt advisory check. Verified active scans can now flag public HTTP model and firmware evidence for MicroLogix 1100 controllers associated with CVE-2017-7898, reporting version-based advisory context without attempting logins, brute force, or industrial protocol probes.
  • NEW: Log4j 1.2 JDBCAppender advisory check. GitHub repo scans can now flag Log4j 1.2 dependency evidence paired with JDBCAppender SQL configuration for CVE-2022-23305 / GHSA-65fg-84f6-3jq3, reporting repository/config evidence without executing SQL, writing log events, or claiming runtime database compromise.
  • NEW: Log4j 1.2 JMSAppender advisory check. GitHub repo scans can now flag Log4j 1.2 dependency evidence paired with JMSAppender configuration for CVE-2021-4104 / GHSA-fp5r-v3w9-4333, reporting repository/config evidence without contacting JNDI or JMS services or claiming runtime exploit confirmation.
  • NEW: Microsoft ATL MS09-035 source advisory check. GitHub repo scans can now flag legacy Visual C++ ATL project metadata paired with ATL source usage associated with CVE-2009-0901 / CVE-2009-2493 / CVE-2009-2495, reporting source/build advisory evidence without inspecting build machines, sending malformed streams, probing information disclosure, or claiming live code-execution confirmation.
  • NEW: Langflow CVE-2026-33017 version advisory check. Verified active scans can now flag public Langflow version evidence for CVE-2026-33017 / GHSA-vwmf-pq79-vjvx as a version-based advisory, without submitting flow data, building flows, executing code, or claiming public-flow exploit confirmation.
  • NEW: Keras CVE-2025-1550 dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow Keras versions affected by CVE-2025-1550 / GHSA-48g7-3x6r-xfhp, reporting version-based advisory evidence without loading model archives, generating payloads, or claiming runtime code-execution confirmation.
  • NEW: TLS RC4 negotiation advisory check. Verified active scans can now flag TLS endpoints that still select RC4 cipher suites associated with CVE-2015-2808, reporting confirmed RC4 support without capturing traffic or claiming plaintext recovery.
  • NEW: TLS Sweet32 DES/3DES advisory check. Verified active scans can now flag TLS endpoints that still select DES or 3DES 64-bit block cipher suites associated with CVE-2016-2183, reporting confirmed cipher negotiation without capturing traffic or claiming plaintext recovery.
  • NEW: Schneider PowerLogic EGX advisory check. Verified active scans can now flag public PowerLogic EGX100 firmware or EGX300 product evidence associated with CVE-2021-22765 / CVE-2021-22767 / CVE-2021-22768, reporting product/firmware advisory context without sending crafted HTTP packets, querying industrial protocols, crash-testing gateways, or claiming exploit confirmation.

May 27, 2026

  • NEW: Arcserve UDP CVE-2025-34523 version advisory check. Verified active scans can now flag public Arcserve UDP version evidence for CVE-2025-34523 as a version-based advisory, without sending crafted heap-overflow input, crash-testing the service, authenticating to the console, or claiming command execution.
  • NEW: Liferay Portal CVE-2010-5327 version advisory check. Verified active scans can now flag public Liferay Portal version evidence for CVE-2010-5327 as a version-based advisory, without authenticating, editing templates, sending template payloads, or claiming command execution.
  • NEW: ws excessive-header DoS dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve ws versions affected by CVE-2024-37890 / GHSA-3h5v-q93c-6h6q, reporting version-based advisory evidence without sending denial-of-service traffic or claiming runtime WebSocket exposure.

May 25, 2026

  • IMPROVED: SPIP version advisory wording. Passive SPIP version findings now distinguish version-fingerprint advisory evidence for CVE-2016-7980 and CVE-2016-7998 from runtime exploit proof, without active CSRF, local-file validation, or template-execution reproduction.
  • FIXED: Active scan reliability and SSTI accuracy fix. Active scans now safely store response-derived evidence that contains unsupported control characters, and SSTI reporting requires stronger target-specific template-evaluation evidence instead of common page or static-asset content.

May 24, 2026

  • NEW: WebdriverIO BrowserStack service dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve @wdio/browserstack-service versions affected by CVE-2026-25244 / GHSA-5c46-x3qw-q7j7, reporting version-based advisory evidence without running WebdriverIO, starting BrowserStack Local, or using command payloads.
  • NEW: WordPress REST API user-exposure check. Verified active scans can now report WordPress REST users endpoints that return public user slugs to unauthenticated clients, with medium-severity exposure wording that does not claim WordPress version proof or account compromise.
  • NEW: Django CSRF dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow Django versions affected by CVE-2011-0696 / GHSA-5j2h-h5hg-3wf8, reporting version-based advisory evidence without running Django, probing state-changing routes, or claiming runtime CSRF exploitability.
  • NEW: TMT Lockcell SQL injection active check. Verified active scans can now report TMT Lockcell login surfaces whose responses change consistently with CVE-2023-3047, using a bounded login-response comparison that does not run timing delays, follow authenticated redirects, or extract database data.
  • NEW: OpenSSL PowerPC Poly1305 advisory check. GitHub repo scans can now correlate affected OpenSSL 3.x version evidence with PowerPC build/deployment evidence for CVE-2023-6129, reporting version-and-architecture advisory evidence without reproducing state corruption or denial-of-service behavior.

May 23, 2026

  • NEW: electerm unauthenticated command-execution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2020-23256 / GHSA-x73w-g8hx-v7rp, reporting the result as a version-based advisory without probing or starting the electerm service.
  • NEW: SaltStack Salt dependency advisory check. GitHub repo scans can now flag Python dependency evidence for Salt versions affected by CVE-2017-12791 / GHSA-xxvj-8g5m-4qgw, reporting it as a version-based advisory without probing Salt master handshakes.
  • NEW: rclone RC fsinfo exposure check. Verified active scans can now confirm unauthenticated exposure of the rclone Remote Control fsinfo endpoint associated with CVE-2026-41179 / GHSA-jfwf-28xr-xw6q, using limited metadata evidence and no command execution.
  • NEW: Apache Tomcat session-persistence advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat versions affected by CVE-2020-9484 / GHSA-344f-f5vg-2jfj, and strengthen the finding when repository configuration also shows FileStore-backed PersistentManager session persistence.
  • NEW: Note Mark dependency advisory check. GitHub repo scans can now flag Go manifests that resolve Note Mark backend versions affected by CVE-2026-44522 / GHSA-g49p-4qxj-88v3, reporting the result as a version-based advisory without uploading files, triggering exports, or claiming live RCE confirmation.

May 20, 2026

  • NEW: Gogs dependency advisory check. GitHub repo scans can now flag Go manifests that pin Gogs versions affected by CVE-2018-20303 / GHSA-9hxg-w7qf-hh93, reporting version-based advisory evidence rather than path-traversal confirmation.
  • NEW: deephas prototype-pollution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve deephas versions affected by CVE-2020-28271 / GHSA-4fr2-j4g9-mppf, reporting version-based advisory evidence rather than runtime prototype-pollution confirmation.
  • NEW: OpenSSL TLSv1.3 session advisory check. GitHub repo scans can now correlate affected OpenSSL version evidence with TLSv1.3 session configuration evidence for CVE-2024-2511, reporting medium-confidence source/config evidence rather than live denial-of-service confirmation.

19 May 2026

  • IMPROVED electerm Linux install-script coverage. The electerm dependency advisory now includes CVE-2026-41501 / GHSA-8x35-hph8-37hq alongside the existing macOS install-script advisory, keeping the finding scoped to npm manifest and lockfile evidence rather than exploitation confirmation.
  • NEW GeniXCMS author-route SQL injection check. Verified active scans can now confirm CVE-2017-5517-style database error behaviour on GeniXCMS author routes with target-specific evidence, without data extraction or destructive SQL probes.
  • NEW Netmaker DNS key authorization-bypass check. Verified active scans can now confirm CVE-2023-32077 exposure in Netmaker deployments when the DNS API denies the baseline request but returns DNS record evidence through the legacy DNS authorization path, without creating, modifying, or deleting records.
  • NEW openDCIM source command-injection check. GitHub repo scans can now flag the CVE-2026-28517 source/config pattern in report_network_map.php with source-match evidence, a confidence level, and stated runtime exploitation limits rather than active command execution.
  • NEW SPIP valider_xml XSS check. Verified active scans can now confirm CVE-2016-7981-style unescaped URL reflection in SPIP deployments with target-specific HTML-context evidence, without executing JavaScript in a browser.
  • NEW Apache Tomcat Coyote dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat Coyote or embedded core versions affected by CVE-2025-48989 / GHSA-gqp3-2cvr-x8m3, with version-based advisory evidence rather than runtime denial-of-service confirmation.
  • NEW veraPDF XSLT dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve veraPDF artifacts affected by CVE-2024-28109 / GHSA-qxqf-2mfx-x8jw, with version-based advisory evidence rather than XSLT execution confirmation.

18 May 2026

  • NEW electerm dependency advisory check. GitHub repo scans can flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f and CVE-2026-41501 / GHSA-8x35-hph8-37hq, with version-based advisory evidence rather than exploitation confirmation.
  • NEW OpenCms dependency advisory check. GitHub repo scans can now flag Maven pom.xml files that pin or resolve org.opencms:opencms-core versions affected by CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, with version-based advisory evidence rather than XXE exploitation confirmation.
  • NEW MagicMirror /cors SSRF check. Verified active scans can now confirm CVE-2026-42281 exposure on MagicMirror instances when the unauthenticated /cors endpoint fetches a FixVibe-controlled external callback, without testing internal services.

17 May 2026

  • NEW FUXA hardcoded JWT secret check. Verified active scans can now confirm CVE-2025-69971 exposure on FUXA instances that still rely on the vulnerable fallback JWT signing configuration.
  • NEW CKAN DataStore SQL exposure check. Verified active scans can now confirm unauthenticated CKAN DataStore SQL access associated with CVE-2026-42031 and point teams to patched CKAN release lines or a safer DataStore configuration.

16 May 2026

  • NEW PDF.js dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow pdfjs-dist versions affected by CVE-2024-4367 / GHSA-wgrm-67xf-hhpq.
  • NEW Active scans via REST API and MCP. Active scans can now be triggered from REST and MCP on verified domains that have been explicitly authorized in the dashboard. Authorization can be revoked at any time.
  • NEW Safer authorization levels for active scans. Domain authorization now distinguishes safer automated active checks from deeper active testing, so teams can automate the right level of checking for each domain.
  • NEW First-use webhook for API/MCP active scans. A webhook can notify teams the first time an API/MCP-triggered active scan runs on a newly authorized domain.
  • IMPROVED Referrer-Policy findings. Missing or weak Referrer-Policy results now separate URL-referrer leakage from broad information exposure, show document-response evidence, and include generic plus static-host remediation guidance.
  • IMPROVED Permissions-Policy findings. Missing or weak Permissions-Policy results now show feature-level evidence, separate broad feature allowlists from missing hardening, and include generic plus static-host remediation guidance for common hosts, proxies, and app servers.
  • IMPROVED Clickjacking header prompts. Missing X-Frame-Options findings now point agents to CSP frame-ancestors as the modern protection, add Vercel/static SPA header guidance, and verify x-frame-options together with CSP.
  • IMPROVED CSP header evidence and fix prompts. Missing-CSP reports now include clearer hosting and response context, plus safer, framework-based fix guidance.
  • FIXED Vercel path-probe false positives reduced. FixVibe now requires stronger app-specific evidence before reporting exposed framework artifacts on deployments that rewrite unknown routes to the app shell.
  • FIXED Compliance findings no longer carry misleading CWE labels. The legal-compliance check tagged "missing privacy policy" and "missing terms" with CWE-359 (PII exposure), which does not describe the actual gap. These findings now ship without a CWE: they are compliance items, not classifiable security weaknesses.

15 May 2026

  • NEW Additional research-informed checks. FixVibe shipped more coverage based on recent vulnerability research and mapped duplicate topics onto existing scanner modules where coverage already existed.
  • NEW Repository secret-leak check. GitHub repo scans can now flag hardcoded provider keys and high-entropy secret-like values committed to code, with the evidence masked and FixVibe's standard rotation prompt included.
  • NEW Vercel deployment protection check. Passive scans can now flag generated public *.vercel.app deployment URLs that respond without Vercel Deployment Protection, while the existing header checks continue to audit CSP, HSTS, and browser protection.

14 May 2026

  • NEW LiteLLM dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow LiteLLM versions affected by CVE-2026-42208 / GHSA-r75f-5x8p-qvmc.
  • NEW LibreNMS dependency advisory check. GitHub repo scans can now flag Composer manifests that pin or allow LibreNMS versions affected by CVE-2024-51092 / GHSA-x645-6pf9-xwxw.
  • IMPROVED Firebase rules detection. BaaS scans now detect more Firebase app formats and use read-only evidence to identify risky public-data exposures.

13 May 2026

  • NEW Repo Supabase RLS migration check. GitHub repo scans can now flag Supabase SQL migrations that create public tables without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
  • NEW Supabase Storage posture check. Passive scans can now review public Supabase storage buckets and anonymous object-listing exposure alongside the existing RLS and key checks.
  • NEW AI-generated code guardrail check. GitHub repo scans can now flag missing security automation around code scanning, secret scanning, dependency updates, and AI agent instructions.
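The RLS migration check above is easy to reason about as a static rule: every CREATE TABLE in the public schema needs a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY somewhere in the migration set. The script below is an added illustration of that rule written for this page; it is not FixVibe's scanner code, and the migration text it scans is constructed. It strips SQL comments first (so a commented-out ALTER does not count), treats unqualified table names as public (Postgres's default search_path), and ignores non-public schemas.

```python
import re

# Constructed example migration; not taken from any real project.
SAMPLE_MIGRATION = """
-- profiles: RLS enabled correctly
create table public.profiles (
  id uuid primary key references auth.users(id),
  display_name text
);
alter table public.profiles enable row level security;

-- orders: created in public but never protected
CREATE TABLE IF NOT EXISTS "public"."orders" (
  id bigint generated always as identity primary key,
  user_id uuid not null,
  total numeric
);
-- alter table public.orders enable row level security;   <- commented out, must not count

create table audit.events (id bigserial primary key); -- non-public schema, out of scope
"""

# SQL line comments and block comments.
_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)

# Optionally schema-qualified identifier, quoted or not: public.x, "public"."x", x
_IDENT = r'(?:"?[A-Za-z_]\w*"?\s*\.\s*)?"?[A-Za-z_]\w*"?'

_CREATE_RE = re.compile(
    r"\bcreate\s+(?:unlogged\s+)?table\s+(?:if\s+not\s+exists\s+)?(?P<name>" + _IDENT + ")",
    re.I,
)
# ALTER TABLE <name> ... ENABLE ROW LEVEL SECURITY within a single statement (no ';' crossed).
_ENABLE_RLS_RE = re.compile(
    r"\balter\s+table\s+(?:only\s+)?(?:if\s+exists\s+)?(?P<name>" + _IDENT + r")"
    r"[^;]*?\benable\s+row\s+level\s+security\b",
    re.I,
)


def _normalize(name: str) -> str:
    """Lower-case and schema-qualify a table name; unqualified names default to public.
    (Quoted mixed-case identifiers are folded to lower case here for simplicity.)"""
    parts = [p.strip().strip('"').lower() for p in name.split(".")]
    if len(parts) == 1:
        parts.insert(0, "public")
    return ".".join(parts)


def find_tables_without_rls(sql: str) -> list[str]:
    """Return public tables created in `sql` that never get ENABLE ROW LEVEL SECURITY."""
    sql = _COMMENT_RE.sub(" ", sql)
    created = [_normalize(m.group("name")) for m in _CREATE_RE.finditer(sql)]
    rls_enabled = {_normalize(m.group("name")) for m in _ENABLE_RLS_RE.finditer(sql)}
    return [t for t in created if t.startswith("public.") and t not in rls_enabled]


if __name__ == "__main__":
    for table in find_tables_without_rls(SAMPLE_MIGRATION):
        print(f"public table without RLS: {table}")
```

Run as a script it reports `public.orders` only: `profiles` is protected and `audit.events` is outside the public schema. Running the check over the concatenation of all migration files, rather than file by file, avoids false positives when a later migration enables RLS on a table created earlier.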

12 May 2026

  • NEW Repo web-app risk checklist. GitHub repo scans can now flag high-confidence OWASP-style code risks such as raw SQL interpolation, unsafe HTML sinks, credentialed CORS wildcards, disabled TLS verification, and weak JWT secret fallbacks.
  • NEW Next.js middleware-bypass check. Active scans on verified domains can now confirm CVE-2025-29927 exposure on middleware-protected routes before reporting it, and reports include FixVibe's standard AI fix prompt for remediation.

9 May 2026

  • SECURITY Cross-origin scope hardening. Active scans and client-asset checks now stay within the authorized target scope and avoid carrying customer-supplied credentials across cross-origin redirects.
  • FIXED Supabase RLS check is now strictly read-only. Supabase posture checks now avoid write attempts and focus on safe exposure signals. Verified-domain active testing remains the boundary for deeper confirmation.
  • IMPROVED Security-header findings only apply to root HTML responses. Missing CSP, Permissions-Policy, X-Frame-Options, or Referrer-Policy on 204, JSON API, file-download, or 404 responses no longer produce a finding. HSTS and X-Content-Type-Options are still evaluated on every response.
  • IMPROVED Auth-flow and rate-limit checks now require stronger evidence. FixVibe now reports these issues only when application behaviour clearly supports the finding, reducing noise from generic error pages and unsupported methods.
  • IMPROVED File-upload findings tiered by exploitability evidence. File-upload reports now separate low-confidence acceptance signals from stronger evidence of risky serving behaviour, reducing over-severity on benign upload handlers.
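The scoping rule for security-header findings in this release (document-only headers on root HTML responses, HSTS and X-Content-Type-Options everywhere) can be stated as a small decision function. The code below is an added example written for this page, not FixVibe's implementation; the responses it evaluates are constructed, and the document test (2xx other than 204, an HTML content type, no attachment Content-Disposition) is an assumed approximation of what "root HTML response" means.

```python
# Headers that only matter on the application's own HTML document: a JSON API
# response, a 204, a 404 page or a file download is not rendered as the app.
DOCUMENT_ONLY = (
    "content-security-policy",
    "permissions-policy",
    "x-frame-options",
    "referrer-policy",
)

# Headers evaluated on every response regardless of status or content type.
ALWAYS_CHECKED = ("strict-transport-security", "x-content-type-options")

# Constructed sample responses as (status, headers); not captured from any real site.
SAMPLE_RESPONSES = {
    "root_html": (200, {"Content-Type": "text/html; charset=utf-8",
                        "Strict-Transport-Security": "max-age=63072000",
                        "X-Content-Type-Options": "nosniff"}),
    "json_api": (200, {"Content-Type": "application/json"}),
    "no_content": (204, {"Strict-Transport-Security": "max-age=63072000",
                         "X-Content-Type-Options": "nosniff"}),
    "not_found": (404, {"Content-Type": "text/html"}),
    "download": (200, {"Content-Type": "text/html",
                       "Content-Disposition": "attachment; filename=report.html"}),
}


def is_root_html_document(status: int, headers: dict) -> bool:
    """Assumed definition of a root HTML document: a successful (non-204) response
    whose body is HTML and is not served as a download."""
    h = {k.lower(): v for k, v in headers.items()}
    if not (200 <= status < 300) or status == 204:
        return False
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ("text/html", "application/xhtml+xml"):
        return False
    if h.get("content-disposition", "").strip().lower().startswith("attachment"):
        return False
    return True


def missing_header_findings(status: int, headers: dict) -> list[str]:
    """Names of missing security headers that are actually applicable to this response."""
    present = {k.lower() for k in headers}
    checks = list(ALWAYS_CHECKED)
    if is_root_html_document(status, headers):
        checks += DOCUMENT_ONLY
    return [name for name in checks if name not in present]


if __name__ == "__main__":
    for label, (status, headers) in SAMPLE_RESPONSES.items():
        print(f"{label:>10} ({status}): {missing_header_findings(status, headers) or 'no findings'}")
```

Only the `root_html` sample produces CSP, Permissions-Policy, X-Frame-Options and Referrer-Policy findings; the JSON, 404 and download samples are reported only for the two always-checked headers, and the fully-headed 204 yields nothing.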

7 May 2026

  • FIXED Threat-intel listing accuracy improved. FixVibe now distinguishes real blocklist evidence from resolver diagnostics, so threat-intel findings do not over-report infrastructure-side lookup responses.
  • NEW GitHub repository scans. Connect a repo and FixVibe checks the source code for leaked Supabase service keys, Firebase admin tokens, risky workflow files, and outdated dependencies, without ever loading your deployed site. See Scan types.
  • NEW SAST checks for risky JavaScript. Repo scans now flag new Function() and setTimeout("string"), both equivalent to eval() when fed untrusted input.
  • FIXED False "exposed file" findings on Vercel / Cloudflare sites. Plain 403 Forbidden responses are no longer reported as "file exists": most edge providers return 403 for suspicious-looking paths whether or not the file exists. We now require a positive HTTP signal before flagging.
  • FIXED Repo-code false positives reduced. Repo scans now avoid flagging security terms in comments, documentation, test helpers, and clearly server-only contexts for several high-signal code checks.
  • FIXED Supabase anon key in localStorage is no longer reported as a JWT-in-storage finding: the anon key is the intentionally public client token. Real service-role tokens in browser storage are now rated critical with a clearer title.
  • FIXED CSP weakness detection improved. Content-Security-Policy checks now catch more permissive origin policies, keeping evidence and remediation focused on the browser's effective policy.
  • FIXED Reflected-XSS check tightened. Active checks now require stronger reflection evidence before reporting executable-context risk, reducing false positives from unrelated markup on the page.
  • FIXED Domain verification now handles apex ↔ www redirects correctly and makes clearer which value goes in the TXT record's Host field.
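Two entries in this release pair naturally: the SAST check for eval-equivalent JavaScript (new Function(), setTimeout("string")) and the fix that stops flagging matches inside comments. The scanner below is an added example written for this page, not FixVibe's code. It first blanks out JavaScript comments while tracking string literals (so `//` inside a URL string is not mistaken for a comment) and preserving line numbers, then applies the two patterns. It goes slightly beyond the entry by also treating setInterval with a string first argument as the same eval-equivalent sink. The JavaScript it scans is constructed.

```python
import re

# Constructed JavaScript sample (not from any real repository).
SAMPLE_JS = """\
// new Function("return 1") in a line comment: must not be flagged
const add = new Function("a", "b", "return a + b");
setTimeout(() => tick(), 1000);
setTimeout("refresh()", 5000);
const url = "http://example.invalid/path"; // comment after a URL string
/* block comment spanning lines:
   setTimeout("x", 1) is ignored here */
window.setInterval(`poll(${id})`, 2000);
"""

# new Function(...) compiles its last argument as code, exactly like eval().
_NEW_FUNCTION_RE = re.compile(r"\bnew\s+Function\s*\(")
# setTimeout / setInterval whose first argument is a string literal (', " or `).
_TIMER_STRING_RE = re.compile(r"\b(?:window\.)?(setTimeout|setInterval)\s*\(\s*['\"`]")


def strip_js_comments(src: str) -> str:
    """Replace comment text with spaces, keeping newlines so line numbers survive.
    String and template literals are tracked so their contents are never treated
    as comment starts. (Regex literals such as /https?:\\/\\// are not tracked;
    that is a known limitation of this small scanner.)"""
    out = []
    i, n = 0, len(src)
    state = None  # None = code, "'" / '"' / '`' = inside literal, '//' / '/*' = comment
    while i < n:
        c = src[i]
        nxt = src[i + 1] if i + 1 < n else ""
        if state is None:
            if c == "/" and nxt == "/":
                state = "//"; out.append("  "); i += 2; continue
            if c == "/" and nxt == "*":
                state = "/*"; out.append("  "); i += 2; continue
            if c in "'\"`":
                state = c
            out.append(c); i += 1; continue
        if state == "//":
            if c == "\n":
                state = None; out.append(c)
            else:
                out.append(" ")
            i += 1; continue
        if state == "/*":
            if c == "*" and nxt == "/":
                state = None; out.append("  "); i += 2; continue
            out.append(c if c == "\n" else " "); i += 1; continue
        # inside a string literal: copy through, honouring backslash escapes
        if c == "\\" and i + 1 < n:
            out.append(c + nxt); i += 2; continue
        if c == state:
            state = None
        out.append(c); i += 1
    return "".join(out)


def find_eval_equivalents(src: str) -> list[tuple[int, str]]:
    """Return (line_number, sink_description) for each eval-equivalent call in `src`."""
    findings = []
    for lineno, line in enumerate(strip_js_comments(src).splitlines(), start=1):
        if _NEW_FUNCTION_RE.search(line):
            findings.append((lineno, "new Function()"))
        m = _TIMER_STRING_RE.search(line)
        if m:
            findings.append((lineno, f'{m.group(1)}("string")'))
    return findings


if __name__ == "__main__":
    for lineno, sink in find_eval_equivalents(SAMPLE_JS):
        print(f"line {lineno}: {sink} compiles a string as code; pass a function instead")
```

On the sample this reports lines 2, 4 and 8 only: the commented-out mentions on lines 1, 6 and 7 are blanked before matching, the callback form on line 3 is safe, and the URL string on line 5 is left intact. The remediation in each case is the same: pass a function reference instead of a string, and build behaviour from data rather than compiling data into code.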

Format

Each entry gets a tag so you can skim:

  • NEW A new check, surface, or feature.
  • IMPROVED Existing behaviour got better: more accurate, faster, clearer.
  • FIXED A bug we shipped and then fixed.
  • SECURITY Hardening, vulnerability fixes, or compliance changes.

Saw something break that isn't recorded here? Email support@fixvibe.app.
