Changelog
FixVibe scan-engine updates: new coverage, safety improvements, and accuracy improvements. Newest entries first.
May 18, 2026
- NEW electerm dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f, with version-based advisory evidence rather than exploit confirmation.
- NEW OpenCms dependency advisory check. GitHub repo scans can now flag Maven pom.xml files that pin or resolve org.opencms:opencms-core versions affected by CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, with version-based advisory evidence rather than XXE exploit confirmation.
May 17, 2026
- NEW FUXA hardcoded JWT secret check. Verified active scans can now confirm CVE-2025-69971 exposure on FUXA instances that still trust the vulnerable fallback JWT signing configuration.
- NEW CKAN DataStore SQL exposure check. Verified active scans can now confirm unauthenticated CKAN DataStore SQL access associated with CVE-2026-42031 and guide teams to patched CKAN release lines or safer DataStore configuration.
May 16, 2026
- NEW PDF.js dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow pdfjs-dist versions affected by CVE-2024-4367 / GHSA-wgrm-67xf-hhpq.
- NEW Active scans via REST API and MCP. Active scans can now be triggered from REST and MCP against verified domains that have been explicitly authorized from the dashboard. Authorization is revocable at any time.
- NEW Safer authorization levels for active scans. Domain authorization now distinguishes safer automated active checks from deeper active testing, so teams can automate the right level of verification for each domain.
- NEW First-use webhook for API/MCP active scans. A webhook can notify teams the first time an API/MCP-triggered active scan runs against a newly authorized domain.
- IMPROVED Referrer-Policy findings improved. Missing or weak Referrer-Policy results now separate URL-referrer leakage from broad information exposure, show document-response evidence, and include generic plus static-host remediation guidance.
- IMPROVED Permissions-Policy findings improved. Missing or weak Permissions-Policy results now show feature-level evidence, separate broad feature allowlists from missing hardening, and include generic plus static-host remediation guidance for common hosts, proxies, and app servers.
- IMPROVED Clickjacking header prompts improved. Missing X-Frame-Options findings now point agents to CSP frame-ancestors as the modern protection, add Vercel/static SPA header guidance, and verify x-frame-options together with CSP.
- IMPROVED CSP header evidence and fix prompts improved. Missing-CSP reports now include clearer hosting and response context plus safer framework-aware remediation guidance.
- FIXED Vercel path-probe false positives reduced. FixVibe now requires stronger application-specific evidence before reporting exposed framework artifacts on deployments that rewrite unknown routes to the app shell.
- FIXED Compliance findings no longer carry misleading CWE tags. The legal-compliance check previously tagged "missing privacy policy" and "missing terms of service" findings with CWE-359 (PII exposure), which doesn't describe the actual gap. Those findings now ship without a CWE — they're compliance/governance items, not classifiable security weaknesses.
May 15, 2026
- NEW Additional research-informed checks. FixVibe shipped more coverage based on recent vulnerability research and mapped duplicate topics to existing scanner modules where coverage already existed.
- NEW Repository secret-leak check. GitHub repo scans can now flag hardcoded vendor keys and high-entropy secret-like values committed to source, with redacted evidence and the standard FixVibe rotation prompt attached.
- NEW Vercel deployment protection check. Passive scans can now flag public *.vercel.app generated deployment URLs that respond without Vercel Deployment Protection, while existing header checks continue to audit CSP, HSTS, and browser hardening.
May 14, 2026
- NEW LiteLLM dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow LiteLLM versions affected by CVE-2026-42208 / GHSA-r75f-5x8p-qvmc.
- NEW LibreNMS dependency advisory check. GitHub repo scans can now flag Composer manifests that pin or allow LibreNMS versions affected by CVE-2024-51092 / GHSA-x645-6pf9-xwxw.
- IMPROVED Firebase rules detection improved. BaaS scans now detect more Firebase app shapes and use read-only evidence to identify risky public data exposure.
May 13, 2026
- NEW Repo Supabase RLS migration check. GitHub repo scans can now flag Supabase SQL migrations that create public tables without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
- NEW Supabase Storage posture check. Passive scans can now review public Supabase Storage buckets and anonymous object-listing exposure alongside existing RLS and key checks.
- NEW AI-generated code guardrail check. GitHub repo scans can now flag missing security automation around code scanning, secret scanning, dependency updates, and AI-agent instructions.
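To make the RLS migration check above concrete, here is an added example written for this changelog (not FixVibe's scanner code, and no claim about how FixVibe implements the check): a small Python detector that reads a migration, collects tables created in the public schema, and reports those with no matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY. Line comments are stripped first so a commented-out ALTER does not count, and identifiers follow Postgres folding rules (unquoted names fold to lower case, quoted names keep their case). The sample migration is constructed.

```python
"""Minimal detector for Supabase SQL migrations that CREATE a table in the
public schema without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY.
Constructed illustration written for this changelog; it is not FixVibe's
scanner code and makes no claim about how FixVibe implements the check."""
import re

IDENT = r'"?[A-Za-z_][A-Za-z0-9_]*"?'

# CREATE TABLE [IF NOT EXISTS] [schema.]table
CREATE_TABLE_RE = re.compile(
    r"\bCREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?"
    rf"(?:(?P<schema>{IDENT})\.)?(?P<table>{IDENT})",
    re.IGNORECASE,
)
# ALTER TABLE [ONLY] [schema.]table ENABLE ROW LEVEL SECURITY
ENABLE_RLS_RE = re.compile(
    r"\bALTER\s+TABLE\s+(?:ONLY\s+)?"
    rf"(?:(?P<schema>{IDENT})\.)?(?P<table>{IDENT})"
    r"\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY\b",
    re.IGNORECASE,
)
# Strip "--" comments but keep the newline so line numbers stay correct.
LINE_COMMENT_RE = re.compile(r"--[^\n]*")


def normalize(ident):
    """Postgres folds unquoted identifiers to lower case; quoted ones keep case."""
    return ident[1:-1] if ident.startswith('"') else ident.lower()


def find_public_tables_without_rls(sql):
    """Return [(table_name, line_number)] for public tables that never get RLS enabled."""
    sql = LINE_COMMENT_RE.sub("", sql)  # a commented-out ALTER must not count as protection
    created = {}
    for m in CREATE_TABLE_RE.finditer(sql):
        schema = m.group("schema")
        if schema is not None and normalize(schema) != "public":
            continue  # only the public schema is reachable through the anon/authenticated roles
        name = normalize(m.group("table"))
        created.setdefault(name, sql[: m.start()].count("\n") + 1)
    protected = set()
    for m in ENABLE_RLS_RE.finditer(sql):
        schema = m.group("schema")
        if schema is None or normalize(schema) == "public":
            protected.add(normalize(m.group("table")))
    return [(name, line) for name, line in created.items() if name not in protected]


# Constructed sample migration; not taken from any real project.
SAMPLE_MIGRATION = """-- constructed sample migration; not from any real project
create table public.profiles (
  id uuid primary key,
  email text
);
alter table public.profiles enable row level security;

CREATE TABLE IF NOT EXISTS orders (
  id bigint generated always as identity primary key,
  user_id uuid
);
-- alter table orders enable row level security;   (still commented out)

create table auth_private.sessions (id uuid primary key);
"""

if __name__ == "__main__":
    for table, line in find_public_tables_without_rls(SAMPLE_MIGRATION):
        print(f"line {line}: public table '{table}' created without ENABLE ROW LEVEL SECURITY")
```

Running it on the sample reports only `orders`: `profiles` is protected, the ALTER for `orders` is commented out, and `auth_private.sessions` is outside the public schema. A production scanner would use a real SQL tokenizer so that string literals and block comments cannot confuse the regexes.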
May 12, 2026
- NEW Repo web-app risk checklist. GitHub repo scans can now flag high-confidence OWASP-style code risks such as raw SQL interpolation, unsafe HTML sinks, credentialed wildcard CORS, disabled TLS verification, and weak JWT secret fallbacks.
- NEW Next.js middleware-bypass check. Active scans for verified domains can now confirm CVE-2025-29927 exposure on middleware-protected routes before reporting it, and reports include the standard FixVibe AI fix prompt for remediation.
May 9, 2026
- SECURITY Cross-origin scope hardening. Active scans and client-asset checks now stay within the authorized target scope and avoid carrying customer-provided credentials across cross-origin redirects.
- FIXED Supabase RLS check is now strictly read-only. Supabase posture checks now avoid write attempts and focus on safe exposure signals. Verified-domain active testing remains the boundary for deeper confirmation.
- IMPROVED Security-header detection now applies only to root HTML responses. Missing CSP, Permissions-Policy, X-Frame-Options, or Referrer-Policy on 204 responses, JSON APIs, file downloads, or 404 pages no longer produces findings. HSTS and X-Content-Type-Options are still scored on every response.
- IMPROVED Auth-flow and rate-limit checks now require stronger evidence. FixVibe now reports these issues only when the application behavior clearly supports the finding, reducing noise from generic error pages and unsupported methods.
- IMPROVED File-upload findings tiered by exploitability evidence. File-upload reports now separate low-confidence acceptance signals from stronger evidence of risky serving behavior, reducing over-severity on benign upload handlers.
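The header-scoping rule in the May 9 entry and the clickjacking rule in the May 16 entry (CSP frame-ancestors satisfies the X-Frame-Options check) can both be captured in a few lines. The following is an added example written for this changelog, not FixVibe's scanner code: it scores HSTS and X-Content-Type-Options on every response, evaluates the four document-only headers just for successful text/html responses that are not attachment downloads, and treats a CSP with frame-ancestors as adequate clickjacking protection. The sample responses are constructed.

```python
"""Security-header scoping: document-only headers are evaluated just for root
HTML responses, HSTS and X-Content-Type-Options on every response, and CSP
frame-ancestors satisfies the X-Frame-Options check. Constructed illustration
written for this changelog; it is not FixVibe's scanner code."""

# Evaluated only on root HTML document responses.
DOCUMENT_ONLY_HEADERS = (
    "content-security-policy",
    "permissions-policy",
    "x-frame-options",
    "referrer-policy",
)
# Scored on every response.
ALWAYS_HEADERS = ("strict-transport-security", "x-content-type-options")


def _lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}


def is_root_html_document(status, headers):
    """True for a successful HTML page; False for 204, 404, JSON APIs and
    attachment downloads, none of which should yield document-header findings."""
    h = _lower_keys(headers)
    if status == 204 or not 200 <= status < 300:
        return False
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "text/html":
        return False
    return not h.get("content-disposition", "").strip().lower().startswith("attachment")


def csp_has_frame_ancestors(csp):
    return any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";"))


def security_header_findings(scheme, status, headers):
    """Return the list of missing-header findings for one response."""
    h = _lower_keys(headers)
    findings = []
    for name in ALWAYS_HEADERS:
        if name == "strict-transport-security" and scheme != "https":
            continue  # HSTS is only meaningful on an HTTPS response
        if name not in h:
            findings.append(f"missing {name}")
    if not is_root_html_document(status, headers):
        return findings
    for name in DOCUMENT_ONLY_HEADERS:
        if name in h:
            continue
        if name == "x-frame-options" and csp_has_frame_ancestors(h.get("content-security-policy", "")):
            continue  # frame-ancestors is the modern clickjacking protection
        findings.append(f"missing {name}")
    return findings


# Constructed sample responses: (scheme, status, headers). Not captured from any real site.
SAMPLE_RESPONSES = {
    "html_page": ("https", 200, {"Content-Type": "text/html; charset=utf-8"}),
    "json_api": ("https", 200, {"Content-Type": "application/json"}),
    "no_content": ("https", 204, {}),
    "not_found": ("https", 404, {"Content-Type": "text/html"}),
    "download": ("https", 200, {"Content-Type": "text/html",
                                "Content-Disposition": 'attachment; filename="report.html"'}),
    "hardened_page": ("https", 200, {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Permissions-Policy": "camera=(), microphone=()",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }),
}


def scan_samples():
    return {name: security_header_findings(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'no findings'}")
```

The bare HTML page collects all six findings; the JSON API, 204, 404 and download responses get only the two always-scored ones; the hardened page gets none even though it never sends X-Frame-Options, because its CSP carries frame-ancestors.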
May 7, 2026
- FIXED Threat-intel listing accuracy improved. FixVibe now distinguishes real blocklist evidence from resolver diagnostics so threat-intel findings do not over-report on infrastructure-side lookup responses.
- NEW GitHub repo scanning. Connect a repo and FixVibe inspects the source for exposed Supabase service keys, Firebase admin tokens, risky workflow files, and outdated dependencies — without ever loading your deployed site. See Scan types.
- NEW SAST check for risky JavaScript. Repo scans now flag new Function() and setTimeout("string") — both are equivalent to eval() when they receive untrusted input.
- FIXED "Exposed file" false positives on Vercel / Cloudflare sites. A bare 403 Forbidden response is no longer reported as "file exists" — most edge providers return 403 for suspicious-looking paths whether or not the file exists. We now require a positive HTTP signal before flagging.
- FIXED Repo-code false positives reduced. Repo scans now avoid flagging security terms in comments, documentation, test helpers, and clearly server-only contexts for several high-signal code checks.
- FIXED Supabase anon key in localStorage is no longer reported as a JWT-in-storage finding — the anon key is a client token that is intentionally public. A real service-role token in browser storage is now rated critical, with a clearer title.
- FIXED CSP weakness detection improved. Content-Security-Policy checks now catch more permissive source policies while keeping evidence and remediation focused on the effective browser policy.
- FIXED Reflected-XSS check tightened. Active scans now require stronger reflection evidence before reporting executable-context risk, reducing false positives from unrelated markup on the page.
- FIXED Domain verification now handles apex ↔ www redirects correctly and is clearer about which value goes in the TXT record's Host field.
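The SAST entry above (new Function() and string-argument timers as eval() equivalents) and the same day's comment-aware false-positive fix can be shown together. This is an added example written for this changelog, not FixVibe's scanner code: a small Python pass that removes JavaScript comments while preserving line numbers, then flags `new Function(` and `setTimeout`/`setInterval` calls whose first argument is a string literal. The sample source is constructed.

```python
"""Detector for eval() equivalents in JavaScript source: new Function() and
setTimeout/setInterval with a string first argument. Comments are stripped
first so mentions inside them are not flagged. Constructed illustration
written for this changelog; it is not FixVibe's scanner code."""
import re

NEW_FUNCTION_RE = re.compile(r"\bnew\s+Function\s*\(")
# A string literal (quote, apostrophe or backtick) as the first timer argument is evaluated as code.
STRING_TIMER_RE = re.compile(r"\b(setTimeout|setInterval)\s*\(\s*[\"'`]")
# Line comments and block comments. A real SAST tool would tokenize instead,
# since "//" inside a string literal (e.g. a URL) would confuse this regex.
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)


def strip_js_comments(source):
    """Replace each comment with the newlines it contained so line numbers are preserved."""
    return COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source)


def find_eval_equivalents(source):
    """Return (line_number, rule) for each risky call found outside comments."""
    findings = []
    for lineno, line in enumerate(strip_js_comments(source).splitlines(), start=1):
        if NEW_FUNCTION_RE.search(line):
            findings.append((lineno, "new-function"))
        if STRING_TIMER_RE.search(line):
            findings.append((lineno, "string-timer"))
    return findings


# Constructed sample; not taken from any real project.
SAMPLE_JS = """// constructed sample; not real project code
const compiled = new Function("a", "b", "return a + b");
setTimeout("refresh()", 1000);
setTimeout(() => refresh(), 1000);
/* new Function("x") in a block comment must not be flagged */
setInterval(tick, 500);
"""

if __name__ == "__main__":
    for lineno, rule in find_eval_equivalents(SAMPLE_JS):
        print(f"line {lineno}: {rule}")
```

On the sample, lines 2 and 3 are reported; the arrow-function timer on line 4, the block comment on line 5 and the function-reference timer on line 6 are not.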
Format
Each entry is tagged so you can skim quickly:
- NEW A new check, surface, or feature.
- IMPROVED Existing behavior made better — more accurate, faster, clearer.
- FIXED A bug we shipped and then fixed.
- SECURITY Hardening, a vulnerability fix, or a compliance change.
See something broken that isn't listed here? Email support@fixvibe.app.
