Changelog
FixVibe scanning engine updates: new coverage, safety improvements and accuracy improvements. Newest entries first.
July 2, 2026
- Fixed: Legal-link false positives reduced. Privacy and terms links that are visible after client-side rendering now count correctly, so SPA footers are not reported as missing when users can see those links.
June 30, 2026
- Added: Label Studio CVE-2025-47783 reflected XSS check. Verified active scans now flag Label Studio upload-example responses when target-specific label_config evidence shows raw HTML metacharacter reflection, without executing JavaScript, using victim sessions, reading tokens, or storing project data.
- Added: AVideo CVE-2023-25313 / GHSA-pgvh-p3g4-86jw advisory. Repo scans flag affected wwbn/avideo Composer manifests and lockfiles below 12.4 with version-based evidence only; no AVideo login, video-link submission, video creation, request-delay checks, command execution, or runtime exploit claim.
- Added: GL.iNet GL-MT3000 CVE-2026-11451 advisory. Verified active scans flag GL.iNet GL-MT3000 firmware 4.4.5 as version-based advisory evidence only; no router authentication, FTP-setting changes, file writes, command input, or command-execution claim.
- Improved: Schneider Modicon M221 remote-restart coverage. The existing passive Modicon M221 firmware check now correlates the same strong public HTTP product and firmware-version evidence with CVE-2018-7789 as well as CVE-2018-7790 and reports it as version-based advisory context; it does not send restart probes, query Modbus, replay authentication, upload PLC programs, or claim confirmed exploitation.
- Added: Mbed TLS CVE-2024-45159 repo advisory coverage. GitHub repo scans now flag source and build metadata for affected Mbed TLS 3.2.0 through 3.6.0 releases, reporting version-based advisory evidence without client-certificate probes, TLS handshake testing, or authentication-bypass confirmation.
- Added: Oracle Java SE/GraalVM CVE-2022-21340 repo advisory coverage. GitHub repo scans now flag explicit Oracle Java SE or Oracle GraalVM Enterprise runtime metadata, reporting version-based advisory evidence without running Java, sandbox-code proof, denial-of-service traffic, or runtime exploit confirmation.
- Added: OpenSSL CMS CVE-2025-15467 advisory. GitHub repo scans now flag affected OpenSSL CMS release-line evidence and report branch-aware source/config evidence without crash, denial-of-service, or code-execution reproduction.
- Added: codfish semantic-release GitHub Action compromise check. Repo scans can now flag workflow YAML references to codfish/semantic-release-action refs associated with the June 2026 compromise, reporting source/config evidence only. The check does not run GitHub Actions, read CI secrets, inspect runners, or claim credential theft.
- Added: Spring Data Commons property-path advisory coverage. GitHub repo scans now report Maven/Gradle dependency evidence for Spring Data Commons versions associated with CVE-2018-1274 / GHSA-5q8m-mqmx-pxp9. The finding stays version-based and does not run the app, probe Spring Data REST endpoints, send crafted property-path parameters, stress CPU or memory, or claim denial-of-service confirmation.
- Added: vm2 Promise species advisory coverage. GitHub repo scans now report npm manifest and lockfile evidence for vm2 versions associated with CVE-2026-47208 / GHSA-76w7-j9cq-rx2j. The finding stays version-based and does not run the app, execute sandbox-breakout proof-of-concept code, inspect live workers, or claim host command execution.
- Added: pyLoad /flashgot advisory coverage. GitHub repo scans now report Python manifest and lockfile evidence for pyload-ng versions associated with CVE-2024-47821 / GHSA-w7hq-f2pj-c53g. The finding stays version-based and does not run pyLoad, send /flashgot requests, change settings, download files, write script directories, or claim command execution.
- Added: SAP Cloud SDK for AI Python advisory check. GitHub repo scans now flag Python manifest and lockfile evidence for sap-ai-sdk-base versions affected by CVE-2023-25617 / GHSA-xxhh-59gh-6ffx as version-based advisory evidence, without running Python, connecting to SAP BusinessObjects, scheduling Program Objects, sending command-injection input, or claiming OS command execution.
- Added: Gradio Windows/Python path traversal advisory check. GitHub repo scans now flag Gradio dependency evidence for CVE-2026-28414 / GHSA-39mp-8hj3-5c49 and raise confidence when repository configuration also points to Windows with Python 3.13+, without requesting Gradio file endpoints, sending traversal input, reading files, or claiming live arbitrary file read.
June 29, 2026
- Added: MISP STIX import source advisory coverage. GitHub repo scans now report source evidence for CVE-2018-19908 in app/Model/Event.php when original STIX filenames flow into shell command construction. The check uses repository source evidence and does not run MISP, import files, or claim runtime command execution.
- Added: MindsDB status version advisory coverage. Verified active scans now include MindsDB /api/status version evidence for CVE-2026-27483 when the public status endpoint reports a release before 25.9.1.1. This read-only check does not upload files, send traversal filenames, or claim remote-code execution.
- Added: NiceGUI upload filename source advisory check. GitHub repo scans now include CVE-2026-25732 coverage when affected NiceGUI dependency evidence appears with upload-handler source that saves paths built from client-supplied filenames. The check reports source/dependency evidence without uploading files, writing outside upload directories, or claiming code execution.
June 18, 2026
- Added: SillyTavern SearXNG SSRF active check. Verified active scans now report only direct evidence that a SillyTavern SearXNG search proxy fetched a FixVibe-controlled external callback URL. The probe avoids localhost, cloud metadata, private-network targets, and internal-service requests.
- Added: Glances REST API unauthenticated exposure check. Verified active scans can now confirm whether the scanned origin exposes Glances REST API identity and metrics-shaped responses without authentication. FixVibe records only the response shape and avoids collecting broad API dumps, process lists, command lines, configuration, or secrets.
- Added: Spring Data Commons + XMLBeam advisory coverage. GitHub repo scans now report paired Maven/Gradle dependency evidence for Spring Data Commons and XMLBeam versions associated with CVE-2018-1259 / GHSA-m929-7fr6-cvjg. The finding stays version-based and does not run the app, send XML payloads, probe endpoints, read local files, or claim SSRF confirmation.
- Added: Moby AuthZ dependency advisory check. GitHub repo scans can now flag Go module manifests that resolve Moby or Docker Engine versions affected by CVE-2026-34040 / GHSA-x744-4wpc-v9h2, reporting version-based advisory evidence without connecting to Docker APIs, probing AuthZ plugins, sending crafted requests, or claiming an authorization-bypass confirmation.
- Added: NGINX rewrite-module config advisory check. GitHub repo scans can now correlate affected NGINX version evidence with rewrite-module configuration evidence for CVE-2026-42945, without running NGINX, sending traffic, or claiming memory-corruption proof.
- Added: SQLitePCLRaw NuGet advisory check. GitHub repo scans can now flag .NET project and NuGet lockfile evidence for affected SQLitePCLRaw native SQLite packages tied to CVE-2025-6965 / GHSA-2m69-gcr7-jv3q, without claiming memory-corruption proof.
- Added: gemini-mcp-tool CVE-2026-0755 advisory. Repo scans flag affected npm manifest and lockfile versions for GHSA-4h5r-5jm8-jxjm with repository version evidence only. The check does not run the MCP server, send command or @file probes, trigger callbacks, read local files, or assert runtime exploit confirmation.
- Added: Mastra easy-day-js advisory check. GitHub repo scans flag easy-day-js manifest and lockfile evidence tied to the June 2026 Mastra npm incident. The finding stays limited to repository dependency evidence and does not verify stale npm owners, run package scripts, inspect hosts, or assert credential theft.
- Added: Drupal Core CVE-2026-9082 advisory check. GitHub repo scans flag Composer manifest and lockfile versions for GHSA-ghwc-95x2-682j with repository version evidence only. The check does not run Drupal, verify PostgreSQL, send SQL payloads, extract data, or assert runtime exploit confirmation.
- Added: Paramiko SSH-server authentication advisory check. GitHub repo scans can now flag Python dependency files that resolve Paramiko releases affected by CVE-2018-7750 / GHSA-232r-66cg-79px, reporting version-based advisory evidence without starting an SSH server, sending bypass traffic, or claiming deployed server-mode exposure.
- Added: Apache Tomcat HTTP/2 resource-consumption dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat releases affected by CVE-2020-11996 / GHSA-53hp-jpwq-2jgq, reporting version-based advisory evidence without running Tomcat, sending HTTP/2 denial-of-service traffic, generating high-CPU proof traffic, or claiming runtime availability impact.
- Added: @andrei-tatar/nora-firebase-common prototype-pollution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve @andrei-tatar/nora-firebase-common versions affected by CVE-2024-30564 / GHSA-jjff-q3q4-5hh8, reporting version-based advisory evidence without running the package, mutating Object.prototype, sending proof payloads, or claiming runtime exploit confirmation.
- Added: cordova-plugin-inappbrowser Android advisory check. GitHub repo scans can now flag npm manifests, lockfiles, and Cordova config.xml files that resolve cordova-plugin-inappbrowser versions affected by CVE-2019-0219 / GHSA-c6pw-q7f2-97hv, reporting version-based advisory evidence without building mobile binaries, loading proof content, exercising plugin bridge behavior, or claiming deployed Android exploitability.
- Added: Nokogiri libxslt RubyGems advisory coverage. GitHub repo scans now report Gemfile, Gemfile.lock, and gemspec evidence for Nokogiri releases affected by CVE-2019-18197 / GHSA-242x-7cm6-4w8j. The check uses version-based RubyGems evidence and does not run Ruby, process XML or XSLT input, crash-test libxslt, or claim runtime exploit confirmation.
- Added: Perl GD CPAN advisory coverage. GitHub repo scans now report CPAN dependency evidence for Perl GD releases affected by CVE-2026-11526. The check uses version-based repository evidence and does not run Perl, process image files, pass crafted filenames to GD::Image constructors, or claim command-execution or file-overwrite confirmation.
- Added: kill-port-process CVE-2019-15609 advisory check. GitHub repo scans flag affected npm manifest and lockfile versions for GHSA-xp4x-j9vh-c3wf, reporting version evidence only. The check does not run the package, send command payloads, terminate processes, or assert runtime exploit confirmation.
- Added: proxy npm advisory coverage. GitHub repo scans can now report repository dependency evidence for proxy releases associated with CVE-2023-2968 / GHSA-mj6p-3pc9-wf5m. The finding stays version-based and does not run proxy, send crafted request traffic, crash-test services, or claim runtime denial-of-service confirmation.
- Added: Apache ActiveMQ Artemis Jolokia dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve org.apache.activemq:artemis-cli versions affected by CVE-2023-50780 / GHSA-443j-grxv-2pgv, reporting version-based advisory evidence without authenticating to Jolokia, enumerating MBeans, changing Log4J2 configuration, writing files, restarting services, or claiming live RCE confirmation.
- Added: Apache ActiveMQ Artemis dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that pin or allow artemis-server versions affected by CVE-2026-27446 / GHSA-fw88-pf9m-p947, reporting version-based advisory evidence without connecting to brokers, triggering federation callbacks, or claiming message injection/exfiltration confirmation.
- Added: Apache Spark UI dependency advisory check. GitHub repo scans can now flag Maven, Gradle, and PySpark dependency files that pin or allow Apache Spark versions affected by CVE-2022-33891 / GHSA-4x9r-j582-cgr8, reporting version-based advisory evidence without visiting Spark UI, sending active exploit probes, or claiming command-execution confirmation.
- Added: vLLM pickle-deserialization dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow vllm versions affected by CVE-2024-9053 / GHSA-cj47-qj6g-x7r4, reporting version-based advisory evidence without running vLLM, exposing AsyncEngineRPCServer, sending pickle payloads, or claiming runtime code-execution confirmation.
- Added: Apache Airflow example-DAG advisory coverage. GitHub repo scans can now report repository dependency evidence for Airflow releases associated with CVE-2024-45498 / GHSA-c392-whpc-vfpr. The finding stays version-based and does not probe Airflow UI, trigger DAGs, run command payloads, or claim runtime exploit confirmation.
- Added: ONNX download_model_with_test_data advisory coverage. GitHub repo scans now report Python dependency evidence for onnx releases affected by CVE-2024-5187 / GHSA-6rq9-53c3-f7vj and add source-call context when download_model_with_test_data appears. The check does not run Python, download or extract model archives, create malicious tar files, overwrite files, or claim runtime exploit confirmation.
- Added: YOURLS type-juggling dependency advisory check. GitHub repo scans can now flag Composer and YOURLS source-version evidence for yourls/yourls releases affected by CVE-2019-14537 / GHSA-vf23-f26f-mjj9, reporting version-based advisory evidence without calling the YOURLS API, sending authentication-bypass requests, probing admin pages, or claiming unauthorized access.
- Added: http4k-format-xml dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve org.http4k:http4k-format-xml versions affected by CVE-2024-55875 / GHSA-7mj5-hjjj-8rgw, reporting version-based advisory evidence without sending XML payloads, SSRF callbacks, local-file reads, or denial-of-service traffic.
June 14, 2026
- Fixed: DOM XSS fragment probe stability. Verified active scans now skip the DOM fragment probe cleanly when browser automation is unavailable at startup, so reports no longer show internal browser-context errors for that check.
- Improved: Expanded Red Hat npm worm coverage. GitHub repo scans now include additional Wiz-reported @redhat-cloud-services package versions for the Miasma campaign, while still reporting repository dependency evidence without installing packages, executing lifecycle scripts, or claiming credential theft.
- Added: Known npm typosquat package check. GitHub repo scans can now flag package manifests and lockfiles that resolve Microsoft-reported vpmdhaj npm typosquat package versions, reporting version-based advisory evidence without installing packages, executing lifecycle scripts, fetching tarballs, contacting attacker infrastructure, or claiming credential theft.
- Added: Codex Remote UI token-stealing npm package check. GitHub repo scans can now flag package manifests and lockfiles that resolve codexui-android 0.1.82 or newer, reporting version-based advisory evidence without installing the package, executing it, reading Codex auth files, contacting exfiltration infrastructure, or claiming token theft.
- Added: Claude Code GitHub Action workflow repo check. GitHub repo scans can now flag Claude Code Action workflows with mutable action refs, broad workflow token permissions, or risky access override inputs, reporting workflow YAML evidence without running Actions, executing Claude Code, reading CI secrets, or claiming prompt-injection exploitation.
- Added: onering Rust crate malware repo check. GitHub repo scans can now flag Cargo manifests or lockfiles that resolve onering 1.4.1 or the known compromised onering git commit, and can flag matching checked-in build.rs evidence, without running Cargo, executing build scripts, fetching crates, or claiming source exfiltration.
- Added: Node-gyp / Phantom Gyp npm worm repo check. GitHub repo scans can now flag package manifests or lockfiles that resolve known malicious npm package versions from the binding.gyp supply-chain campaign, or flag matching binding.gyp source evidence, without running npm install, executing node-gyp, downloading tarballs, or claiming credential theft.
June 11, 2026
- Improved: Moxa NPort authentication advisory coverage. The existing verified-active Moxa NPort firmware check now correlates the same strong HTTP model and firmware evidence with CVE-2016-9361 as part of the MCSA-160401 advisory family, while still reporting a version-based advisory without attempting password retries, brute-force checks, firmware uploads, unauthenticated administrative actions, SNMP queries, serial-device protocol probes, crash tests, or exploit confirmation.
- Improved: Moxa NPort unauthenticated firmware-update advisory coverage. The existing verified-active Moxa NPort firmware check now correlates the same strong HTTP model and firmware evidence with CVE-2016-9369 as part of the MCSA-160401 advisory family, while still reporting a version-based advisory without attempting firmware uploads, unauthenticated administrative actions, SNMP queries, serial-device protocol probes, crash tests, or exploit confirmation.
- Added: Schneider Modicon M221 firmware advisory check. Passive scans can now flag strong public HTTP product and firmware-version evidence for Modicon M221 controllers associated with CVE-2018-7790, reporting version-based advisory context without capturing credentials, replaying authentication, querying Modbus, uploading PLC programs, or claiming unauthorized-access confirmation.
- Added: Langflow CVE-2025-34291 CORS advisory check. Verified active scans can now flag affected Langflow instances when target-specific version evidence is paired with credentialed CORS origin reflection, without authenticating, reading tokens, triggering refresh flows, or claiming code-execution confirmation.
- Added: SiteOmat BOS version advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14728 as a version-based advisory, without attempting default credentials, SSH login, broad port scans, state-changing management actions, or unauthorized access.
- Added: SiteOmat login SQL injection advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14851 as a version-based advisory, without submitting login forms, sending SQL injection payloads, attempting authentication bypass, accessing post-login pages, or making state-changing management requests.
- Added: SiteOmat CGI buffer-overflow advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14854 as a version-based advisory, without sending crafted CGI input, overflow payloads, crash tests, broad port scans, state-changing management actions, or exploit requests.
- Added: Kubernetes externalIPs manifest advisory check. GitHub repo scans can now flag Kubernetes Service manifests that declare non-empty `spec.externalIPs` as source/config hardening evidence for CVE-2020-8554, without inspecting live clusters, checking RBAC, sending traffic, or claiming traffic interception.
- Added: Apache Tomcat EncryptInterceptor dependency advisory check. GitHub repo scans can now flag Maven and Gradle files that resolve exact Tomcat releases associated with CVE-2026-34486 / GHSA-69r9-qgr7-g2wj, reporting version-based advisory evidence without running Tomcat, inspecting cluster traffic, sending crafted Tribes packets, or claiming plaintext-disclosure confirmation.
- Added: Apache Tomcat h2c request mix-up dependency advisory check. GitHub repo scans can now flag Maven and Gradle files that resolve Tomcat embedded-core or Coyote versions affected by CVE-2021-25122 / GHSA-j39c-c8hj-x4j3, reporting version-based advisory evidence without running Tomcat, sending h2c upgrade requests, capturing traffic, or claiming information-disclosure confirmation.
- Added: PickleScan ZIP CRC dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow PickleScan versions affected by CVE-2025-10156 / GHSA-mjqp-26hc-grxg, reporting version-based advisory evidence without running PickleScan, creating corrupted archives, loading models, or claiming runtime code-execution confirmation.
- Added: NLTK Zip Slip dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow NLTK versions affected by CVE-2025-14009 / GHSA-7p94-766c-hgjp, reporting version-based advisory evidence without running Python or NLTK, calling nltk.download(), extracting packages, creating malicious archives, or claiming runtime code-execution confirmation.
- Added: TanStack ArkType adapter malware dependency check. GitHub repo scans can now flag package manifests and lockfiles that resolve @tanstack/arktype-adapter to malicious versions 1.166.12 or 1.166.15 from CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx, reporting version-based advisory evidence without running npm install, executing lifecycle scripts, downloading tarballs, or claiming credential theft.
- Added: Mbed TLS CVE-2021-44732 repo advisory check. GitHub repo scans can now flag source and build metadata that identify Mbed TLS versions affected by CVE-2021-44732, reporting version-based advisory evidence without running Mbed TLS, forcing out-of-memory behavior, calling session-copy APIs, or claiming live double-free confirmation.
- Added: IIS TRACK method exposure check. Verified active scans can now flag legacy TRACK echo behavior associated with CVE-2003-1567 using non-sensitive request evidence, without sending cookies, credentials, browser exploit pages, user traffic, or state-changing requests.
- Added: Red Hat npm worm dependency advisory check. GitHub repo scans can now flag package manifests and lockfiles that resolve known compromised @redhat-cloud-services npm versions associated with the credential-stealing worm campaign, reporting dependency evidence without executing install scripts or claiming credential theft.
- Added: DICOM executable preamble check. GitHub repo scans can now flag committed DICOM files whose Part 10 preamble carries executable-file evidence, reporting static file evidence without executing the file or claiming production compromise.
June 10, 2026
- Added: Mbed TLS CVE-2023-45199 repo advisory check. GitHub repo scans can now flag source and build metadata that identify Mbed TLS 3.2.x through 3.4.x, reporting version-based advisory evidence without sending TLS handshake payloads or claiming live memory corruption.
- Added: Rockwell MicroLogix 1100 advisory fingerprint. Passive scans can now flag strong public HTTP evidence of a Rockwell Automation MicroLogix 1100 controller associated with CVE-2021-33012, reporting advisory context without sending industrial protocol commands or claiming denial-of-service behavior.
- Added: Moxa NPort firmware advisory check. Verified active scans can now flag public HTTP model and firmware-version evidence for Moxa NPort devices associated with CVE-2016-9363, reporting version-based advisory context without sending crafted packets, querying SNMP, testing serial-device services, or claiming exploit confirmation.
- Added: Rockwell MicroLogix 1100 authentication-attempt advisory check. Verified active scans can now flag public HTTP model and firmware evidence for MicroLogix 1100 controllers associated with CVE-2017-7898, reporting version-based advisory context without attempting logins, brute force, or industrial protocol probes.
- Added: Log4j 1.2 JDBCAppender advisory check. GitHub repo scans can now flag Log4j 1.2 dependency evidence paired with JDBCAppender SQL configuration for CVE-2022-23305 / GHSA-65fg-84f6-3jq3, reporting repository/config evidence without executing SQL, writing log events, or claiming runtime database compromise.
- Added: Log4j 1.2 JMSAppender advisory check. GitHub repo scans can now flag Log4j 1.2 dependency evidence paired with JMSAppender configuration for CVE-2021-4104 / GHSA-fp5r-v3w9-4333, reporting repository/config evidence without contacting JNDI or JMS services or claiming runtime exploit confirmation.
- Added: Microsoft ATL MS09-035 source advisory check. GitHub repo scans can now flag legacy Visual C++ ATL project metadata paired with ATL source usage associated with CVE-2009-0901/CVE-2009-2493/CVE-2009-2495, reporting source/build advisory evidence without inspecting build machines, sending malformed streams, probing information disclosure, or claiming live code-execution confirmation.
- Added: Langflow CVE-2026-33017 version advisory check. Verified active scans can now flag public Langflow version evidence for CVE-2026-33017 / GHSA-vwmf-pq79-vjvx as a version-based advisory, without submitting flow data, building flows, executing code, or claiming public-flow exploit confirmation.
- Added: Keras CVE-2025-1550 dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow Keras versions affected by CVE-2025-1550 / GHSA-48g7-3x6r-xfhp, reporting version-based advisory evidence without loading model archives, generating payloads, or claiming runtime code-execution confirmation.
- Added: TLS RC4 negotiation advisory check. Verified active scans can now flag TLS endpoints that still select RC4 cipher suites associated with CVE-2015-2808, reporting confirmed RC4 support without capturing traffic or claiming plaintext recovery.
- Added: TLS Sweet32 DES/3DES advisory check. Verified active scans can now flag TLS endpoints that still select DES or 3DES 64-bit block cipher suites associated with CVE-2016-2183, reporting confirmed cipher negotiation without capturing traffic or claiming plaintext recovery.
- Added: Schneider PowerLogic EGX advisory check. Verified active scans can now flag public PowerLogic EGX100 firmware or EGX300 product evidence associated with CVE-2021-22765/CVE-2021-22767/CVE-2021-22768, reporting product/firmware advisory context without sending crafted HTTP packets, querying industrial protocols, crash-testing gateways, or claiming exploit confirmation.
May 27, 2026
- Added: Arcserve UDP CVE-2025-34523 version advisory check. Verified active scans can now flag public Arcserve UDP version evidence for CVE-2025-34523 as a version-based advisory, without sending crafted heap-overflow input, crash-testing the service, authenticating to the console, or claiming command execution.
- Added: Liferay Portal CVE-2010-5327 version advisory check. Verified active scans can now flag public Liferay Portal version evidence for CVE-2010-5327 as a version-based advisory, without authenticating, editing templates, sending template payloads, or claiming command execution.
- Added: ws excessive-header DoS dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve ws versions affected by CVE-2024-37890 / GHSA-3h5v-q93c-6h6q, reporting version-based advisory evidence without sending denial-of-service traffic or claiming runtime WebSocket exposure.
May 25, 2026
- Improved: SPIP version advisory wording. Passive SPIP version findings now distinguish version-fingerprint advisory evidence for CVE-2016-7980 and CVE-2016-7998 from runtime exploit proof, without active CSRF, local-file validation, or template-execution reproduction.
- Fixed: Active scan reliability and SSTI accuracy. Active scans now safely store response-derived evidence that contains unsupported control characters, and SSTI reporting requires stronger target-specific template-evaluation evidence instead of common page or static-asset content.
May 24, 2026
- Added: WebdriverIO BrowserStack service dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve @wdio/browserstack-service versions affected by CVE-2026-25244 / GHSA-5c46-x3qw-q7j7, reporting version-based advisory evidence without running WebdriverIO, starting BrowserStack Local, or using command payloads.
- Added: WordPress REST API user-exposure check. Verified active scans can now report WordPress REST users endpoints that return public user slugs to unauthenticated clients, with medium-severity exposure wording that does not claim WordPress version proof or account compromise.
- Added: Django CSRF dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow Django versions affected by CVE-2011-0696 / GHSA-5j2h-h5hg-3wf8, reporting version-based advisory evidence without running Django, probing state-changing routes, or claiming runtime CSRF exploitability.
- Added: TMT Lockcell SQL injection active check. Verified active scans can now report TMT Lockcell login surfaces whose responses change consistently with CVE-2023-3047, using a bounded login-response comparison that does not run timing delays, follow authenticated redirects, or extract database data.
- Added: OpenSSL PowerPC Poly1305 advisory check. GitHub repo scans can now correlate affected OpenSSL 3.x version evidence with PowerPC build/deployment evidence for CVE-2023-6129, reporting version-and-architecture advisory evidence without reproducing state corruption or denial-of-service behavior.
May 23, 2026
- Added: electerm unauthorized command-execution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2020-23256 / GHSA-x73w-g8hx-v7rp, reporting the result as a version-based advisory without probing or starting electerm services.
- Added: SaltStack Salt dependency advisory check. GitHub repo scans can now flag Python dependency evidence for Salt versions affected by CVE-2017-12791 / GHSA-xxvj-8g5m-4qgw, reporting it as a version-based advisory without probing the Salt master handshake.
- Added: rclone RC fsinfo exposure check. Verified active scans can now confirm unauthenticated rclone Remote Control fsinfo exposure associated with CVE-2026-41179 / GHSA-jfwf-28xr-xw6q, using bounded metadata evidence and executing no commands.
- Added: Apache Tomcat session-persistence advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat versions affected by CVE-2020-9484 / GHSA-344f-f5vg-2jfj, and strengthen the finding when repository configuration also shows FileStore-based PersistentManager session persistence.
- Added: Note Mark dependency advisory check. GitHub repo scans can now flag Go manifests that resolve Note Mark backend versions affected by CVE-2026-44522 / GHSA-g49p-4qxj-88v3, reporting the result as a version-based advisory without uploading files, triggering exports, or claiming live RCE confirmation.
May 20, 2026
- Added: Gogs dependency advisory check. GitHub repo scans can now flag Go manifests that pin Gogs versions affected by CVE-2018-20303 / GHSA-9hxg-w7qf-hh93, reporting version-based advisory evidence rather than path-traversal confirmation.
- Added: deephas prototype-pollution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve deephas versions affected by CVE-2020-28271 / GHSA-4fr2-j4g9-mppf, reporting version-based advisory evidence rather than runtime prototype-pollution confirmation.
- Added: OpenSSL TLSv1.3 session advisory check. GitHub repo scans can now correlate affected OpenSSL version evidence with TLSv1.3 session configuration evidence for CVE-2024-2511, reporting medium-confidence source/config evidence rather than live denial-of-service confirmation.
May 19, 2026
- Improved: electerm Linux install-script coverage. The electerm dependency advisory now includes CVE-2026-41501 / GHSA-8x35-hph8-37hq alongside the existing macOS install-script advisory, limiting the finding to npm manifest and lockfile evidence rather than exploit confirmation.
- Added: GeniXCMS author-route SQL injection check. Verified active scans can now confirm CVE-2017-5517-style database-error behavior on the GeniXCMS author route using target-specific evidence, without data extraction or destructive SQL probes.
- Added: Netmaker DNS key authorization-bypass check. Verified active scans can now confirm CVE-2023-32077 exposure on Netmaker deployments when the read-only DNS API rejects the baseline request but returns DNS record evidence through the legacy DNS key authorization path, without creating, modifying, or deleting records.
- Added: openDCIM source command-injection check. GitHub repo scans can now flag the CVE-2026-28517 source/config pattern in report_network_map.php using source-match evidence, a confidence level, and runtime-exploitability caveats, rather than active command execution.
- Added: SPIP valider_xml XSS check. Verified active scans can now confirm CVE-2016-7981-style unescaped URL reflection on SPIP deployments using target-specific HTML-context evidence, without executing JavaScript in a browser.
- Added: Apache Tomcat Coyote dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat Coyote or embedded-core versions affected by CVE-2025-48989 / GHSA-gqp3-2cvr-x8m3, reporting version-based advisory evidence rather than runtime denial-of-service confirmation.
- Added: veraPDF XSLT dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve veraPDF artifacts affected by CVE-2024-28109 / GHSA-qxqf-2mfx-x8jw, reporting version-based advisory evidence rather than XSLT execution confirmation.
May 18, 2026
- Added: electerm dependency advisory check. GitHub repo scans can flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f and CVE-2026-41501 / GHSA-8x35-hph8-37hq, reporting version-based advisory evidence rather than exploit confirmation.
- Added: OpenCms dependency advisory check. GitHub repo scans can now flag Maven pom.xml files that pin or resolve org.opencms:opencms-core versions affected by CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, reporting version-based advisory evidence rather than XXE exploit confirmation.
- Added: MagicMirror /cors SSRF check. Verified active scans can now confirm CVE-2026-42281 exposure on MagicMirror instances when the unauthenticated /cors endpoint fetches a FixVibe-controlled external callback, without probing internal services.
May 17, 2026
- Added: FUXA hardcoded JWT secret check. Verified active scans can now confirm CVE-2025-69971 exposure on FUXA instances that still trust the vulnerable fallback JWT signing configuration.
- Added: CKAN DataStore SQL exposure check. Verified active scans can now confirm unauthenticated CKAN DataStore SQL access associated with CVE-2026-42031 and guide teams toward patched CKAN release lines or a safer DataStore configuration.
2026-05-16
- Added: PDF.js dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow pdfjs-dist versions affected by CVE-2024-4367 / GHSA-wgrm-67xf-hhpq.
- Added: Active scans via REST API and MCP. Active scans can now be triggered from REST and MCP against verified domains that have been explicitly authorized from the dashboard. Authorization can be revoked at any time.
- Added: Safer authorization levels for active scans. Domain authorization now distinguishes safer automated active checks from deeper active testing, so teams can automate the right level of verification for each domain.
- Added: First-use webhook for API/MCP active scans. A webhook can notify the team the first time an API/MCP-triggered active scan runs against a newly authorized domain.
- Improved: Referrer-Policy findings. Missing or weak Referrer-Policy results now separate URL-referrer leakage from broad information exposure, show document-response evidence, and include generic plus static-host remediation guidance.
- Improved: Permissions-Policy findings. Missing or weak Permissions-Policy results now show feature-level evidence, separate broad feature allowlists from missing hardening, and include generic plus static-host remediation guidance for common hosts, proxies, and app servers.
- Improved: Clickjacking header prompts. Missing X-Frame-Options findings now point agents to CSP frame-ancestors as the modern protection, add Vercel/static SPA header guidance, and verify x-frame-options together with CSP.
- Improved: CSP header evidence and fix prompts. Missing-CSP reports now include clearer hosting and response context plus safer, framework-aware fix guidance.
- Fixed: Vercel path-probe false positives reduced. FixVibe now requires stronger application-specific evidence before reporting exposed framework artifacts on deployments that rewrite unknown routes to the application shell.
- Fixed: Compliance findings no longer carry a misleading CWE label. Previously the legal-compliance checks tagged "missing privacy policy" and "missing terms of service" as CWE-359 (PII exposure), which does not describe the actual gap. These findings now ship without a CWE: they are compliance items, not classifiable security weaknesses.
2026-05-15
- Added: Additional research-informed checks. FixVibe adds more coverage based on recent vulnerability research and maps recurring themes onto the existing scanner modules where coverage already exists.
- Added: Repo secret-leak check. GitHub repo scans can now flag hardcoded vendor keys and high-entropy suspected secret values committed to source, with the evidence redacted and the standard FixVibe rotation prompt attached.
- Added: Vercel deployment protection check. Passive scans can now flag public *.vercel.app generated deployment URLs that respond without Vercel's Pro deployment protection, while the existing header checks continue to audit CSP, HSTS, and browser hardening.
2026-05-14
- Added: LiteLLM dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow LiteLLM versions affected by CVE-2026-42208 / GHSA-r75f-5x8p-qvmc.
- Added: LibreNMS dependency advisory check. GitHub repo scans can now flag Composer manifests that pin or allow LibreNMS versions affected by CVE-2024-51092 / GHSA-x645-6pf9-xwxw.
- Improved: Firebase rules detection. BaaS scans can now detect more Firebase application shapes and use read-only evidence to identify risky public data exposure.
2026-05-13
- Added: Repo Supabase RLS migration check. GitHub repo scans can now flag Supabase SQL migrations that create public tables without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
- Added: Supabase Storage posture check. Passive scans can now review public Supabase storage buckets and anonymous object-listing exposure alongside the existing RLS and key checks.
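The RLS migration check above can be illustrated with a small scanner over migration SQL. This is an added example, not FixVibe's scanner code: it assumes hand-written or supabase-cli style migrations, uses regular expressions rather than a PostgreSQL parser, and treats a commented-out ALTER TABLE as absent. The sample migration is constructed for the example.

```python
"""Supabase RLS migration check (added example, not FixVibe's scanner code).

Scans a migration's SQL text for tables created in the public schema and
reports those never covered by ALTER TABLE ... ENABLE ROW LEVEL SECURITY.
Plain regular expressions, not a full PostgreSQL parser: enough for the
usual hand-written or supabase-cli migration style.
"""
import re

# CREATE TABLE [IF NOT EXISTS] [schema.]name (
CREATE_RE = re.compile(
    r'\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?'
    r'(?:(?P<schema>"?\w+"?)\.)?(?P<name>"?\w+"?)\s*\(',
    re.IGNORECASE,
)
# ALTER TABLE [ONLY] [schema.]name ENABLE ROW LEVEL SECURITY
RLS_RE = re.compile(
    r'\balter\s+table\s+(?:only\s+)?'
    r'(?:(?P<schema>"?\w+"?)\.)?(?P<name>"?\w+"?)\s+'
    r'enable\s+row\s+level\s+security\b',
    re.IGNORECASE,
)
# "--" line comments and /* block */ comments are stripped first, so a
# commented-out ALTER TABLE does not count as enabling RLS.
COMMENT_RE = re.compile(r'--[^\n]*|/\*.*?\*/', re.DOTALL)


def _ident(raw: str) -> str:
    """Normalise an identifier: quoted keeps its case, unquoted folds to lower."""
    return raw[1:-1] if raw.startswith('"') else raw.lower()


def _qualified(m: re.Match) -> str:
    """schema.table, defaulting to the public schema when none is written."""
    schema = _ident(m.group("schema")) if m.group("schema") else "public"
    return f"{schema}.{_ident(m.group('name'))}"


def tables_without_rls(sql: str) -> list:
    """Public tables created in `sql` that never get RLS enabled, in source order."""
    body = COMMENT_RE.sub("", sql)
    created = [_qualified(m) for m in CREATE_RE.finditer(body)]
    enabled = {_qualified(m) for m in RLS_RE.finditer(body)}
    # Only the public schema is exposed through Supabase's anon/PostgREST API.
    return [t for t in created if t.startswith("public.") and t not in enabled]


# Constructed sample migration for the example.
SAMPLE_MIGRATION = """
create table public.profiles (
  id uuid primary key references auth.users(id),
  display_name text
);
alter table public.profiles enable row level security;

create table if not exists orders (
  id bigint generated always as identity primary key,
  user_id uuid not null
);
-- alter table orders enable row level security;  -- never uncommented

create table private.audit_log (id bigint primary key);
"""

if __name__ == "__main__":
    for table in tables_without_rls(SAMPLE_MIGRATION):
        print(f"{table}: created without ENABLE ROW LEVEL SECURITY")
```

Running it on the sample reports only `public.orders`: `profiles` has RLS enabled, the `orders` statement is still commented out, and `private.audit_log` is outside the API-exposed schema.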
- Added: AI-generated code guardrail check. GitHub repo scans can now flag missing security automation around code scanning, secret scanning, dependency updates, and AI-agent instructions.
2026-05-12
- Added: Repo web-app risk checklist. GitHub repo scans can now flag high-confidence OWASP-style code risks such as raw SQL interpolation, unsafe HTML sinks, credentialed wildcard CORS, disabled TLS verification, and weak JWT secret fallbacks.
- Added: Next.js middleware-bypass check. Active scans of verified domains can now confirm CVE-2025-29927 exposure on middleware-protected routes before reporting, and the report includes the standard FixVibe AI fix prompt for remediation.
2026-05-09
- Security: Cross-origin scope hardening. Active scans and client-side asset checks now stay within the authorized target scope and avoid carrying customer-supplied credentials across cross-origin redirects.
- Fixed: Supabase RLS check is now strictly read-only. The Supabase posture check now avoids write attempts and focuses on safe exposure signals. Active testing on verified domains remains the boundary for deeper confirmation.
- Improved: Security-header findings apply only to root HTML responses. Missing CSP, Permissions-Policy, X-Frame-Options, or Referrer-Policy on a 204, JSON API, file download, or 404 no longer produces a finding. HSTS and X-Content-Type-Options are still scored across all responses.
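The scoping rule in the entry above, together with the clickjacking entry from 2026-05-16 (X-Frame-Options or CSP frame-ancestors both count as frame protection), is easy to get wrong in a scanner, so here is an added example of the decision logic. It is not FixVibe's code: `Response`, the `https` flag and the finding ids are hypothetical names chosen for the example, and the sample responses are constructed.

```python
"""Security-header scoping (added example, not FixVibe's scanner code).

Document-only headers (CSP, Permissions-Policy, X-Frame-Options,
Referrer-Policy) are evaluated only on a 200 text/html document response;
HSTS and X-Content-Type-Options are evaluated on every response. Frame
protection counts as present when either X-Frame-Options or a CSP
frame-ancestors directive is set.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    https: bool = True  # HSTS is only meaningful on an HTTPS origin

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_html_document(resp: Response) -> bool:
    """True only for a successful HTML document, not 204/404/JSON/downloads."""
    ctype = (resp.header("Content-Type") or "").lower()
    disposition = (resp.header("Content-Disposition") or "").lower()
    return (
        resp.status == 200
        and ctype.startswith("text/html")
        and not disposition.startswith("attachment")
    )


def has_frame_protection(resp: Response) -> bool:
    """Either X-Frame-Options or a CSP frame-ancestors directive suffices."""
    if resp.header("X-Frame-Options"):
        return True
    csp = resp.header("Content-Security-Policy") or ""
    return any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";"))


def header_findings(resp: Response) -> List[str]:
    findings: List[str] = []
    # Scored on every response, including APIs, downloads and error pages.
    if resp.https and not resp.header("Strict-Transport-Security"):
        findings.append("missing-hsts")
    if (resp.header("X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("missing-nosniff")
    # Document-only policies: silently skipped on anything but a root HTML page.
    if is_html_document(resp):
        if not resp.header("Content-Security-Policy"):
            findings.append("missing-csp")
        if not resp.header("Permissions-Policy"):
            findings.append("missing-permissions-policy")
        if not resp.header("Referrer-Policy"):
            findings.append("missing-referrer-policy")
        if not has_frame_protection(resp):
            findings.append("missing-frame-protection")
    return findings


# Constructed sample responses.
ROOT_HTML = Response(200, {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
})
JSON_API = Response(200, {"Content-Type": "application/json"})
NO_CONTENT = Response(204, {
    "Strict-Transport-Security": "max-age=63072000",
    "X-Content-Type-Options": "nosniff",
})

if __name__ == "__main__":
    for label, resp in [("root", ROOT_HTML), ("api", JSON_API), ("204", NO_CONTENT)]:
        print(label, header_findings(resp))
```

The root document yields only a missing Permissions-Policy (frame protection is satisfied by `frame-ancestors 'none'`), the JSON API yields only the two headers that are scored everywhere, and the 204 yields nothing.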
- Improved: Auth-flow and rate-limit checks now require stronger evidence. FixVibe now reports these issues only when application behaviour clearly supports the finding, reducing noise from generic error pages and unsupported methods.
- Improved: File-upload findings tiered by exploitability evidence. File-upload reports now separate low-confidence acceptance signals from stronger evidence of risky serving behaviour, reducing over-severity on benign upload handlers.
2026-05-07
- Fixed: Threat-intel listing accuracy improved. FixVibe now distinguishes genuine blocklist evidence from resolver diagnostics, so threat-intelligence findings no longer over-report infrastructure-side lookup responses.
- Added: GitHub repo scans. After connecting a repo, FixVibe checks the source for leaked Supabase service keys, Firebase admin tokens, risky workflow files, and outdated dependencies, without loading your deployed site at all. See Scan types.
- Added: SAST checks for high-risk JavaScript. Repo scans now flag new Function() and setTimeout("string"); when the input is untrusted, both are equivalent to eval().
- Fixed: False-positive "exposed file" findings on Vercel / Cloudflare sites. A bare 403 Forbidden response is no longer reported as "file exists"; most edge providers return 403 for suspicious paths whether or not the file exists. We now require a positive HTTP signal before flagging.
- Fixed: Repo-code false positives reduced. Repo scans now avoid flagging security terms in comments, documentation, test helpers, and clearly server-only contexts for several high-signal code checks.
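The eval-equivalent sink check and the comment suppression described in the entries above combine naturally into one small detector. The following is an added example, not FixVibe's SAST engine: it is line-oriented regex matching over JavaScript source (no AST, so multi-line template literals are not handled), and the sample file is constructed.

```python
"""Eval-equivalent JavaScript sink check (added example, not FixVibe's SAST
engine). Flags `new Function(...)` and `setTimeout`/`setInterval` called
with a string-literal callback, and skips comment lines so documentation
and commented-out code do not trigger a finding.
"""
import re
from typing import List, Tuple

NEW_FUNCTION_RE = re.compile(r"\bnew\s+Function\s*\(")
# setTimeout("...") / setInterval('...'): a string callback is evaluated as code.
TIMER_STRING_RE = re.compile(r"\b(setTimeout|setInterval)\s*\(\s*['\"`]")


def find_eval_sinks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, sink_kind, code_line) for each eval-equivalent call."""
    hits: List[Tuple[int, str, str]] = []
    in_block_comment = False
    for no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if in_block_comment:
            in_block_comment = "*/" not in stripped
            continue
        if stripped.startswith("/*"):
            in_block_comment = "*/" not in stripped
            continue
        if stripped.startswith("//"):
            continue
        # Drop a trailing line comment. Crude: a "//" inside a string literal
        # (for example a URL) also truncates the line, which can only hide a hit,
        # never create one.
        code = line.split("//", 1)[0]
        if NEW_FUNCTION_RE.search(code):
            hits.append((no, "new Function()", stripped))
        m = TIMER_STRING_RE.search(code)
        if m:
            hits.append((no, f'{m.group(1)}("string")', stripped))
    return hits


# Constructed sample file; not real project code.
SAMPLE_JS = """\
// Constructed sample file; not real project code.
/* Documented but commented out:
   new Function("return 1")
*/
const safe = setTimeout(() => refresh(), 1000);
const risky = setTimeout("refresh()", 1000);
const compiled = new Function("a", "b", userSuppliedBody); // body comes from a request
function render() { return "ok"; }
"""

if __name__ == "__main__":
    for line_no, kind, code in find_eval_sinks(SAMPLE_JS):
        print(f"line {line_no}: {kind}: {code}")
```

On the sample only lines 6 and 7 are reported; the function-callback `setTimeout` on line 5 and the commented-out `new Function` on line 3 are not.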
- Fixed: A Supabase anon key in localStorage is no longer reported as a JWT-in-storage finding; the anon key is a token intended to be public to clients. Real service-role tokens in browser storage are now flagged as critical, with a clearer title.
- Fixed: CSP weakness detection improved. The Content-Security-Policy check now catches more permissive source policies while focusing evidence and remediation on the effective browser policy.
- Fixed: Reflected-XSS check tightened. Active scans now require stronger reflection evidence before reporting executable-context risk, reducing false positives from unrelated markup on the page.
- Fixed: Domain verification now correctly handles apex ↔ www redirects and explains more clearly which value belongs in the TXT-record Host field.
Format
Every entry is tagged so you can skim quickly:
- Added: a new check, surface, or feature.
- Improved: existing behaviour made better: more accurate, faster, or clearer.
- Fixed: a bug we shipped and subsequently fixed.
- Security: hardening, vulnerability fixes, or compliance changes.
Found a breaking change that is not recorded here? Email support@fixvibe.app.
