
Changelog

FixVibe scan-engine updates: new coverage, safety improvements, and accuracy improvements. Newest entries first.

May 18, 2026

  • Added: electerm dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f, with version-based advisory evidence rather than exploit confirmation.
  • Added: OpenCms dependency advisory check. GitHub repo scans can now flag Maven pom.xml files that pin or resolve org.opencms:opencms-core versions affected by CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, with version-based advisory evidence rather than XXE exploit confirmation.

May 17, 2026

  • Added: FUXA hardcoded JWT secret check. Verified active scans can now confirm CVE-2025-69971 exposure on FUXA instances that still trust the vulnerable fallback JWT signing configuration.
  • Added: CKAN DataStore SQL exposure check. Verified active scans can now confirm unauthenticated CKAN DataStore SQL access associated with CVE-2026-42031 and guide teams to patched CKAN release lines or safer DataStore configuration.

May 16, 2026

  • Added: PDF.js dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow pdfjs-dist versions affected by CVE-2024-4367 / GHSA-wgrm-67xf-hhpq.
  • Added: Active scans via REST API and MCP. Active scans can now be triggered from REST and MCP against verified domains that have been explicitly authorized from the dashboard. Authorization is revocable at any time.
  • Added: Safer authorization levels for active scans. Domain authorization now distinguishes safer automated active checks from deeper active testing, so teams can automate the right level of verification for each domain.
  • Added: First-use webhook for API/MCP active scans. A webhook can notify teams the first time an API/MCP-triggered active scan runs against a newly authorized domain.
  • Improved: Referrer-Policy findings. Missing or weak Referrer-Policy results now separate URL-referrer leakage from broad information exposure, show document-response evidence, and include generic plus static-host remediation guidance.
  • Improved: Permissions-Policy findings. Missing or weak Permissions-Policy results now show feature-level evidence, separate broad feature allowlists from missing hardening, and include generic plus static-host remediation guidance for common hosts, proxies, and app servers.
  • Improved: Clickjacking header prompts. Missing X-Frame-Options findings now point agents to CSP frame-ancestors as the modern protection, add Vercel/static SPA header guidance, and verify x-frame-options with CSP.
  • Improved: CSP header evidence and fix prompts. Missing-CSP reports now include clearer hosting and response context plus safer framework-aware remediation guidance.
  • Fixed: Vercel path-probe false positives reduced. FixVibe now requires stronger application-specific evidence before reporting exposed framework artifacts on deployments that rewrite unknown routes to the app shell.
  • Fixed: Compliance findings no longer carry a misleading CWE label. Previously the legal-compliance check tagged "missing privacy policy" and "missing terms of service" as CWE-359 (PII exposure), which does not describe the actual gap. These findings now carry no CWE; they are compliance items, not classifiable security weaknesses.

May 15, 2026

  • Added: Additional research-informed checks. FixVibe shipped more coverage based on recent vulnerability research and mapped duplicate topics to existing scanner modules where coverage already existed.
  • Added: Repository secret-leak check. GitHub repo scans can now flag hardcoded vendor secrets and high-entropy suspected secret values committed to source, redact the related evidence, and attach the standard FixVibe rotation prompt.
  • Added: Vercel deployment protection check. Passive scans can now flag public *.vercel.app generated deployment URLs that respond without Vercel Deployment Protection, while existing header checks continue to audit CSP, HSTS, and browser hardening.

May 14, 2026

  • Added: LiteLLM dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow LiteLLM versions affected by CVE-2026-42208 / GHSA-r75f-5x8p-qvmc.
  • Added: LibreNMS dependency advisory check. GitHub repo scans can now flag Composer manifests that pin or allow LibreNMS versions affected by CVE-2024-51092 / GHSA-x645-6pf9-xwxw.
  • Improved: Firebase rules detection. BaaS scans now detect more Firebase app shapes and use read-only evidence to identify risky public data exposure.

May 13, 2026

  • Added: Repo Supabase RLS migration check. GitHub repo scans can now flag Supabase SQL migrations that create public tables without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
  • Added: Supabase Storage posture check. Passive scans can now review public Supabase Storage buckets and anonymous object-listing exposure alongside existing RLS and key checks.
  • Added: AI-generated code guardrail check. GitHub repo scans can now flag missing security automation around code scanning, secret scanning, dependency updates, and AI-agent instructions.
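As an added illustration of the Supabase RLS migration check above (example code written for this changelog, not FixVibe's own scanner), a small Python checker run over a constructed migration file: it collects tables created in the public schema and reports those without a matching ENABLE ROW LEVEL SECURITY statement, ignoring commented-out statements so a disabled ALTER does not count as protection.

```python
import re

# Constructed sample migration (not from any real project): profiles gets RLS,
# orders only has a commented-out ALTER, and audit_log is outside the public schema.
SAMPLE_MIGRATION = """
create table public.profiles (
  id uuid primary key references auth.users(id),
  username text
);
alter table public.profiles enable row level security;

CREATE TABLE IF NOT EXISTS public."orders" (
  id bigint generated always as identity primary key,
  user_id uuid not null,
  total numeric
);
-- alter table public.orders enable row level security;   (left commented out)

create table private.audit_log (id bigint primary key);
"""

# Matches CREATE TABLE [IF NOT EXISTS] [schema.]table, with optional double quotes.
CREATE_RE = re.compile(
    r'\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?'
    r'(?:"?(?P<schema>\w+)"?\.)?"?(?P<table>\w+)"?',
    re.IGNORECASE,
)
# Matches ALTER TABLE [ONLY] [schema.]table ENABLE ROW LEVEL SECURITY.
ENABLE_RLS_RE = re.compile(
    r'\balter\s+table\s+(?:only\s+)?'
    r'(?:"?(?P<schema>\w+)"?\.)?"?(?P<table>\w+)"?\s+enable\s+row\s+level\s+security\b',
    re.IGNORECASE,
)


def strip_comments(sql: str) -> str:
    """Remove -- line comments so commented-out statements are not counted."""
    return re.sub(r"--[^\n]*", "", sql)


def _qualify(m: "re.Match[str]") -> str:
    """Normalise a match to lower-case schema.table; Postgres defaults to public."""
    return f"{(m.group('schema') or 'public').lower()}.{m.group('table').lower()}"


def tables_missing_rls(sql: str) -> list[str]:
    """Return public-schema tables created in `sql` with no matching ENABLE ROW LEVEL SECURITY.

    Only the public schema is in scope because that is what Supabase exposes through
    its auto-generated API; private schemas are reported elsewhere or not at all.
    """
    sql = strip_comments(sql)
    created = {_qualify(m) for m in CREATE_RE.finditer(sql)}
    protected = {_qualify(m) for m in ENABLE_RLS_RE.finditer(sql)}
    return sorted(t for t in created - protected if t.startswith("public."))
```

Run it over each file under supabase/migrations/ and treat a non-empty result as a finding; the table names tell you which ALTER statements are missing.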

May 12, 2026

  • Added: Repo web-app risk checklist. GitHub repo scans can now flag high-confidence OWASP-style code risks such as raw SQL interpolation, unsafe HTML sinks, credentialed wildcard CORS, disabled TLS verification, and weak JWT secret fallbacks.
  • Added: Next.js middleware-bypass check. Active scans for verified domains can now confirm CVE-2025-29927 exposure on middleware-protected routes before reporting it, and reports include the standard FixVibe AI fix prompt for remediation.

May 9, 2026

  • Security: Cross-origin scope hardening. Active scans and client-asset checks now stay within the authorized target scope and avoid carrying customer-provided credentials across cross-origin redirects.
  • Fixed: Supabase RLS check is now strictly read-only. Supabase posture checks now avoid write attempts and focus on safe exposure signals. Verified-domain active testing remains the boundary for deeper confirmation.
  • Improved: Security-header findings apply only to root HTML responses. A missing CSP, Permissions-Policy, X-Frame-Options or Referrer-Policy on a 204, JSON API, file download or 404 response no longer produces a finding. HSTS and X-Content-Type-Options are still scored across all responses.
  • Improved: Auth-flow and rate-limit checks now require stronger evidence. FixVibe now reports these issues only when the application behavior clearly supports the finding, reducing noise from generic error pages and unsupported methods.
  • Improved: File-upload findings are now tiered by exploitability evidence. File-upload reports now separate low-confidence acceptance signals from stronger evidence of risky serving behavior, reducing over-severity on benign upload handlers.

May 7, 2026

  • Fixed: Threat-intel listing accuracy improved. FixVibe now distinguishes real blocklist evidence from resolver diagnostics so threat-intel findings do not over-report on infrastructure-side lookup responses.
  • Added: GitHub repo scans. After connecting a repo, FixVibe checks the source for leaked Supabase service keys, Firebase admin tokens, risky workflow files and outdated dependencies, without ever loading your deployed site. See Scan types.
  • Added: SAST checks for high-risk JavaScript. Repo scans now flag new Function() and setTimeout("string"); when fed untrusted input, both are equivalent to eval().
  • Fixed: False "exposed file" findings on Vercel / Cloudflare sites. 403 Forbidden responses are no longer reported as "file exists"; most edge providers return 403 for suspicious-looking paths whether or not the file exists. A positive HTTP signal is now required before flagging.
  • Fixed: Repo-code false positives reduced. Repo scans now avoid flagging security terms in comments, documentation, test helpers, and clearly server-only contexts for several high-signal code checks.
  • Fixed: A Supabase anon key in localStorage is no longer reported as a JWT-in-storage finding; the anon key is a client token that is expected to be public. Genuine service-role tokens in browser storage are now rated critical, with a clearer title.
  • Fixed: CSP weakness detection improved. Content-Security-Policy checks now catch more permissive source policies while keeping evidence and remediation focused on the effective browser policy.
  • Fixed: Reflected-XSS check tightened. Active scans now require stronger reflection evidence before reporting executable-context risk, reducing false positives from unrelated markup on the page.
  • Fixed: Domain verification now handles apex ↔ www redirects correctly and explains more clearly which value belongs in the TXT-record Host field.

Format

Each entry carries a tag so you can skim quickly:

  • Added: a new check, surface or feature.
  • Improved: existing behavior made better: more accurate, faster, clearer.
  • Fixed: a bug we shipped and later fixed.
  • Security: hardening, vulnerability fixes or compliance changes.

Found something broken that is not recorded here? Email support@fixvibe.app
