Changelog
FixVibe scanning-engine updates: new coverage, security improvements, and accuracy improvements. Newest entries first.
2026-07-02
- Fixed: Legal-link false positives reduced. Privacy and terms links that are visible after client-side rendering now count correctly, so SPA footers are not reported as missing when users can see those links.
June 30, 2026
- Added: Label Studio CVE-2025-47783 reflected XSS check. Verified active scans now flag Label Studio upload-example responses when target-specific label_config evidence shows raw HTML metacharacter reflection, without executing JavaScript, using victim sessions, reading tokens, or storing project data.
- Added: AVideo CVE-2023-25313 / GHSA-pgvh-p3g4-86jw advisory. Repo scans flag affected wwbn/avideo Composer manifests and lockfiles below 12.4 with version-based evidence only; no AVideo login, video-link submission, video creation, request-delay checks, command execution, or runtime exploit claim.
- Added: GL.iNet GL-MT3000 CVE-2026-11451 advisory. Verified active scans flag GL.iNet GL-MT3000 firmware 4.4.5 as version-based advisory evidence only; no router authentication, FTP-setting changes, file writes, command input, or command-execution claim.
- Improved: Schneider Modicon M221 remote-reboot coverage. The existing passive Modicon M221 firmware check now correlates the same strong public HTTP product and firmware-version evidence with CVE-2018-7789 as well as CVE-2018-7790 and reports it as version-based advisory context; it does not send reboot probes, query Modbus, replay authentication, upload PLC programs, or claim confirmed exploitation.
- Added: Mbed TLS CVE-2024-45159 repo advisory coverage. GitHub repo scans now flag source and build metadata for affected Mbed TLS 3.2.0 through 3.6.0 releases, reporting version-based advisory evidence without client-certificate probes, TLS handshake testing, or authentication-bypass confirmation.
- Added: Oracle Java SE/GraalVM CVE-2022-21340 repo advisory coverage. GitHub repo scans now flag explicit Oracle Java SE or Oracle GraalVM Enterprise runtime metadata, reporting version-based advisory evidence without running Java, sandbox-code proof, denial-of-service traffic, or runtime exploit confirmation.
- Added: OpenSSL CMS CVE-2025-15467 advisory. GitHub repo scans now flag affected OpenSSL CMS release-line evidence and report branch-aware source/config evidence without crash, denial-of-service, or code-execution reproduction.
- Added: codfish semantic-release GitHub Action compromise check. Repo scans can now flag workflow YAML references to codfish/semantic-release-action refs associated with the June 2026 compromise, reporting source/config evidence only. The check does not run GitHub Actions, read CI secrets, inspect runners, or claim credential theft.
- Added: Spring Data Commons property-path advisory coverage. GitHub repo scans now report Maven/Gradle dependency evidence for Spring Data Commons versions associated with CVE-2018-1274 / GHSA-5q8m-mqmx-pxp9. The finding stays version-based and does not run the app, probe Spring Data REST endpoints, send crafted property-path parameters, stress CPU or memory, or claim denial-of-service confirmation.
- Added: vm2 Promise species advisory coverage. GitHub repo scans now report npm manifest and lockfile evidence for vm2 versions associated with CVE-2026-47208 / GHSA-76w7-j9cq-rx2j. The finding stays version-based and does not run the app, execute sandbox-breakout proof-of-concept code, inspect live workers, or claim host command execution.
- Added: pyLoad /flashgot advisory coverage. GitHub repo scans now report Python manifest and lockfile evidence for pyload-ng versions associated with CVE-2024-47821 / GHSA-w7hq-f2pj-c53g. The finding stays version-based and does not run pyLoad, send /flashgot requests, change settings, download files, write script directories, or claim command execution.
- Added: SAP Cloud SDK for AI Python advisory check. GitHub repo scans now flag Python manifest and lockfile evidence for sap-ai-sdk-base versions affected by CVE-2023-25617 / GHSA-xxhh-59gh-6ffx as version-based advisory evidence, without running Python, connecting to SAP BusinessObjects, scheduling Program Objects, sending command-injection input, or claiming OS command execution.
- Added: Gradio Windows/Python path traversal advisory check. GitHub repo scans now flag Gradio dependency evidence for CVE-2026-28414 / GHSA-39mp-8hj3-5c49 and raise confidence when repository configuration also points to Windows with Python 3.13+, without requesting Gradio file endpoints, sending traversal input, reading files, or claiming live arbitrary file read.
29 Jun 2026
- Added: MISP STIX import source advisory coverage. GitHub repo scans now report source evidence for CVE-2018-19908 in app/Model/Event.php when original STIX filenames flow into shell command construction. The check uses repository source evidence and does not run MISP, import files, or claim runtime command execution.
- Added: MindsDB status version advisory coverage. Verified active scans now include MindsDB /api/status version evidence for CVE-2026-27483 when the public status endpoint reports a release before 25.9.1.1. This read-only check does not upload files, send traversal filenames, or claim remote-code execution.
- Added: NiceGUI upload filename source advisory check. GitHub repo scans now include CVE-2026-25732 coverage when affected NiceGUI dependency evidence appears with upload-handler source that saves paths built from client-supplied filenames. The check reports source/dependency evidence without uploading files, writing outside upload directories, or claiming code execution.
June 18, 2026
- Added: SillyTavern SearXNG SSRF active check. Verified active scans now report only direct evidence that a SillyTavern SearXNG search proxy fetched a FixVibe-controlled external callback URL. The probe avoids localhost, cloud metadata, private-network targets, and internal-service requests.
- Added: Glances REST API unauthenticated exposure check. Verified active scans can now confirm whether the scanned origin exposes Glances REST API identity information and metric-shaped responses without authentication. FixVibe records only the response shape and avoids collecting broad API dumps, process lists, command lines, configuration, or secrets.
- Added: Spring Data Commons + XMLBeam advisory coverage. GitHub repo scans now report paired Maven/Gradle dependency evidence for Spring Data Commons and XMLBeam versions associated with CVE-2018-1259 / GHSA-m929-7fr6-cvjg. The finding stays version-based and does not run the app, send XML payloads, probe endpoints, read local files, or claim SSRF confirmation.
- Added: Moby AuthZ dependency advisory check. GitHub repo scans can now flag Go module manifests that resolve Moby or Docker Engine versions affected by CVE-2026-34040 / GHSA-x744-4wpc-v9h2, reporting version-based advisory evidence without connecting to Docker APIs, probing AuthZ plugins, sending crafted requests, or claiming confirmed authorization bypass.
- Added: NGINX rewrite-module config advisory check. GitHub repo scans can now correlate affected NGINX version evidence with rewrite-module configuration evidence for CVE-2026-42945, without running NGINX, sending traffic, or claiming memory-corruption proof.
- Added: SQLitePCLRaw NuGet advisory check. GitHub repo scans can now flag .NET project and NuGet lockfile evidence for affected SQLitePCLRaw native SQLite packages tied to CVE-2025-6965 / GHSA-2m69-gcr7-jv3q, without claiming memory-corruption proof.
- Added: gemini-mcp-tool CVE-2026-0755 advisory. Repo scans flag affected npm manifest and lockfile versions for GHSA-4h5r-5jm8-jxjm with repository version evidence only. The check does not run the MCP server, send command or @file probes, trigger callbacks, read local files, or assert runtime exploit confirmation.
- Added: Mastra easy-day-js advisory check. GitHub repo scans flag easy-day-js manifest and lockfile evidence tied to the June 2026 Mastra npm incident. The finding stays limited to repository dependency evidence and does not verify stale npm owners, run package scripts, inspect hosts, or assert credential theft.
- Added: Drupal Core CVE-2026-9082 advisory check. GitHub repo scans flag Composer manifest and lockfile versions for GHSA-ghwc-95x2-682j with repository version evidence only. The check does not run Drupal, verify PostgreSQL, send SQL payloads, extract data, or assert runtime exploit confirmation.
- Added: Paramiko SSH-server authentication advisory check. GitHub repo scans can now flag Python dependency files that resolve Paramiko releases affected by CVE-2018-7750 / GHSA-232r-66cg-79px, reporting version-based advisory evidence without starting an SSH server, sending bypass traffic, or claiming deployed server-mode exposure.
- Added: Apache Tomcat HTTP/2 resource-consumption dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat releases affected by CVE-2020-11996 / GHSA-53hp-jpwq-2jgq, reporting version-based advisory evidence without running Tomcat, sending HTTP/2 denial-of-service traffic, generating high-CPU proof traffic, or claiming runtime availability impact.
- Added: @andrei-tatar/nora-firebase-common prototype-pollution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve @andrei-tatar/nora-firebase-common versions affected by CVE-2024-30564 / GHSA-jjff-q3q4-5hh8, reporting version-based advisory evidence without running the package, mutating Object.prototype, sending proof payloads, or claiming runtime exploit confirmation.
- Added: cordova-plugin-inappbrowser Android advisory check. GitHub repo scans can now flag npm manifests, lockfiles, and Cordova config.xml files that resolve cordova-plugin-inappbrowser versions affected by CVE-2019-0219 / GHSA-c6pw-q7f2-97hv, reporting version-based advisory evidence without building mobile binaries, loading proof content, exercising plugin bridge behavior, or claiming confirmed exploitability of deployed Android apps.
- Added: Nokogiri libxslt RubyGems advisory coverage. GitHub repo scans now report Gemfile, Gemfile.lock, and gemspec evidence for Nokogiri releases affected by CVE-2019-18197 / GHSA-242x-7cm6-4w8j. The check uses version-based RubyGems evidence and does not run Ruby, process XML or XSLT input, crash-test libxslt, or claim runtime exploit confirmation.
- Added: Perl GD CPAN advisory coverage. GitHub repo scans now report CPAN dependency evidence for Perl GD releases affected by CVE-2026-11526. The check uses version-based repository evidence and does not run Perl, process image files, pass crafted filenames to GD::Image constructors, or claim command-execution or file-overwrite confirmation.
- Added: kill-port-process CVE-2019-15609 advisory check. GitHub repo scans flag affected npm manifest and lockfile versions for GHSA-xp4x-j9vh-c3wf, reporting version evidence only. The check does not run the package, send command payloads, terminate processes, or assert runtime exploit confirmation.
- Added: proxy npm advisory coverage. GitHub repo scans can now report repository dependency evidence for proxy releases associated with CVE-2023-2968 / GHSA-mj6p-3pc9-wf5m. The finding stays version-based and does not run proxy, send crafted request traffic, crash-test services, or claim runtime denial-of-service confirmation.
- Added: Apache ActiveMQ Artemis Jolokia dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve org.apache.activemq:artemis-cli versions affected by CVE-2023-50780 / GHSA-443j-grxv-2pgv, reporting version-based advisory evidence without authenticating to Jolokia, enumerating MBeans, changing Log4J2 configuration, writing files, restarting services, or claiming live RCE confirmation.
- Added: Apache ActiveMQ Artemis dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that pin or allow artemis-server versions affected by CVE-2026-27446 / GHSA-fw88-pf9m-p947, reporting version-based advisory evidence without connecting to brokers, triggering federation callbacks, or claiming message injection/exfiltration confirmation.
- Added: Apache Spark UI dependency advisory check. GitHub repo scans can now flag Maven, Gradle, and PySpark dependency files that pin or allow Apache Spark versions affected by CVE-2022-33891 / GHSA-4x9r-j582-cgr8, reporting version-based advisory evidence without visiting Spark UI, sending active exploit probes, or claiming command-execution confirmation.
- Added: vLLM pickle-deserialization dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow vllm versions affected by CVE-2024-9053 / GHSA-cj47-qj6g-x7r4, reporting version-based advisory evidence without running vLLM, exposing AsyncEngineRPCServer, sending pickle payloads, or claiming runtime code-execution confirmation.
- Added: Apache Airflow example-DAG advisory coverage. GitHub repo scans can now report repository dependency evidence for Airflow releases associated with CVE-2024-45498 / GHSA-c392-whpc-vfpr. The finding stays version-based and does not probe Airflow UI, trigger DAGs, run command payloads, or claim runtime exploit confirmation.
- Added: ONNX download_model_with_test_data advisory coverage. GitHub repo scans now report Python dependency evidence for onnx releases affected by CVE-2024-5187 / GHSA-6rq9-53c3-f7vj and add source-call context when download_model_with_test_data appears. The check does not run Python, download or extract model archives, create malicious tar files, overwrite files, or claim runtime exploit confirmation.
- Added: YOURLS type-juggling dependency advisory check. GitHub repo scans can now flag Composer and YOURLS source-version evidence for yourls/yourls releases affected by CVE-2019-14537 / GHSA-vf23-f26f-mjj9, reporting version-based advisory evidence without calling the YOURLS API, sending authentication-bypass requests, probing admin pages, or claiming unauthorized access.
- Added: http4k-format-xml dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve org.http4k:http4k-format-xml versions affected by CVE-2024-55875 / GHSA-7mj5-hjjj-8rgw, reporting version-based advisory evidence without sending XML payloads, SSRF callbacks, local-file reads, or denial-of-service traffic.
June 14, 2026
- Fixed: DOM XSS fragment probe stability. Verified active scans now skip the DOM fragment probe cleanly when browser automation is unavailable at startup, so reports no longer show internal browser-context errors for that check.
- Improved: Expanded Red Hat npm worm coverage. GitHub repo scans now include additional Wiz-reported @redhat-cloud-services package versions for the Miasma campaign, while still reporting repository dependency evidence without installing packages, executing lifecycle scripts, or claiming credential theft.
- Added: Known npm typosquat package check. GitHub repo scans can now flag package manifests and lockfiles that resolve Microsoft-reported vpmdhaj npm typosquat package versions, reporting version-based advisory evidence without installing packages, executing lifecycle scripts, fetching tarballs, contacting attacker infrastructure, or claiming credential theft.
- Added: Codex Remote UI token-stealing npm package check. GitHub repo scans can now flag package manifests and lockfiles that resolve codexui-android 0.1.82 or newer, reporting version-based advisory evidence without installing the package, executing it, reading Codex auth files, contacting exfiltration infrastructure, or claiming token theft.
- Added: Claude Code GitHub Action workflow repo check. GitHub repo scans can now flag Claude Code Action workflows with mutable action refs, broad workflow token permissions, or risky access override inputs, reporting workflow YAML evidence without running Actions, executing Claude Code, reading CI secrets, or claiming prompt-injection exploitation.
- Added: onering Rust crate malware repo check. GitHub repo scans can now flag Cargo manifests or lockfiles that resolve onering 1.4.1 or the known compromised onering git commit, and can flag matching checked-in build.rs evidence, without running Cargo, executing build scripts, fetching crates, or claiming source exfiltration.
- Added: Node-gyp / Phantom Gyp npm worm repo check. GitHub repo scans can now flag package manifests or lockfiles that resolve known malicious npm package versions from the binding.gyp supply-chain campaign, or flag matching binding.gyp source evidence, without running npm install, executing node-gyp, downloading tarballs, or claiming credential theft.
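The workflow check described in the Claude Code GitHub Action entry above looks for two static conditions that any repository scanner can evaluate without running Actions: action references that are not pinned to a full commit SHA, and permissions blocks that grant broad write scopes. The following is an added example, not FixVibe's code and not a reproduction of its rules; it reads the workflow as plain text, which is enough for these line-oriented fields. The workflow, the action names and the 40-hex SHA are constructed placeholders, and the "risky access override inputs" part of the check is not modelled because the page does not name those inputs.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example, not FixVibe code: flags unpinned/mutable `uses:` refs and
# broad write permissions in GitHub Actions workflow YAML, treated as text.

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
PERM_RE = re.compile(r"^(\s*)permissions:\s*(\S*)")
SCOPE_RE = re.compile(r"^(\s*)([a-z-]+):\s*(read|write|none)\s*$")
# Token scopes that let a step alter the repository or mint identities.
BROAD_SCOPES = {"contents", "id-token", "pull-requests", "actions", "packages"}


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def classify_ref(spec: str) -> str:
    """Classify a `uses:` value as local, sha (immutable), unpinned or mutable."""
    if spec.startswith("./"):
        return "local"
    if spec.startswith("docker://"):
        return "sha" if "@sha256:" in spec else "mutable"
    _, _, ref = spec.partition("@")
    if not ref:
        return "unpinned"
    return "sha" if SHA_RE.match(ref) else "mutable"


def check_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    perm_indent = None  # indentation of an open multi-line `permissions:` block
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if perm_indent is not None:
            if indent > perm_indent:
                sm = SCOPE_RE.match(line)
                if sm and sm.group(3) == "write" and sm.group(2) in BROAD_SCOPES:
                    findings.append(Finding(n, "broad-permission", f"{sm.group(2)}: write"))
                continue
            perm_indent = None  # block closed by a dedent
        pm = PERM_RE.match(line)
        if pm:
            if pm.group(2) == "write-all":
                findings.append(Finding(n, "broad-permission", "permissions: write-all"))
            elif pm.group(2) == "":
                perm_indent = len(pm.group(1))
            continue
        um = USES_RE.match(line)
        if um:
            spec = um.group(1)
            kind = classify_ref(spec)
            if kind == "mutable":
                findings.append(Finding(n, "mutable-ref", f"{spec} is a tag/branch, not a commit SHA"))
            elif kind == "unpinned":
                findings.append(Finding(n, "mutable-ref", f"{spec} has no ref at all"))
    return findings


# Constructed sample workflow; action names and the 40-hex SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: assistant-review
on: [pull_request]
permissions:
  contents: write
  id-token: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
      - uses: example-org/assistant-action@main
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

On the sample the check reports the two write scopes and the two tag/branch references, and stays silent on the SHA-pinned and local steps. A tag such as v4 can be moved by the action's maintainer or by an attacker who compromises the action repository, which is why the finding recommends a full commit SHA rather than a floating ref.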
June 11, 2026
- Improved: Moxa NPort authentication advisory coverage. The existing verified-active Moxa NPort firmware check now correlates the same strong HTTP model and firmware evidence with CVE-2016-9361 as part of the MCSA-160401 advisory family, while still reporting a version-based advisory without attempting password retries, brute-force checks, firmware uploads, unauthenticated administrative actions, SNMP queries, serial-device protocol probes, crash tests, or exploit confirmation.
- Improved: Moxa NPort unauthenticated firmware-update advisory coverage. The existing verified-active Moxa NPort firmware check now correlates the same strong HTTP model and firmware evidence with CVE-2016-9369 as part of the MCSA-160401 advisory family, while still reporting a version-based advisory without attempting firmware uploads, unauthenticated administrative actions, SNMP queries, serial-device protocol probes, crash tests, or exploit confirmation.
- Added: Schneider Modicon M221 firmware advisory check. Passive scans can now flag strong public HTTP product and firmware-version evidence for Modicon M221 controllers associated with CVE-2018-7790, reporting version-based advisory context without capturing credentials, replaying authentication, querying Modbus, uploading PLC programs, or claiming unauthorized-access confirmation.
- Added: Langflow CVE-2025-34291 CORS advisory check. Verified active scans can now flag affected Langflow instances when target-specific version evidence is paired with credentialed CORS origin reflection, without authenticating, reading tokens, triggering refresh flows, or claiming code-execution confirmation.
- Added: SiteOmat BOS version advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14728 as a version-based advisory, without attempting default credentials, SSH login, broad port scans, state-changing management actions, or unauthorized access.
- Added: SiteOmat login SQL injection advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14851 as a version-based advisory, without submitting login forms, sending SQL injection payloads, attempting authentication bypass, accessing post-login pages, or making state-changing management requests.
- Added: SiteOmat CGI buffer-overflow advisory check. Verified active scans can now flag public SiteOmat BOS version evidence associated with CVE-2017-14854 as a version-based advisory, without sending crafted CGI input, overflow payloads, crash tests, broad port scans, state-changing management actions, or exploit requests.
- Added: Kubernetes externalIPs manifest advisory check. GitHub repo scans can now flag Kubernetes Service manifests that declare non-empty spec.externalIPs as source/config hardening evidence for CVE-2020-8554, without inspecting live clusters, checking RBAC, sending traffic, or claiming traffic interception.
- Added: Apache Tomcat EncryptInterceptor dependency advisory check. GitHub repo scans can now flag Maven and Gradle files that resolve exact Tomcat releases associated with CVE-2026-34486 / GHSA-69r9-qgr7-g2wj, reporting version-based advisory evidence without running Tomcat, inspecting cluster traffic, sending crafted Tribes packets, or claiming plaintext-disclosure confirmation.
- Added: Apache Tomcat h2c request mix-up dependency advisory check. GitHub repo scans can now flag Maven and Gradle files that resolve Tomcat embedded-core or Coyote versions affected by CVE-2021-25122 / GHSA-j39c-c8hj-x4j3, reporting version-based advisory evidence without running Tomcat, sending h2c upgrade requests, capturing traffic, or claiming information-disclosure confirmation.
- Added: PickleScan ZIP CRC dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow PickleScan versions affected by CVE-2025-10156 / GHSA-mjqp-26hc-grxg, reporting version-based advisory evidence without running PickleScan, creating corrupted archives, loading models, or claiming runtime code-execution confirmation.
- Added: NLTK Zip Slip dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow NLTK versions affected by CVE-2025-14009 / GHSA-7p94-766c-hgjp, reporting version-based advisory evidence without running Python or NLTK, calling nltk.download(), extracting packages, creating malicious archives, or claiming runtime code-execution confirmation.
- Added: TanStack ArkType adapter malware dependency check. GitHub repo scans can now flag package manifests and lockfiles that resolve @tanstack/arktype-adapter to malicious versions 1.166.12 or 1.166.15 from CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx, reporting version-based advisory evidence without running npm install, executing lifecycle scripts, downloading tarballs, or claiming credential theft.
- Added: Mbed TLS CVE-2021-44732 repo advisory check. GitHub repo scans can now flag source and build metadata that identify Mbed TLS versions affected by CVE-2021-44732, reporting version-based advisory evidence without running Mbed TLS, forcing out-of-memory behavior, calling session-copy APIs, or claiming live double-free confirmation.
- Added: IIS TRACK method exposure check. Verified active scans can now flag legacy TRACK echo behavior associated with CVE-2003-1567 using non-sensitive request evidence, without sending cookies, credentials, browser exploit pages, user traffic, or state-changing requests.
- Added: Red Hat npm worm dependency advisory check. GitHub repo scans can now flag package manifests and lockfiles that resolve known compromised @redhat-cloud-services npm versions associated with the credential-stealing worm campaign, reporting dependency evidence without executing install scripts or claiming credential theft.
- Added: DICOM executable preamble check. GitHub repo scans can now flag committed DICOM files whose Part 10 preamble carries executable-file evidence, reporting static file evidence without executing the file or claiming production compromise.
June 10, 2026
- Added: Mbed TLS CVE-2023-45199 repo advisory check. GitHub repo scans can now flag source and build metadata that identify Mbed TLS 3.2.x through 3.4.x, reporting version-based advisory evidence without sending TLS handshake payloads or claiming live memory corruption.
- Added: Rockwell MicroLogix 1100 advisory fingerprint. Passive scans can now flag strong public HTTP evidence of a Rockwell Automation MicroLogix 1100 controller associated with CVE-2021-33012, reporting advisory context without sending industrial protocol commands or claiming denial-of-service behavior.
- Added: Moxa NPort firmware advisory check. Verified active scans can now flag public HTTP model and firmware-version evidence for Moxa NPort devices associated with CVE-2016-9363, reporting version-based advisory context without sending crafted packets, querying SNMP, testing serial-device services, or claiming exploit confirmation.
- Added: Rockwell MicroLogix 1100 authentication-attempt advisory check. Verified active scans can now flag public HTTP model and firmware evidence for MicroLogix 1100 controllers associated with CVE-2017-7898, reporting version-based advisory context without attempting logins, brute force, or industrial protocol probes.
- Added: Log4j 1.2 JDBCAppender advisory check. GitHub repo scans can now flag Log4j 1.2 dependency evidence paired with JDBCAppender SQL configuration for CVE-2022-23305 / GHSA-65fg-84f6-3jq3, reporting repository/config evidence without executing SQL, writing log events, or claiming runtime database compromise.
- Added: Log4j 1.2 JMSAppender advisory check. GitHub repo scans can now flag Log4j 1.2 dependency evidence paired with JMSAppender configuration for CVE-2021-4104 / GHSA-fp5r-v3w9-4333, reporting repository/config evidence without contacting JNDI or JMS services or claiming runtime exploit confirmation.
- Added: Microsoft ATL MS09-035 source advisory check. GitHub repo scans can now flag legacy Visual C++ ATL project metadata paired with ATL source usage associated with CVE-2009-0901/CVE-2009-2493/CVE-2009-2495, reporting source/build advisory evidence without inspecting build machines, sending malformed streams, probing information disclosure, or claiming live code-execution confirmation.
- Added: Langflow CVE-2026-33017 version advisory check. Verified active scans can now flag public Langflow version evidence for CVE-2026-33017 / GHSA-vwmf-pq79-vjvx as a version-based advisory, without submitting flow data, building flows, executing code, or claiming public-flow exploit confirmation.
- Added: Keras CVE-2025-1550 dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow Keras versions affected by CVE-2025-1550 / GHSA-48g7-3x6r-xfhp, reporting version-based advisory evidence without loading model archives, generating payloads, or claiming runtime code-execution confirmation.
- Added: TLS RC4 negotiation advisory check. Verified active scans can now flag TLS endpoints that still select RC4 cipher suites associated with CVE-2015-2808, reporting confirmed RC4 support without capturing traffic or claiming plaintext recovery.
- Added: TLS Sweet32 DES/3DES advisory check. Verified active scans can now flag TLS endpoints that still select DES or 3DES 64-bit block cipher suites associated with CVE-2016-2183, reporting confirmed cipher negotiation without capturing traffic or claiming plaintext recovery.
- Added: Schneider PowerLogic EGX advisory check. Verified active scans can now flag public PowerLogic EGX100 firmware or EGX300 product evidence associated with CVE-2021-22765/CVE-2021-22767/CVE-2021-22768, reporting product/firmware advisory context without sending crafted HTTP packets, querying industrial protocols, crash-testing gateways, or claiming exploit confirmation.
May 27, 2026
- Added: Arcserve UDP CVE-2025-34523 version advisory check. Verified active scans can now flag public Arcserve UDP version evidence for CVE-2025-34523 as a version-based advisory, without sending crafted heap-overflow input, crash-testing the service, authenticating to the console, or claiming command execution.
- Added: Liferay Portal CVE-2010-5327 version advisory check. Verified active scans can now flag public Liferay Portal version evidence for CVE-2010-5327 as a version-based advisory, without authenticating, editing templates, sending template payloads, or claiming command execution.
- Added: ws excessive-header DoS dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve ws versions affected by CVE-2024-37890 / GHSA-3h5v-q93c-6h6q, reporting version-based advisory evidence without sending denial-of-service traffic or claiming runtime WebSocket exposure.
May 25, 2026
- Improved: SPIP version advisory wording. Passive SPIP version findings now distinguish version-fingerprint advisory evidence for CVE-2016-7980 and CVE-2016-7998 from runtime exploit proof, without active CSRF, local-file validation, or template-execution reproduction.
- Fixed: Active scan reliability and SSTI accuracy. Active scans now safely store response-derived evidence that contains unsupported control characters, and SSTI reporting requires stronger target-specific template-evaluation evidence instead of common page or static-asset content.
May 24, 2026
- Added: WebdriverIO BrowserStack service dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve @wdio/browserstack-service versions affected by CVE-2026-25244 / GHSA-5c46-x3qw-q7j7, reporting version-based advisory evidence without running WebdriverIO, starting BrowserStack Local, or using command payloads.
- Added: WordPress REST API user-exposure check. Verified active scans can now report WordPress REST users endpoints that return public user slugs to unauthenticated clients, with medium-severity exposure wording that does not claim WordPress version proof or account compromise.
- Added: Django CSRF dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow Django versions affected by CVE-2011-0696 / GHSA-5j2h-h5hg-3wf8, reporting version-based advisory evidence without running Django, probing state-changing routes, or claiming runtime CSRF exploitability.
- Added: TMT Lockcell SQL injection active check. Verified active scans can now report TMT Lockcell login surfaces whose responses change consistently with CVE-2023-3047, using a bounded login-response comparison that does not run timing delays, follow authenticated redirects, or extract database data.
- Added: OpenSSL PowerPC Poly1305 advisory check. GitHub repo scans can now correlate affected OpenSSL 3.x version evidence with PowerPC build/deployment evidence for CVE-2023-6129, reporting version-and-architecture advisory evidence without reproducing state corruption or denial-of-service behavior.
May 23, 2026
- Added: electerm unauthenticated command-execution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2020-23256 / GHSA-x73w-g8hx-v7rp, reporting the result as a version-based advisory without probing or starting electerm services.
- Added: SaltStack Salt dependency advisory check. GitHub repo scans can now flag Python dependency evidence for Salt versions affected by CVE-2017-12791 / GHSA-xxvj-8g5m-4qgw, reporting it as a version-based advisory without probing the Salt master handshake.
- Added: rclone RC fsinfo exposure check. Verified active scans can now confirm unauthenticated rclone Remote Control fsinfo exposure associated with CVE-2026-41179 / GHSA-jfwf-28xr-xw6q, using bounded metadata evidence and executing no commands.
- Added: Apache Tomcat session-persistence advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat versions affected by CVE-2020-9484 / GHSA-344f-f5vg-2jfj, and strengthen the finding when repository configuration also shows FileStore-based PersistentManager session persistence.
- Added: Note Mark dependency advisory check. GitHub repo scans can now flag Go manifests that resolve Note Mark backend versions affected by CVE-2026-44522 / GHSA-g49p-4qxj-88v3, reporting the result as a version-based advisory without uploading files, triggering exports, or claiming live RCE confirmation.
May 20, 2026
- Added: Gogs dependency advisory check. GitHub repo scans can now flag Go manifests that pin Gogs versions affected by CVE-2018-20303 / GHSA-9hxg-w7qf-hh93, reporting version-based advisory evidence rather than path-traversal confirmation.
- Added: deephas prototype-pollution advisory check. GitHub repo scans can now flag npm manifests and lockfiles that resolve deephas versions affected by CVE-2020-28271 / GHSA-4fr2-j4g9-mppf, using version-based advisory evidence rather than runtime prototype-pollution confirmation.
- Added: OpenSSL TLSv1.3 session advisory check. GitHub repo scans can now correlate affected OpenSSL version evidence with TLSv1.3 session configuration evidence for CVE-2024-2511, reporting medium-confidence source/config evidence rather than live denial-of-service confirmation.
May 19, 2026
- Improved: electerm Linux install-script coverage. electerm dependency advisories now include CVE-2026-41501 / GHSA-8x35-hph8-37hq alongside the existing macOS install-script advisory, limiting the finding to npm manifest and lockfile evidence rather than exploit confirmation.
- Added: GeniXCMS author-route SQL injection check. Verified active scans can now use target-specific evidence to confirm CVE-2017-5517-style database-error behavior on the GeniXCMS author route, without data extraction or destructive SQL probes.
- Added: Netmaker DNS key authorization-bypass check. Verified active scans can now confirm CVE-2023-32077 exposure on Netmaker deployments when the read-only DNS API rejects the baseline request but returns DNS-record evidence through the legacy DNS authorization path, without creating, modifying, or deleting records.
- Added: openDCIM source command-injection check. GitHub repo scans can now flag the CVE-2026-28517 source/config pattern in report_network_map.php using source-match evidence, a confidence level, and runtime-exploitability caveats rather than active command execution.
- Added: SPIP valider_xml XSS check. Verified active scans can now use target-specific HTML-context evidence to confirm CVE-2016-7981-style reflection of unescaped URLs on SPIP deployments, without executing JavaScript in a browser.
- Added: Apache Tomcat Coyote dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve Tomcat Coyote or embedded-core versions affected by CVE-2025-48989 / GHSA-gqp3-2cvr-x8m3, using version-based advisory evidence rather than runtime denial-of-service confirmation.
- Added: veraPDF XSLT dependency advisory check. GitHub repo scans can now flag Maven and Gradle build files that resolve veraPDF artifacts affected by CVE-2024-28109 / GHSA-qxqf-2mfx-x8jw, using version-based advisory evidence rather than XSLT execution confirmation.
May 18, 2026
- Added: electerm dependency advisory check. GitHub repo scans can now flag npm manifests and lockfiles that pin or allow electerm versions affected by CVE-2026-41500 / GHSA-wxw2-rwmh-vr8f and CVE-2026-41501 / GHSA-8x35-hph8-37hq, reporting version-based advisory evidence.
- Added: OpenCms dependency advisory check. GitHub repo scans can now flag Maven pom.xml files that pin or resolve org.opencms:opencms-core versions affected by CVE-2023-42344 / GHSA-rcc6-6q2f-m2cw, using version-based advisory evidence rather than XXE exploit confirmation.
- Added: MagicMirror /cors SSRF check. Verified active scans can now confirm CVE-2026-42281 exposure on MagicMirror instances when the unauthenticated /cors endpoint fetches a FixVibe-controlled external callback, without probing internal services.
May 17, 2026
- Added: FUXA hardcoded JWT secret check. Verified active scans can now confirm CVE-2025-69971 exposure on FUXA instances that still trust the vulnerable fallback JWT signing configuration.
- Added: CKAN DataStore SQL exposure check. Verified active scans can now confirm unauthenticated CKAN DataStore SQL access associated with CVE-2026-42031 and guide teams toward a patched CKAN release line or a safer DataStore configuration.
16 May 2026
- 新增PDF.js dependency advisory check. GitHub repo 掃描現在可以標記 npm 清單和鎖定文件,這些清單和鎖定文件固定或允許受 CVE-2024-4367 / GHSA-wgrm-67xf-hhpq 影響的 pdfjs-dist 版本。
- 新增Active scans via REST API and MCP. 現在可以從REST 和MCP 針對已從儀表板明確授權的已驗證網域觸發主動掃描。授權可隨時撤銷。
- 新增Safer authorization levels for active scans. 網域授權現在可以區分更安全的自動主動檢查和更深入的主動測試,因此團隊可以為每個網域自動執行正確等級的驗證。
- 新增First-use webhook for API/MCP active scans. 首次針對新授權的網域執行 API/MCP-triggered 主動掃描時,Webhook 可以通知團隊。
- Improved Referrer-Policy findings. Missing or weak Referrer-Policy results now separate URL-referrer leakage from broad information exposure, show document-response evidence, and include generic plus static-host remediation guidance.
- Improved Permissions-Policy findings. Missing or weak Permissions-Policy results now show feature-level evidence, separate broad feature allowlists from missing hardening, and include generic plus static-host remediation guidance for common hosts, proxies, and app servers.
- Improved clickjacking header prompts. Missing X-Frame-Options findings now point agents to CSP frame-ancestors as the modern protection, add Vercel/static SPA header guidance, and verify x-frame-options together with CSP.
- Improved CSP header evidence and fix prompts. Missing-CSP reports now include clearer hosting and response context and safer framework-aware remediation guidance.
- Fixed Vercel path-probe false positives reduced. FixVibe now requires stronger application-specific evidence before reporting exposed framework artifacts on deployments that rewrite unknown routes to the application shell.
- Fixed Compliance findings no longer carry misleading CWE labels. Legal-compliance checks previously labelled "missing privacy policy" and "missing terms of service" as CWE-359 (PII exposure), which does not describe the actual gap. These findings now carry no CWE; they are compliance items, not classifiable security weaknesses.
15 May 2026
- Added Additional research-informed checks. FixVibe adds more coverage based on recent vulnerability research and maps duplicate themes onto the existing scanner modules where coverage already exists.
- Added Repository secret-leak check. GitHub repo scans can now flag hardcoded vendor keys and high-entropy suspected secret values committed to source, with the evidence redacted and the standard FixVibe rotation prompt attached.
- Added Vercel deployment protection check. Passive scans can now flag publicly generated *.vercel.app deployment URLs that respond without Vercel Pro deployment protection, while the existing header checks continue to audit CSP, HSTS, and browser hardening.
14 May 2026
- Added LiteLLM dependency advisory check. GitHub repo scans can now flag Python dependency files that pin or allow LiteLLM versions affected by CVE-2026-42208 / GHSA-r75f-5x8p-qvmc.
- Added LibreNMS dependency advisory check. GitHub repo scans can now flag Composer manifests that pin or allow LibreNMS versions affected by CVE-2024-51092 / GHSA-x645-6pf9-xwxw.
- Improved Firebase rules detection. BaaS scans can now detect more Firebase app shapes and use read-only evidence to identify risky public data exposure.
13 May 2026
- Added Repo Supabase RLS migration check. GitHub repo scans can now flag Supabase SQL migrations that create public tables without a matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
- Added Supabase Storage posture check. Passive scans can now review public Supabase storage buckets and anonymous object-listing exposure alongside the existing RLS and key checks.
- Added AI-generated code guardrail check. GitHub repo scans can now flag missing security automation around code scanning, secret scanning, dependency updates, and AI-agent instructions.
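As an added illustration of the Supabase RLS migration check in the 13 May entry above (example code, not FixVibe's own scanner), this Python script reads a migration and reports public-schema tables created without a matching enable-RLS statement; the migration text at the bottom is a constructed sample.

```python
import re

# Added example, not FixVibe's own scanner: a minimal form of the Supabase RLS
# migration check described above. It reports tables created in the public
# schema with no matching ALTER TABLE ... ENABLE ROW LEVEL SECURITY statement.
# The sample migration at the bottom is constructed for illustration.

_IDENT = r'"?\w+"?'
CREATE_TABLE_RE = re.compile(
    r"create\s+table\s+(?:if\s+not\s+exists\s+)?"
    rf"(?:(?P<schema>{_IDENT})\.)?(?P<table>{_IDENT})", re.IGNORECASE)
ENABLE_RLS_RE = re.compile(
    rf"alter\s+table\s+(?:only\s+)?(?:(?P<schema>{_IDENT})\.)?(?P<table>{_IDENT})"
    r"\s+enable\s+row\s+level\s+security", re.IGNORECASE)


def _strip_comments(sql: str) -> str:
    """Drop /* */ and -- comments so a commented-out RLS line does not count."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    return re.sub(r"--[^\n]*", " ", sql)


def _public_tables(pattern: re.Pattern, sql: str) -> set:
    """Table names matched by pattern, unquoted and lowercased, public schema only."""
    names = set()
    for m in pattern.finditer(sql):
        schema = (m.group("schema") or "public").strip('"').lower()
        if schema == "public":
            names.add(m.group("table").strip('"').lower())
    return names


def tables_missing_rls(sql: str) -> list:
    """Sorted public tables created in this migration without RLS enabled."""
    sql = _strip_comments(sql)
    return sorted(_public_tables(CREATE_TABLE_RE, sql) - _public_tables(ENABLE_RLS_RE, sql))


SAMPLE_MIGRATION = """
-- constructed sample: profiles is protected, orders is not
create table public.profiles (id uuid primary key, display_name text);
alter table "public"."profiles" enable row level security;
create table if not exists "orders" (id bigint primary key, user_id uuid not null);
create table private.audit_log (id bigint primary key);  -- not public, ignored
"""

if __name__ == "__main__":
    print(tables_missing_rls(SAMPLE_MIGRATION))  # ['orders']
```

Tables in schemas other than public (auth, storage, private) are ignored, and a commented-out enable-RLS line does not count as protection.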
12 May 2026
- Added Repo web-app risk checklist. GitHub repo scans can now flag high-confidence OWASP-style code risks such as raw SQL interpolation, unsafe HTML sinks, credentialed wildcard CORS, disabled TLS verification, and weak JWT secret fallbacks.
- Added Next.js middleware-bypass check. Active scans of verified domains can now confirm CVE-2025-29927 exposure on middleware-protected routes before reporting, and the report includes the standard FixVibe AI fix prompt for remediation.
9 May 2026
- Security Cross-origin scope hardening. Active scans and client-side asset checks now stay within the authorized target scope and avoid carrying customer-supplied credentials across cross-origin redirects.
- Fixed Supabase RLS check is now strictly read-only. The Supabase posture check now avoids write attempts and focuses on safe exposure signals. Verified-domain active testing remains the boundary for deeper confirmation.
- Improved Security-header findings apply only to root HTML responses. A missing CSP, Permissions-Policy, X-Frame-Options, or Referrer-Policy on a 204, JSON API, file download, or 404 no longer produces a finding. HSTS and X-Content-Type-Options are still scored across all responses.
- Improved Auth-flow and rate-limit checks now require stronger evidence. FixVibe now reports these issues only when application behaviour clearly supports the finding, reducing noise from generic error pages and unsupported methods.
- Improved File-upload findings tiered by exploitability evidence. File-upload reports now separate low-confidence acceptance signals from stronger evidence of risky serving behaviour, reducing over-severity on benign upload handlers.
7 May 2026
- Fixed Threat-intel listing accuracy improved. FixVibe now distinguishes genuine blocklist evidence from resolver diagnostics, so threat-intel findings do not over-report infrastructure-side lookup responses.
- Added GitHub repo scans. Once a repo is connected, FixVibe checks the source for leaked Supabase service keys, Firebase admin tokens, risky workflow files, and outdated dependencies, without loading your deployed site at all. See Scan types.
- Added SAST checks for high-risk JavaScript. Repo scans now flag new Function() and setTimeout("string"); both are equivalent to eval() when fed untrusted input.
- Fixed False "exposed file" findings on Vercel / Cloudflare sites. Bare 403 Forbidden responses are no longer reported as "file exists"; most edge providers return 403 for suspicious-looking paths whether or not the file exists. A positive HTTP signal is now required before flagging.
- Fixed Repo-code false positives reduced. Repo scans now avoid flagging security terms in comments, documentation, test helpers, and clearly server-only contexts for several high-signal code checks.
- Fixed Supabase anon key in localStorage is no longer reported as a JWT-in-storage finding; the anon key is a client token that is public by design. Genuine service-role tokens in browser storage are now critical, with a clearer title.
- Fixed CSP weakness detection improved. Content-Security-Policy checks now catch more permissive source policies while focusing evidence and remediation on the effective browser policy.
- Fixed Reflected-XSS check tightened. Active scans now require stronger reflection evidence before reporting executable-context risk, reducing false positives from unrelated markup on the page.
- Fixed Domain verification now correctly handles apex ↔ www redirects and explains more clearly which value belongs in the TXT-record Host field.
Format
Each entry carries a label so you can skim quickly:
- Added A new check, surface, or feature.
- Improved Existing behaviour made better: more accurate, faster, or clearer.
- Fixed A bug we shipped and later fixed.
- Security Hardening, vulnerability fixes, or compliance changes.
Found something broken that is not recorded here? Email support@fixvibe.app.
