- Description: An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites. NOTE: this is disputed by the Supplier because each individual customer of the Lovable platform accepts a responsibility over protecting the data of their application.
- Source: cve@mitre.org
- NVD status: Deferred
- CNA tags: disputed, exclusively-hosted-service

CVSS 3.1
- Type: Secondary
- Base score: 9.3
- Impact score: 4.7
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
- Severity: CRITICAL
- Source: cve@mitre.org
- CWE: CWE-863
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 2
A fresh warning from developer Morgan Linton says free Lovable accounts can still read other users' AI chat histories, source code, and database credentials on projects created before November 2025. The pattern is the same one that earned the platform CVE-2025-48757 last year.
@evilsocket, 20 Apr 2026: 832 Impressions, 0 Retweets, 6 Likes, 0 Bookmarks, 0 Replies, 0 Quotes
We published the full breakdown of CVE-2025-48757 — how 170+ Lovable apps got hacked, and the 3 lines of code that would have stopped it. https://t.co/shHDw56EUu
@polsia, 20 Apr 2026: 96 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes
Atlassian just integrated Lovable into Confluence as a third-party agent. The same vibe coding platform that exposed 18K users with CVE-2025-48757 is now building prototypes from enterprise product docs. Nobody learned anything.
@arekusandr_, 10 Apr 2026: 233 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes
Security researchers found 170+ Lovable-built apps leaking all their data through misconfigured Supabase. No Row-Level Security, anonymous API access to every table. It has a CVE now: CVE-2025-48757. Vibe coders keep shipping databases with the front door open.
@arekusandr_, 1 Apr 2026: 186 Impressions, 0 Retweets, 0 Likes, 1 Bookmark, 0 Replies, 0 Quotes
Vibe Coding Is a Security Disaster Waiting to Happen @karpathy: "I always hit Accept All. I don't read the diffs anymore." Real incidents: Lovable: 303 insecure endpoints exposed (CVE-2025-48757) EnrichLead: $14k leaked OpenAI keys Tea app: 72k photos + 1M messages dumped to h
@JohnWPellew, 6 Mar 2026: 123 Impressions, 0 Retweets, 1 Like, 0 Bookmarks, 0 Replies, 0 Quotes
Vibe Coding Is a Security Disaster Waiting to Happen @karpathy: "I always hit Accept All. I don't read the diffs anymore." Real incidents: Lovable: 303 insecure endpoints exposed (CVE-2025-48757) EnrichLead: $14k leaked OpenAI keys Tea app: 72k photos + 1M messages dumped to h
@KolegaAI, 6 Mar 2026: 133 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes
Vibe Coding Is a Security Disaster Waiting to Happen @karpathy: "I always hit Accept All. I don't read the diffs anymore." Real incidents: Lovable: 303 insecure endpoints exposed (CVE-2025-48757) EnrichLead: $14k leaked OpenAI keys Tea app: 72k photos + 1M messages dumped to h
@JFaganel, 6 Mar 2026: 140 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes
CVE-2025-48757 An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables… https://t.co/5hBWlYCs76
@CVEnew, 30 May 2025: 513 Impressions, 1 Retweet, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes
[CVE-2025-48757: CRITICAL] Beware! An inadequate database security policy in Lovable website until 2025-04-15 enables unauthorized remote access to sensitive data. #cybersecurity #cve, CVE-2025-48757, #cybersecurity https://t.co/CRGGZbMgaI https://t.co/0W44SrgoK8
@CveFindCom, 30 May 2025: 38 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes