CVE-2025-48757

170 of 1,645 Lovable-built apps: zero database security. Anyone could read the data. Lovable's response: not our fault. CVE-2025-48757. CVSS 9.3. The AI writes the code. You own the breach.

Launching Rivetz on Product Hunt tonight. The Lovable + Supabase security specialist. CVE-2025-48757 (CVSS 9.3) hit 170 production Lovable apps in a single weekend from one misconfigured setting. Fixed-price audit and fix. Every other service gives you a report and leaves.

CVE-2025-48757. CVSS 9.3 Critical. Lovable's default RLS configuration exposed 170+ production apps to unauthenticated database access in a single weekend. Here's exactly how the attack works, and what's in your app right now.

170 Lovable apps shipped with Supabase RLS disabled. Every table world-readable via the anon key. Emails, API keys, private rows. Anyone with DevTools could pull them. This was the default. CVE-2025-48757, CVSS 9.3. Fix: one SQL command per table. 🧵

Lovable, v0, Bolt are externalizing security costs onto users who don't know they're being externalized to. 170 RLS-disabled Lovable apps (CVE-2025-48757). 1.5M API tokens leaked from Moltbook. 18,697 student records exposed because Lovable EdTech inverted the auth check. Entire

Top 5 Trending CVEs: 1 - CVE-2025-48757 2 - CVE-2026-34621 3 - CVE-2026-35616 4 - CVE-2026-23654 5 - CVE-2026-5760 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

A fresh warning from developer Morgan Linton says free Lovable accounts can still read other users' AI chat histories, source code, and database credentials on projects created before November 2025. The pattern is the same one that earned the platform CVE-2025-48757 last year.

We published the full breakdown of CVE-2025-48757 — how 170+ Lovable apps got hacked, and the 3 lines of code that would have stopped it. https://t.co/shHDw56EUu

Atlassian just integrated Lovable into Confluence as a third-party agent. The same vibe coding platform that exposed 18K users with CVE-2025-48757 is now building prototypes from enterprise product docs. Nobody learned anything.

Security researchers found 170+ Lovable-built apps leaking all their data through misconfigured Supabase. No Row-Level Security, anonymous API access to every table. It has a CVE now: CVE-2025-48757. Vibe coders keep shipping databases with the front door open.

Vibe Coding Is a Security Disaster Waiting to Happen @karpathy: "I always hit Accept All. I don't read the diffs anymore." Real incidents: Lovable: 303 insecure endpoints exposed (CVE-2025-48757) EnrichLead: $14k leaked OpenAI keys Tea app: 72k photos + 1M messages dumped to h

Vibe Coding Is a Security Disaster Waiting to Happen @karpathy: "I always hit Accept All. I don't read the diffs anymore." Real incidents: Lovable: 303 insecure endpoints exposed (CVE-2025-48757) EnrichLead: $14k leaked OpenAI keys Tea app: 72k photos + 1M messages dumped to h

Vibe Coding Is a Security Disaster Waiting to Happen @karpathy: "I always hit Accept All. I don't read the diffs anymore." Real incidents: Lovable: 303 insecure endpoints exposed (CVE-2025-48757) EnrichLead: $14k leaked OpenAI keys Tea app: 72k photos + 1M messages dumped to h

CVE-2025-48757 An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables… https://t.co/5hBWlYCs76

[CVE-2025-48757: CRITICAL] Beware! An inadequate database security policy in Lovable website until 2025-04-15 enables unauthorized remote access to sensitive data. #cybersecurity#cve,CVE-2025-48757,#cybersecurity https://t.co/CRGGZbMgaI https://t.co/0W44SrgoK8