SECURITY ANALYSIS · MARCH 2026
170 Lovable Apps Were Exposed. Here's What Standard Scanners Miss.
CVE-2025-48757 broke unauthenticated data access across 170+ apps. Standard scanners had no idea.
WHAT HAPPENED
Lovable is an AI platform that builds full-stack apps from prompts. CVE-2025-48757 allowed unauthenticated users to access data across 170+ applications built on the platform. The vulnerability was not a dependency issue or a known CVE in a library. It was a logic flaw: missing access control on generated API routes. Anyone who knew - or could guess - an endpoint URL could read the data behind it without logging in.
WHY TRADITIONAL SCANNERS MISSED IT
Tools like Snyk, Dependabot, and Semgrep scan source code for known vulnerable libraries and common code patterns. They are excellent at what they do. But CVE-2025-48757 was not in a library. It was in the application logic - specifically, an API route that forgot to check who was making the request. No dependency version was wrong. No known exploit pattern was present. The code was syntactically fine and lint-clean.
WHAT UNPWNED ACTUALLY CHECKS
UNPWNED does not scan your source code - it scans your live domain. This means it catches what actually runs in production, regardless of how the code was generated or which framework was used.
WHAT UNPWNED DOES NOT CLAIM
No scanner result should be treated as a compliance certificate. UNPWNED finds the obvious holes - the ones your users could stumble on. It does not replace a manual code review of your authentication logic. Use it as a first line of defense, not the last.