CVE-2025-48757 — Lovable project-enumeration exposure
Lovable's project API exposed project metadata (name, slug, collaborator emails, GitHub repo ID, Firebase token scope) without verifying ownership. Affected 170+ apps at disclosure time and — per Cyber Kendra's April 2026 report — re-broke after the initial patch.
- Lovable (vibe-coding platform) — pre-patch projects, and April 2026 re-break variant
What an attacker does
An attacker enumerated Lovable project IDs and queried the documented project endpoint. Before the patch, the endpoint returned full project metadata including collaborator email addresses and Firebase tokens that could be reused to access other project fields. The April 2026 re-break reintroduced a subset of this exposure.
How to detect
Test your own project ID against Lovable's documented API endpoints — if any response returns another project's metadata without an auth check, you're still exposed. Request Securie access at /scan for automated detection across Lovable projects you own.
How to fix
Contact Lovable support to confirm your project is covered by the latest patch. Rotate collaborator sessions and any Firebase tokens. Audit GitHub repo access for collaborators you did not intend.
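To make the root cause concrete, here is an added illustration (not Lovable's or Securie's code, and not the real Lovable API) that models the project endpoint as a vulnerable handler beside a hardened one, with a self-check that calls a handler as a non-member and reports which sensitive fields came back. All project ids, e-mail addresses, repo ids and tokens are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Project:
    project_id: str
    name: str
    owner: str
    collaborators: list  # collaborator e-mail addresses
    github_repo_id: str
    firebase_token: str


# Constructed sample data; every id, e-mail and token is a placeholder.
PROJECTS = {
    "proj-1": Project("proj-1", "shop", "alice@example.com", ["bob@example.com"], "gh-111", "fb-token-1"),
    "proj-2": Project("proj-2", "blog", "carol@example.com", [], "gh-222", "fb-token-2"),
}

# Fields that must never reach a caller who is not a member of the project.
SENSITIVE_FIELDS = {"collaborators", "github_repo_id", "firebase_token"}


def get_project_vulnerable(requester, project_id):
    """Pre-patch shape of the bug: the handler trusts the id and never asks who is calling."""
    p = PROJECTS[project_id]
    return {"name": p.name, "collaborators": list(p.collaborators),
            "github_repo_id": p.github_repo_id, "firebase_token": p.firebase_token}


def get_project_fixed(requester, project_id):
    """Hardened handler: authorise per object, and hand the Firebase token to the owner only."""
    p = PROJECTS.get(project_id)
    if p is None or (requester != p.owner and requester not in p.collaborators):
        # One error for "does not exist" and "not yours", so ids cannot be confirmed by probing
        raise PermissionError("project not found")
    data = {"name": p.name, "collaborators": list(p.collaborators),
            "github_repo_id": p.github_repo_id}
    if requester == p.owner:
        data["firebase_token"] = p.firebase_token  # collaborators never receive it
    return data


def leaked_to_non_member(handler, project_id, probe_user="probe@example.com"):
    """Self-check: call the handler as a non-member and list any sensitive keys it returned."""
    try:
        return SENSITIVE_FIELDS & set(handler(probe_user, project_id))
    except PermissionError:
        return set()
```

Running `leaked_to_non_member` against your own handler with a user who holds no role on the project is the same check the detection step above describes: an empty set means the ownership check is in place, anything else names the fields that are exposed.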
How Securie catches CVE-2025-48757
Securie flags Lovable exports that contain exposed Firebase tokens and scopes them against the intent graph of your routes. Request access at /scan for a review.