Insufficient Database Security in Lovable by Lovable Inc.
CVE-2025-48757

9.3 CRITICAL

Key Information:

Vendor: Lovable

Status
Vendor
CVE Published: 30 May 2025

What is CVE-2025-48757?

An insufficient database Row-Level Security policy in Lovable allows remote unauthenticated attackers to gain unauthorized access to sensitive data. Attackers can read or write to arbitrary database tables associated with any generated site, potentially leading to significant data breaches and the compromise of confidential information. Immediate measures must be taken to address this security flaw to protect user data and maintain the integrity of systems utilizing Lovable.

Affected Version(s)

Lovable 0 <= 2025-04-15

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
