Find security holes AI tools left behind.
Free instant scan. Finds exposed Supabase service keys, missing RLS, open Firebase rules, leaked secrets in your JS bundle, and more.
- No signup required
- 500+ checks performed
- BaaS-aware
- Auth-safe (passive)
Scanner coverage
- 170+ vulnerability classes covered
- 270+ passive checks / scan
- 120+ active checks / scan
- 120+ GitHub checks / scan
Compatible with
Scan websites and apps built with AI coding tools.
Deploy from Cursor, Claude Code, Codex, Lovable, Bolt, v0, Replit, and more. FixVibe checks the shipped URL and repo for security gaps AI-generated apps tend to miss.
- Cursor
- Claude Code
- OpenAI Codex
- GitHub Copilot
- Lovable
- Bolt.new
- v0
- Replit Agent
- Windsurf
- Devin
- Google Jules
- Gemini CLI
- Firebase Studio
- Amazon Q Developer
- JetBrains Junie
- Kiro
- Tabnine
- Qodo
- Sourcegraph Amp
- Continue
- Cline
- Roo Code
- Aider
- OpenCode
- Base44
- Anything
- Builder.io Fusion
- Tempo
- Softgen
- Trae
Latest research
New vulnerabilities, every day.
We track newly disclosed CVEs, GHSA advisories, and BaaS misconfiguration patterns that matter to AI-built apps. Public notes explain impact and safe remediation at a high level.
- critical | research note
Rancher Command Injection via Unsanitized YAML Parameter (CVE-2026-44939)
A critical command injection vulnerability (CVE-2026-44939) in Rancher versions 2.14.0 and 2.14.1 allows remote code execution. The flaw exists in the processing of unsanitized YAML parameters, potentially leading to full system compromise. Users should upgrade to version 2.14.2.
- critical | research note
Apache Derby LDAP Injection in Authenticator (CVE-2022-46337)
A critical vulnerability (CVE-2022-46337) exists in Apache Derby versions 10.1.1.0 to 10.1.3.1. The LDAP authenticator fails to properly sanitize user-supplied input, allowing attackers to perform LDAP injection. This can lead to authentication bypass or unauthorized information disclosure from the directory service.
- critical | research note
Arbitrary File Write in Rollup via Path Traversal (CVE-2026-27606)
Rollup, a popular JavaScript module bundler, is vulnerable to an arbitrary file write flaw. Insecure file name sanitization in the core engine allows attackers to perform path traversal, potentially overwriting critical system or application files during the build process. This affects versions prior to 2.80.0, 3.30.0, and 4.59.0.
Current research, practical context, and coverage updates when checks ship.