Find security holes AI tools left behind.
Free instant scan. Finds exposed Supabase service keys, missing RLS, open Firebase rules, leaked secrets in your JS bundle, and more.
- No signup required
- 500+ checks performed
- BaaS-aware
- Auth-safe (passive)
Scanner coverage
- 160+ vulnerability classes covered
- 260+ passive checks per scan
- 120+ active checks per scan
- 110+ GitHub checks per scan
Compatible with
Scan websites and apps built with AI coding tools.
Deploy from Cursor, Claude Code, Codex, Lovable, Bolt, v0, Replit, and more. FixVibe checks the shipped URL and repo for security gaps AI-generated apps tend to miss.
- Cursor
- Claude Code
- OpenAI Codex
- GitHub Copilot
- Lovable
- Bolt.new
- v0
- Replit Agent
- Windsurf
- Devin
- Google Jules
- Gemini CLI
- Firebase Studio
- Amazon Q Developer
- JetBrains Junie
- Kiro
- Tabnine
- Qodo
- Sourcegraph Amp
- Continue
- Cline
- Roo Code
- Aider
- OpenCode
- Base44
- Anything
- Builder.io Fusion
- Tempo
- Softgen
- Trae
Latest research
New vulnerabilities, every day.
We track newly disclosed CVEs, GHSA advisories, and BaaS misconfiguration patterns that matter to AI-built apps. Public notes explain impact and safe remediation at a high level.
- critical research note: Dolibarr ERP CRM Remote Code Evaluation (CVE-2018-25357)
Dolibarr ERP CRM contains a critical remote code evaluation (RCE) vulnerability in versions 7.0.0 through 7.0.3. An attacker can exploit this flaw to execute arbitrary code on the host server, potentially leading to full system compromise and data theft.
- critical research note: Authorization Bypass in gRPC-Go via HTTP/2 :path Pseudo-Header (CVE-2026-33186)
A critical vulnerability in gRPC-Go (CVE-2026-33186) allows attackers to bypass authorization checks. The server's routing logic was too lenient when processing HTTP/2 requests in which the ':path' pseudo-header was omitted or malformed, potentially allowing unauthorized access to gRPC services.
- high research note: urllib3 Decompression Bomb Vulnerability (CVE-2026-21441)
urllib3, a widely used Python HTTP client library, contains a vulnerability in its streaming API. When handling large HTTP responses in chunks, the library can perform automatic decoding or decompression. Maliciously crafted compressed responses (decompression bombs) can therefore lead to excessive resource consumption and denial of service.
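The decompression-bomb class described in the urllib3 note, shown from the defender's side as an added example (not FixVibe's code and not urllib3's own implementation): decoding a gzip body chunk by chunk with a hard cap on decoded size, using only the Python standard library. The `BOMB` and `BENIGN` payloads are constructed locally for the demonstration.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when decoded output would exceed the configured budget."""


def bounded_gunzip(chunks, max_decoded_bytes):
    """Decode a gzip body chunk by chunk, enforcing a cap on decoded size."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # 16 = expect gzip framing
    out = bytearray()
    for chunk in chunks:
        budget = max_decoded_bytes - len(out)
        # Ask zlib for at most budget + 1 bytes: one byte over proves the cap is broken,
        # and the bomb never inflates further than that into memory.
        data = d.decompress(chunk, max_length=budget + 1)
        if len(data) > budget:
            raise DecompressionLimitExceeded(f"decoded output exceeds {max_decoded_bytes} bytes")
        out += data
        if d.eof:
            break
    tail = d.flush()
    if len(out) + len(tail) > max_decoded_bytes:
        raise DecompressionLimitExceeded(f"decoded output exceeds {max_decoded_bytes} bytes")
    out += tail
    return bytes(out)


def chunked(data, size):
    """Split a byte string into fixed-size pieces, like a streamed HTTP body."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def is_bomb(compressed, max_decoded_bytes, chunk_size=1024):
    """True if the compressed body cannot be decoded within the budget."""
    try:
        bounded_gunzip(chunked(compressed, chunk_size), max_decoded_bytes)
    except DecompressionLimitExceeded:
        return True
    return False


# Constructed sample: 8 MiB of zeros gzips to a few KiB, which is the shape of a
# decompression bomb served as a Content-Encoding: gzip response.
BOMB = gzip.compress(b"\0" * (8 * 1024 * 1024))
BENIGN = gzip.compress(b"hello world")

if __name__ == "__main__":
    print("bomb rejected:", is_bomb(BOMB, 1024 * 1024))          # True
    print("benign decoded:", bounded_gunzip(chunked(BENIGN, 4), 64))  # b'hello world'
```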
Current research, practical context, and coverage updates when checks ship.