Find security holes AI tools left behind.
Free instant scan. Finds exposed Supabase service keys, missing RLS, open Firebase rules, leaked secrets in your JS bundle, and more.
- No signup required
- 450+ checks performed
- BaaS-aware
- Auth-safe (passive)
Scanner coverage
- 130+ vulnerability classes covered
- 270+ passive checks / scan
- 120+ active checks / scan
- 80+ GitHub checks / scan
Compatible with
Scan websites and apps built with AI coding tools.
Deploy from Cursor, Claude Code, Codex, Lovable, Bolt, v0, Replit, and more. FixVibe checks the shipped URL and repo for security gaps AI-generated apps tend to miss.
- Cursor
- Claude Code
- OpenAI Codex
- GitHub Copilot
- Lovable
- Bolt.new
- v0
- Replit Agent
- Windsurf
- Devin
- Google Jules
- Gemini CLI
- Firebase Studio
- Amazon Q Developer
- JetBrains Junie
- Kiro
- Tabnine
- Qodo
- Sourcegraph Amp
- Continue
- Cline
- Roo Code
- Aider
- OpenCode
- Base44
- Anything
- Builder.io Fusion
- Tempo
- Softgen
- Trae
Latest research
New vulnerabilities, every day.
We track newly disclosed CVEs, GHSA advisories, and BaaS misconfiguration patterns that matter to AI-built apps. Public notes explain impact and safe remediation at a high level.
- Severity: high, covered by FixVibe
Mastra npm Package Scope Compromise via Stale Contributor Account
Security researchers described a Mastra npm scope compromise caused by stale publisher access. FixVibe GitHub repo scans now cover the repository-evidence side of the incident by flagging easy-day-js manifest and lockfile matches associated with the compromised publish, while explicitly not claiming npm owner inactivity, install-time execution, host compromise, or credential theft.
- Severity: high, covered by FixVibe
SQL Injection in Drupal Core (CVE-2026-9082)
Drupal Core CVE-2026-9082 affects several release lines, with vendor guidance tying the SQL-injection condition to PostgreSQL-backed sites. FixVibe now flags affected drupal/core or drupal/core-recommended Composer evidence in GitHub repo scans without running Drupal, verifying PostgreSQL, sending SQL payloads, or claiming live exploit confirmation.
- Severity: high, covered by FixVibe
Command Injection in kill-port-process (CVE-2019-15609)
kill-port-process versions before 2.2.0 are covered by a FixVibe GitHub repo dependency-advisory check. FixVibe reports affected npm manifest and lockfile evidence and keeps the finding version-based, without running the package or claiming runtime exploit confirmation.
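The three notes above all describe the same kind of finding: a version-based dependency-advisory check that reads a repository's npm manifest and lockfile and reports affected versions without installing or running anything. The block below is an added example of that technique and is not FixVibe's code; it uses the advisory values stated on the page (kill-port-process before 2.2.0, CVE-2019-15609), handles both lockfile v1 (nested `dependencies`) and v2/v3 (flat `packages` map) so hoisted and nested copies are both found, and runs over a constructed sample manifest and lockfile. The `scan`, `findVulnerableEntries` and `manifestDeclares` names are this example's own.

```javascript
// Added example, not FixVibe's code: a version-based npm dependency-advisory
// check. It reports every installed copy of a package whose resolved version is
// below the advisory's fixed version, purely from manifest/lockfile evidence.

// Minimal semver-core comparison (major.minor.patch; pre-release tags ignored).
// Assumption: lockfile versions are concrete "x.y.z" strings, as npm writes them.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Enumerate every installed package in a package-lock.json.
// Lockfile v2/v3: flat "packages" map keyed by install path
//   ("node_modules/foo", "node_modules/a/node_modules/foo"; "" is the root).
// Lockfile v1: tree under "dependencies", nested per package.
function* lockEntries(lock) {
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path || !entry.version) continue;
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      yield { path, name, version: entry.version };
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (entry.version) yield { path, name, version: entry.version };
      yield* walk(entry.dependencies, `${path}/`);
    }
  }
  yield* walk(lock.dependencies, '');
}

// Flag each lockfile entry for the advisory's package below the fixed version.
function findVulnerableEntries(lock, advisory) {
  const hits = [];
  for (const e of lockEntries(lock)) {
    if (e.name === advisory.name && compareVersions(e.version, advisory.fixedIn) < 0) {
      hits.push({ id: advisory.id, path: e.path, version: e.version, fixedIn: advisory.fixedIn });
    }
  }
  return hits;
}

// Report the declared range if the manifest lists the package directly
// (a direct dependency is easier to remediate than a transitive one).
function manifestDeclares(manifest, name) {
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const block = manifest[field];
    if (block && Object.prototype.hasOwnProperty.call(block, name)) return block[name];
  }
  return null;
}

// Advisory values as stated on the page.
const ADVISORY = { id: 'CVE-2019-15609', name: 'kill-port-process', fixedIn: '2.2.0' };

// Constructed sample inputs: one hoisted vulnerable copy, one nested fixed copy.
const SAMPLE_MANIFEST = { name: 'demo', dependencies: { 'kill-port-process': '^2.0.0' } };
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/kill-port-process': { version: '2.1.0' },
    'node_modules/some-tool': { version: '1.0.0' },
    'node_modules/some-tool/node_modules/kill-port-process': { version: '2.2.0' },
  },
};

function scan(manifest, lock, advisory = ADVISORY) {
  return {
    declared: manifestDeclares(manifest, advisory.name),
    findings: findVulnerableEntries(lock, advisory),
  };
}

console.log(JSON.stringify(scan(SAMPLE_MANIFEST, SAMPLE_LOCK_V3), null, 2));
```

On the sample input the scan reports the hoisted `node_modules/kill-port-process@2.1.0` as affected and leaves the nested 2.2.0 copy alone; the finding stays version-based, which is exactly the limit the notes above describe: it says nothing about whether the vulnerable code path is reachable at runtime.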
Current research, practical context, and coverage updates when checks ship.
All research →