Find security holes AI tools left behind.
Free instant scan. Finds exposed Supabase service keys, missing RLS, open Firebase rules, leaked secrets in your JS bundle, and more.
- No signup required
- 500+ checks performed
- BaaS-aware
- Auth-safe (passive)
Scanner coverage
- 200+
- vulnerability classes covered
- 270+
- passive checks / scan
- 120+
- active checks / scan
- 140+
- GitHub checks / scan
Compatible with
Scan websites and apps built with AI coding tools.
Deploy from Cursor, Claude Code, Codex, Lovable, Bolt, v0, Replit, and more. FixVibe checks the shipped URL and repo for security gaps AI-generated apps tend to miss.
- Cursor
- Claude Code
- OpenAI Codex
- GitHub Copilot
- Lovable
- Bolt.new
- v0
- Replit Agent
- Windsurf
- Devin
- Google Jules
- Gemini CLI
- Firebase Studio
- Amazon Q Developer
- JetBrains Junie
- Kiro
- Tabnine
- Qodo
- Sourcegraph Amp
- Continue
- Cline
- Roo Code
- Aider
- OpenCode
- Base44
- Anything
- Builder.io Fusion
- Tempo
- Softgen
- Trae
Latest research
New vulnerabilities, every day.
We track newly disclosed CVEs, GHSA advisories, and BaaS misconfiguration patterns that matter to AI-built apps. Public notes explain impact and safe remediation at a high level.
- criticalresearch note
Unauthenticated RCE in Progress LoadMaster via API Command Injection (CVE-2026-8037)
Progress ADC LoadMaster appliances are vulnerable to a critical unauthenticated remote code execution (RCE) vulnerability. The flaw exists in the API's handling of multiple command endpoints, where unsanitized input allows attackers to inject and execute arbitrary OS commands on the appliance.
- criticalcovered by FixVibe
Command Injection in curlrequest (CVE-2020-7646)
`curlrequest` through 1.0.1 is associated with CVE-2020-7646 / GHSA-m8xj-5v73-3hh8. FixVibe covers it with GitHub repo dependency evidence for affected npm manifest and lockfile entries, without executing curlrequest, invoking curl, reading files, running proof payloads, or claiming live command execution.
- highcovered by FixVibe
Authenticated Command Injection in Nginx-UI (CVE-2024-22198)
Nginx-UI releases before the fixed Go pseudo-version 1.9.10-0.20231219184941-827e76c46e63, and application beta releases before 2.0.0.beta.9, are affected by an authenticated command-injection flaw. FixVibe reports repository dependency evidence as a version-based advisory and does not claim live command execution from repo evidence alone.
Current research, practical context, and coverage updates when checks ship.
All research →