VBS-2026-0021 | CRITICAL | CVSS 9 | CWE-863
The Lovable generated-app security class (missing or weak Supabase RLS in generated projects) remains a high-impact risk pattern. The associated CVE is disputed by the vendor, but NVD still tracks the issue and updates metadata as of 2026.
Treat RLS as a deployment gate: block publish when any table lacks strict policies, validate policies with preflight checks, and require ownership-based authorization tests on generated APIs.
How do I check whether my app (generated Supabase schemas, missing or weak RLS policies) is affected by the still-active Lovable generated-app exposure class (CVE-2025-48757, disputed)?
The Lovable generated-app security class (missing or weak Supabase RLS in generated projects) remains a high-impact risk pattern. Search your codebase for the affected patterns (generated Supabase schemas, missing or weak RLS policies, client-accessible database endpoints) and verify that the remediation has been applied. This is rated CVSS 9; treat it as a live incident if your app is already in production.
Why does Lovable generate code with CWE-863 (critical severity)?
The Lovable generated-app security class (missing or weak Supabase RLS in generated projects) remains a high-impact risk pattern. The associated CVE is disputed by the vendor, but NVD still tracks the issue and updates metadata as of 2026.
How do I fix the still-active Lovable generated-app exposure class (CVE-2025-48757, disputed)?
Treat RLS as a deployment gate: block publish when any table lacks strict policies, validate policies with preflight checks, and require ownership-based authorization tests on generated APIs.
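One way to implement the preflight check described above, as an added example that is not Lovable's or Supabase's own tooling: a PostgreSQL catalog query whose result rows are the findings that should block a publish. It assumes application tables live in the `public` schema and that ownership policies reference Supabase's `auth.uid()`; the third check is a heuristic, not a proof of correct authorization.

```sql
-- Preflight RLS gate: each returned row is a finding; fail the publish step if any row comes back.
-- Assumption: application tables live in the "public" schema.
-- Tables with RLS enabled and no policies deny all rows to non-owner roles, so they are not reported.
WITH app_tables AS (
  SELECT c.relname AS table_name, c.relrowsecurity AS rls_enabled
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
  WHERE n.nspname = 'public'
    AND c.relkind IN ('r', 'p')                    -- ordinary and partitioned tables
),
app_policies AS (
  SELECT tablename, policyname, cmd,
         coalesce(qual, '')       AS using_expr,   -- USING (...) predicate
         coalesce(with_check, '') AS check_expr    -- WITH CHECK (...) predicate
  FROM pg_policies
  WHERE schemaname = 'public'
    AND permissive = 'PERMISSIVE'
)
-- 1. RLS is switched off, so any policies on the table are not enforced
SELECT table_name, NULL::name AS policy_name, 'RLS disabled on table' AS finding
FROM app_tables
WHERE NOT rls_enabled

UNION ALL
-- 2. Permissive policy whose predicate is the constant true
SELECT tablename, policyname, 'policy (' || cmd || ') allows every row'
FROM app_policies
WHERE lower(btrim(using_expr, '() ')) = 'true'
   OR lower(btrim(check_expr, '() ')) = 'true'

UNION ALL
-- 3. Heuristic: policy never compares against the caller's identity (assumed to be auth.uid())
SELECT tablename, policyname, 'policy (' || cmd || ') has no auth.uid() ownership check'
FROM app_policies
WHERE using_expr NOT LIKE '%auth.uid()%'
  AND check_expr NOT LIKE '%auth.uid()%'
  AND lower(btrim(using_expr, '() ')) <> 'true'
  AND lower(btrim(check_expr, '() ')) <> 'true'

ORDER BY 1, 2;
```

Run it against a staging copy of the generated schema before publish, and treat finding 3 as a review prompt for tables that are intentionally readable by everyone.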
What is CVE-2025-48757 and how does it affect Lovable projects?
CVE-2025-48757 is a critical-severity CVE with a CVSS score of 9, affecting Lovable. The Lovable generated-app security class (missing or weak Supabase RLS in generated projects) remains a high-impact risk pattern.