Critical Flaws in Base44 Exposed Sensitive Data and Allowed Account Takeovers
Description

Our research uncovered multiple critical vulnerabilities in Base44, an AI-powered platform that lets you turn any idea into a fully functional custom app. These flaws ranged from an open redirect that leaked access tokens, to stored cross-site scripting (XSS), insecure authentication design, sensitive data leakage, and client-side-only enforcement of premium features. Together, they represented a broad attack surface with real-world impact. The vulnerabilities were responsibly disclosed to Base44, and the vendor moved quickly to implement fixes.

Background

Platforms like Base44, Lovable, and Bolt are at the forefront of the “vibe coding” movement, where natural language prompts replace traditional programming. Businesses increasingly rely on them to build internal chatbots, automate workflows, and launch customer-facing applications. But with this rapid adoption comes systemic risk. These platforms handle authentication, data storage, and app hosting at scale. Any flaw in their shared infrastructure cascades across all applications, magnifying the impact of each vulnerability.

Lovable RLS Misconfigurations (CVE-2025-48757): In March 2025, researchers disclosed that Lovable’s Row Level Security (RLS) implementation often left applications with insecure or misaligned access controls. Attackers could bypass frontend checks and directly exfiltrate or corrupt sensitive data.

Over-Sharing by Default: Services like Lovable and similar platforms have been called out for making it…Read More
