CVE-2025-48757: An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to...

9.3 CVSS

Description

An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites.

Classification

CVE ID: CVE-2025-48757

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Problem Types

CWE-863 Incorrect Authorization

Affected Products

Vendor: Lovable

Product: Lovable

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.67% (scored less or equal to compared to others)

EPSS Date: 2025-05-30 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-48757
https://docs.lovable.dev/changelog
https://mattpalmer.io/posts/CVE-2025-48757/
https://gist.github.com/lhchavez/625ee42a6c408a850d35e50f8e649de9
https://x.com/danialasaria/status/1911862269996118272

Timeline

2025-05-30 03:40:17 UTC
CVE

An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to...