Cymero: My Vibe SaaS (Protected)
Findings
Fix these before strangers use your app
Demo findings are showing until your first live scan writes results into Supabase.
Active findings
Plain-English risks ranked by launch impact.
critical | Live | Supabase
Anyone can read your customers table
A Supabase rule change made customer records readable by anonymous users.
supabase/migrations/202605041830_customers.sql:18
12 min ago
critical | Live | AI
AI endpoint accepts anonymous requests
The chat endpoint can call OpenAI without login or a per-user quota.
src/app/api/chat/route.ts:9
28 min ago
high | Preview/code only | Stripe
Stripe webhook is missing signature verification
A webhook handler accepts event payloads without verifying Stripe's signature header.
src/app/api/stripe/webhook/route.ts:14
44 min ago
high | Live | Deploy
OpenAI key found in browser bundle
A private-looking model provider key appears in the deployed JavaScript bundle.
.env.production:4
1 hr ago
medium | Preview/code only | Code
Admin access is protected only in React state
The admin page renders protected controls before a server-side role check.
src/app/admin/page.tsx:31
2 hr ago