Thousands of applications built on no-code AI platforms like Lovable, Base44, Replit, and Netlify are leaking sensitive corporate and personal data publicly online.
A security analysis has uncovered widespread data exposure across applications created using AI-powered, no-code development platforms. The affected services enable rapid web app creation with minimal technical expertise, but thousands of resulting applications are broadcasting confidential information to the open internet.
Platforms implicated in the exposure include Lovable, Base44, Replit, and Netlify—all major players in the low-code and no-code development space. These tools democratize app development by allowing users to build functional web applications in seconds using AI assistance.
However, the speed and simplicity come with a critical security cost. Developers using these platforms have inadvertently exposed API keys, authentication tokens, database credentials, and personal user information. In some cases, the exposed data includes corporate secrets and financial records.
The exposure stems from multiple factors: default insecure configurations, developers unfamiliar with security best practices shipping applications without proper credential management, and platforms not enforcing security guardrails by default. Many of the vulnerable apps remain publicly accessible, presenting ongoing risk to affected organizations and individuals.
The issue highlights a growing concern in the rapid-development space. As barriers to entry lower, security knowledge gaps widen. Users without traditional software development backgrounds may lack understanding of fundamental security principles—particularly around credential handling and environment variable management.
No official response or timeline for remediation has been announced from the affected platforms. Security researchers have typically reported findings to the companies involved, but disclosure patterns remain unclear.
The discovery underscores the need for platform-level security defaults and developer education as AI-assisted development becomes more accessible. Organizations using these platforms should audit their deployed applications for exposed credentials and implement proper secret management practices immediately.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.
Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.