resolved
Low-privileged user can enable or disable Lovable AI for new projects in workspace
Bug reported by antonio was disclosed on November 7, 2025, 3:52 am | Improper Authorization
A vulnerability was discovered that allowed low-privileged users to enable or disable Lovable AI for new projects in a workspace. The vulnerability was caused by improper authorization: the relevant API endpoints did not check the caller's role, so a low-privileged user could modify the Lovable AI settings by replaying requests to those endpoints.
resolved
SQL Injection in Django ORM via Unvalidated `_connector` in Q Objects
Bug reported by Stanley Shaw was disclosed on November 6, 2025, 9:09 pm | SQL Injection
A critical SQL injection vulnerability was discovered in the Django ORM's handling of `Q` objects. The internal `WhereNode.as_sql` method used unsafe string formatting to insert the query connector, which an attacker could control through the `_connector` key when creating a `Q` object. This allowed arbitrary SQL to be injected into the WHERE clause, bypassing the ORM's parameterization safeguards.