Show HN: Open-source self-hostable backend – try to break my live instance (48h)

1•ravikantsaini•1h ago

So I've been working on this open source project called Nuvix for a while now — it's basically a self-hostable backend with auth, database, file storage, and a unified API all bundled together.

Anyway, I spun up a live instance on the cloud and figured instead of just asking for feedback the usual way, why not just... let people in and see what happens.

So here you go: Dashboard: https://studio.kraz.in Login: email: test@kraz.in password: testpass

You've got 48 hours. Poke around, break stuff, do your worst. If you find something weird or something that breaks, drop it in the comments or open an issue on the repo — https://github.com/nuvix-dev/nuvix.

Genuinely curious to see what people find. Be brutal.

Comments

freakynit•1h ago

Nicely built.

Can you try running any sql query? Like "select count(*) from todos"? Seems connection limit has reached.

Also, tables are not getting listed as well. Just the cached ones are getting listed, that too go away within few seconds.

with•1h ago

'Failed to execute SQL: too many connections for database "postgres"'

with•58m ago

There are some extremely concerning security vulnerabilities in this project that even the weakest of hackers could exploit.

Is this product a ragebait/troll?

1) Account takeover of any user with just their email: POST /v1/account/recovery with any user's email, the API response gives you the plaintext recovery secret. Call PUT /v1/account/recovery with that secret + a new password. You now own their account. No email inbox access needed. Two curl commands.

2) Password hashes returned by the API: GET /v1/users with any API key returns every user's full argon2 hash, algorithm, and tuning parameters. tested and got $argon2id$v=19$m=65536,t=3,p=4$... for test@kraz.in.

3) CORS reflects any origin with credentials: Send Origin: https://evil.com to any endpoint — server responds with Access-Control-Allow-Origin: https://evil.com + Access-Control-Allow-Credentials: true. Any website on the internet can silently read authenticated API responses from logged-in users

There is literally like 50 more of these though. The author probably didn't spend more than 5 minutes on security hardening.

Ask HN: Do you measure non human traffic impact as a financial metric?

The database that's 1000x faster – SpacetimeDB 2.0 [video]

Show HN: Factagora – AI agents compete on predictions, time proves who's right

Apple removing "Foxconn" from photos of workers at new Houston plant

GPT-OSS Optimizations on Nvidia Blackwell: Pushing the Pareto Frontier

Show HN: Open-source temporary email service using haraka and node

Don't Post on Product Hunt

Submerged Canoes Offer New Insights into Ancestral Traditions Waterways (2025)

Show HN: 1Password Replica (Security Challenge)

The war against PDFs is heating up

Show HN: Add price tags to 50 product photos in minutes (no Canva/PS)

Nvidia's Insane AI Found the Math of Reality [video]

Addition Under Pressure

Show HN: Riverse – Local AI agent with memory that grows over time

SaaS Is Dead. I Buried It in 15 Days. Here's the Proof

The writing was always the cheap part

Is LipoVive Legit? 2026 Reddit and Health Forum Roundup

Agents of Chaos

Socialist Excellence in New York City

Data center developers asked Trump for an exemption from pollution rules

Fry's Food and Drug

Show HN: AgentPass – Identity layer for AI agents (passports, email, trust)

Agent context management: ephemeral vs. durable classification

AI_ATTRIBUTION.md: A Standard for Tracking Creative Control in Human-AI Coding

vLLM WideEP and Large-Scale Serving Toward Maturity on Blackwell (Part I)

Webgrid Eval: LLM vision + tool-use on Neuralink's cursor control task

You Can't Buy a Data Center

I rebuilt Game Boy on web using 1 prompt and 5 parallel agents in 48 hours

SQL Has Problems. We Can Fix Them: Pipe Syntax in SQL [pdf]

Built a Clone of Expedia but Better