// lead-gen scan — real AI, real bugs
Scan your last 10 PRs.
Get a real bug report.
Paste your public GitHub repo. PullLight runs the same AI review it uses in production on your last 10 merged PRs and emails you the findings. No install needed.
// what you'll receive
10 PR deep-scan
Same AI model and prompt used in production. No toy detector — real bugs.
Severity breakdown
Critical, high, medium, low counts with top 3 findings shown inline.
Email report in ~5 min
Every finding links back to the PR and line number. Mobile-friendly.
// bugs PullLight has already caught
CRITICAL
SQL Injection leading to OS Command Execution via timeZone
twentyhq/twenty 1.7.7–1.16.7 interpolates the timeZone GraphQL variable directly into a raw SQL template literal — any …
HIGH
WebSocket Upgrade Handler SSRF
Next.js WebSocket upgrade path forwards the Host header to an internal service without validation — attacker can redire…
CRITICAL
Prototype Pollution / Sandbox Escape in vm2
vm2's object-bridge between guest and host pollutes Object.prototype via __proto__ in certain assignment patterns — att…