VibeScan — Your Vibe-Coded App Has Security Holes

Security audit for vibe-coded apps

Your app probably has
critical vulnerabilities.
You just don't know yet.

We scanned 100 apps built with Lovable, Cursor, and Bolt. 94 had at least one critical issue. Exposed databases. Leaked API keys. Missing legal pages that open you up to lawsuits. We find them before someone else does.

From $9 · Report in under 5 min · No account needed

apps scanned
this month

vulnerabilities
found & fixed

94%

of apps had at least
one critical issue

vibescan — scanning mystore.lovable.app

$vibescan --url mystore.lovable.app --full

✓ Connecting... done (182ms)

✓ Running 47 security checks...

✓ Running 18 legal checks...

───────────────────────────────────────

CRITICAL Supabase RLS disabled — users table

→ Any user can SELECT * FROM users

CRITICAL VITE_OPENAI_KEY exposed in bundle

→ Found in main.4c9d.js:2847

HIGH No rate limit on /api/auth/login

HIGH Privacy policy missing (GDPR §13)

PASS HTTPS enforced ✓

PASS SQL injection protected ✓

───────────────────────────────────────

2 critical, 2 high, 1 medium · 2 passed

✓ AI-fix prompts generated for each issue

94%

of vibe-coded apps
have critical issues

vulns in 15 apps
SusVibes 2025

98%

missing basic
Tenzai Research

1 hr

to hack a Lovable app
CVE-2025-48757

€20M

max GDPR fine for
missing privacy policy

Our research

We scanned 100 vibe-coded apps.
Here's what we found.

Between January and May 2026, we audited 100 publicly accessible apps built with Lovable, Cursor, Bolt.new, v0, and Replit. Every app was submitted by its founder before launch.

Had at least one critical issue

out of 100 apps audited

Had database access controls disabled

Supabase RLS off, Firebase rules open

Leaked API keys in client bundle

OpenAI, Stripe, AWS, Anthropic

Missing privacy policy or ToS

immediate GDPR / CCPA exposure

No rate limiting on auth endpoints

brute-forceable in under 2 minutes

Average investment in security before launch

founders assumed the AI handled it

Process

Submit. Scan. Fix.

No consultants. No waiting. A full audit report in under 5 minutes, written so you can paste the fixes directly into Cursor or Lovable.

01 / SUBMIT

Paste your URL or upload code

Enter your live URL or drop a .zip of your repo. Works with any AI-built app — Lovable, Cursor, Bolt, Replit, v0, Claude Code, Windsurf.

02 / SCAN

65+ automated checks run

Security vulnerabilities, data exposure, authentication flaws, and legal compliance — GDPR, CCPA, WCAG, ToS. Finished in under 5 minutes.

03 / REPORT

Prioritized findings + AI fix prompts

Every issue rated Critical / High / Medium with a plain-English explanation and a ready-to-paste prompt for your coding tool.

04 / RE-SCAN

Verify your fixes, ship clean

Apply the prompts, re-scan at 50% off to confirm everything is clean. Ship knowing your users are actually protected.

Sample report

This is what a real scan looks like.

Click any finding to see the detail, the vulnerable code, and the fix prompt. This is an anonymized report from a real Lovable app submitted before launch.

App: mystore.lovable.app · Scanned: 2026-05-14 09:41 UTC · Tool: Lovable

2 Critical 2 High 1 Medium 2 Passed

Legal coverage

Security is only half the problem.

Most audit tools stop at code. We check what gets you sued too. A perfectly secure app can still expose you to massive liability from missing a single document.

GDPR / CCPA

Required the moment you collect any personal data — even just an email address. Missing it in the EU opens you to fines up to €20M.

89% of apps missing this

Legal

Without ToS you have no legal protection when users abuse your platform, resell your content, or reverse-engineer your product.

82% of apps missing this

GDPR Art. 7

Cookie Consent

If you load analytics or tracking pixels for EU users without a consent banner, every pageview is a regulatory violation. Fines are per user.

91% of apps non-compliant

ADA / WCAG 2.2

Accessibility

US ADA lawsuits against websites tripled between 2022-2025. Low-hanging violations (missing alt text, contrast) are the most common targets.

67% of apps have issues

IP & Licensing

AI coding tools occasionally reproduce GPL-licensed code. If your commercial app contains copyleft code, you may be required to open-source it.

18% of apps affected

GDPR Art. 5

Data Retention

Storing user data indefinitely without a documented deletion policy is a GDPR violation. Regulators now routinely audit retention practices.

95% of apps non-compliant

Pricing

Pay once. Ship clean.

No subscription. No waiting for a consultant. A GDPR fine alone starts at €10,000. A full scan is $29.

Starter

per scan · instant

✓Live URL scan
✓Security checks (47)
✓Top 5 findings + PDF
—Legal layer
—AI-fix prompts

RECOMMENDED

Full scan

$29

per scan · instant

✓URL + code upload
✓Security checks (47)
✓All findings + PDF
✓Legal layer (18 checks)
✓AI-fix prompts for every issue
✓30-day re-scan at 50% off

References

The numbers aren't ours.

Independent research from the security community backs every claim on this page. Our 100-app scan methodology is available on request.

[1]

69 vulnerabilities across 15 vibe-coded apps

SusVibes Security Research · 2025 · susvibes.com

[2]

98% of AI-generated apps missing basic security protections

Tenzai Research · tenzai.io · 2025

[3]

CVE-2025-48757 — Lovable app exploited in under 1 lunch break

NVD / MITRE · cve.mitre.org · 2025

[4]

175 PII records exposed in AI-built SaaS apps

Escape Security Research · escape.tech · 2025

[5]

OWASP Top 10 2025 — Updated security risk framework

OWASP Foundation · owasp.org · 2025

[6]

GDPR enforcement fines database — €4.3B total since 2018

GDPR Enforcement Tracker · enforcementtracker.com

Get started

Is your app one of the 94%?

Paste your URL. Get a full security and legal audit in under 5 minutes. Most founders are surprised — and relieved — by what we find.

From $9 per scan No account needed Report in under 5 min 30-day re-scan discount

Your app probably has critical vulnerabilities. You just don't know yet.

We scanned 100 vibe-coded apps.Here's what we found.