I Scanned 100 Vibe-Coded Apps for Security. I Found 318 Vulnerabilities.

Source: Dev.to

In early March I scanned 100 apps built with Lovable, Bolt.new, Cursor, and v0.dev. I wasn’t looking for obscure zero‑days; I was looking for the basics—missing CSRF protection, exposed API keys, no authentication—the stuff that gets you hacked on day one.

65 % had security issues. 58 % had at least one CRITICAL vulnerability.

The Numbers

I ran automated security scans on 100 public GitHub repos built with AI coding tools. Here’s what I found:

Total vulnerabilities: 318 (89 CRITICAL)
Average Security Score: 65/100 — a D grade.

That might sound “okay” until you realize 65 % of apps scored below the passing threshold of 70, and nearly half (47 %) received a D.

Platform Breakdown

These scores reflect individual apps, not the platforms themselves. The tools generate what you ask for—security is on you.

Lovable apps were the most vulnerable—10 out of 38 had Supabase credentials exposed directly in their code.

The Scariest Find

One Lovable app had its Supabase keys—including the service‑role key—committed to the repo in a .env file. The service‑role key bypasses Row‑Level Security, allowing anyone to read every row in every table. The developer had no idea; Lovable didn’t warn them because it’s a code generator, not a security auditor.

Why This Happens

AI coding tools are incredible at generating working code, but “working” ≠ “secure.”
When you tell Lovable “connect to Supabase,” it generates code that queries the database. It works, but it might also commit the service key to source control because the AI optimizes for “make it work,” not “make it safe.”

This isn’t Lovable’s fault, nor Bolt’s, nor Cursor’s. They’re doing exactly what you asked—writing code that works. Nobody asked, “also make it secure.” The gap lies in the prompt.

The same pattern appears across Claude, ChatGPT, Copilot, and other AI code generators. I’ve built apps with Claude Code and found the same issues. It’s an industry‑wide problem, not a platform‑specific one.

What I Built

After seeing these results, I built VibeWrench—a tool that scans vibe‑coded apps for security holes, speed issues, SEO problems, and more. It’s designed for non‑programmers: instead of “Missing CSP header on response object,” it says “Your website doesn’t tell browsers to block suspicious scripts—like leaving your front door unlocked.”

For every problem it finds, VibeWrench provides a Fix Prompt—a copy‑paste prompt for Cursor or Claude that fixes the issue automatically.

Your first scan is free. No signup required.

What it checks (18 tools)

• Security: exposed keys, XSS, CSRF, missing auth, input validation, security headers
• Prompt Injection Scanner: tests your AI app’s system prompt against 10 attack categories (OWASP LLM01)
• Speed: Lighthouse analysis in plain English—why your site takes 8 seconds
• SEO: missing meta tags, no sitemap, “Vite App” as page title (63 % of vibe‑coded apps fail basic SEO)
• Accessibility: WCAG 2.1 compliance, missing alt tags, form labels
• Legal: GDPR‑ready privacy policy and terms (5 questions → done)
• And more: error translation, deploy guides, code explainer, cost forecasting…

The Uncomfortable Truth

If you built an app with AI and deployed it without a security check, you probably have at least three of the issues above. The average app had 3.2 findings. I’m not saying this to scare you (okay, maybe a little); I’m saying it because it’s fixable. In most cases, 10 minutes with the right prompts gets you clean.

Try it: — paste your GitHub URL or site URL, get results in 30 seconds.