Security Scan of 100 Vibe-Coded Apps Finds 318 Vulnerabilities With 58 Percent Having Critical Flaws
Apps built with Lovable, Bolt.new, Cursor, and v0.dev scored an average D grade on security basics
The study examined apps built with Lovable, Bolt.new, Cursor, and v0.dev, looking for basic security issues rather than obscure zero-days. The most common flaw was missing CSRF protection, found in 70 percent of apps. Exposed secrets and API keys appeared in 41 percent, while 21 percent had endpoints with no authentication at all.
Lovable-built apps fared worst with an average score of 58 out of 100 and 72 percent containing critical vulnerabilities. Cursor performed best at 75 out of 100, though half its apps still had issues. The overall average security score across all platforms was 65 out of 100 — a D grade.
The findings highlight a growing concern in the industry: AI coding tools make it trivially easy to build and deploy applications, but they consistently fail to implement security fundamentals. XSS vulnerabilities appeared in 18 percent of apps, and 12 percent had exposed Supabase credentials that could give attackers direct database access.
Analysis
Why This Matters
Vibe coding is putting production applications into the wild at unprecedented speed, but the security baseline of these apps is alarmingly low. As more developers without a security background use AI tools to ship products, the attack surface of the internet is expanding rapidly.
Background
Vibe coding — using AI tools to generate entire applications from natural language prompts — has exploded in popularity. Tools like Lovable and Bolt.new let users go from idea to deployed app in minutes, but security is rarely part of the prompt.
What to Watch
Whether AI coding platforms respond by building security checks into their generation pipelines, or whether the market decides that speed-to-deploy matters more than security fundamentals.