Live · 394 scans completed · OWASP-aligned · framework-aware

Find what your AI didn't.
The security scanner for vibe-coded apps.

Lovable, Cursor, bolt.new, v0 and Claude Code ship fast — and skip security. 45% of AI-generated code has a vulnerability. vibeAudit launches real attacks against your live URL, chains them adaptively across 5 rounds, and hands back copy-paste fixes.

vibeaudit / scan
Paste your app's URL above. We run a 5-round adaptive scan using a real headless browser — no source code needed.
Read-only · never modifies data · no source code needed · refund if we find nothing
Forensic note · 001

46 production apps · 100% vulnerable · 254 critical findings.

We ran vibeAudit against 46 apps shipped on Lovable, Bolt, Cursor and v0. Zero were clean. Most criticals were fixed in a single copy-paste. Read the data →

What we look for
RLS leaks
Supabase · any table
Exposed secrets
Stripe · OpenAI · AWS
Auth bypass
API routes · IDOR
Fix code
Copy-paste ready
→ loads supabase_rules, nextjs_rules, clerk_rules, 7 more
Pricing preview
$4.99
deep scan · 5 rounds
vs.
$5,000
traditional pentest
Live feed · anonymized

What we've been finding this week.

Rolling feed of real findings from production scans. Targets redacted; severity and class are real.
Time | Severity | Finding | Target | CVSS | Fix
T-4d | High | Missing Content-Security-Policy (CSP) | redacted-864.com | | patch available ↗
T-7d | High | Form Missing CSRF Token on / (2 instances) | redacted-147.cz | 4.3 | patch available ↗
T-7d | High | Missing Content-Security-Policy (CSP) | redacted-694.cz | | patch available ↗
T-18d | High | Missing Content-Security-Policy (CSP) | redacted-371.com | | patch available ↗
T-19d | Critical | Scan incomplete — target was not reachable from our scanner | redacted-225.app | | patch available ↗
T-19d | Medium | Missing HSTS Header | redacted-788.com | | patch available ↗
T-21d | High | Form Missing CSRF Token on / | redacted-059.hr | 4.3 | patch available ↗
T-21d | Medium | Missing X-Frame-Options Header | redacted-044.com | 4.3 | patch available ↗
+ 394 scans total · see the full research →
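The four finding classes in the feed (missing CSP, missing HSTS, missing X-Frame-Options, and POST forms without a CSRF token) are all decidable from a single page response. The block below is an added example, not vibeAudit's scanner code: it runs those checks over a constructed HTML response so you can verify your own app's output before a scan. The CSRF field-name hints, the sample URL and the sample headers are assumptions for the example; the check also skips the X-Frame-Options finding when CSP already sets frame-ancestors, and skips HSTS on plain-HTTP URLs, two caveats a header-only checker gets wrong.

```python
from html.parser import HTMLParser

# Assumed list of field names that framework CSRF helpers usually emit.
CSRF_FIELD_HINTS = ("csrf", "_token", "authenticity_token", "xsrf",
                    "__requestverificationtoken")


class FormCollector(HTMLParser):
    """Collect each <form> with its method and the names of its hidden inputs."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "", "hidden": []}
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and (a.get("type") or "").lower() == "hidden"):
            self._current["hidden"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def has_csrf_token(form):
    """True if any hidden input name looks like a CSRF token field."""
    return any(any(hint in name for hint in CSRF_FIELD_HINTS) for name in form["hidden"])


def audit_response(url, headers, body):
    """Return (severity, finding) pairs for one page, in the feed's own classes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("High", "Missing Content-Security-Policy (CSP)"))
    # HSTS is only meaningful on an HTTPS origin.
    if url.startswith("https://") and "strict-transport-security" not in h:
        findings.append(("Medium", "Missing HSTS Header"))
    # X-Frame-Options is redundant once CSP sets frame-ancestors.
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append(("Medium", "Missing X-Frame-Options Header"))
    parser = FormCollector()
    parser.feed(body)
    # Only state-changing (POST) forms need a token; GET search forms do not.
    unprotected = [f for f in parser.forms if f["method"] == "post" and not has_csrf_token(f)]
    if unprotected:
        parts = url.split("://", 1)[-1].split("/", 1)
        path = "/" + parts[1] if len(parts) == 2 else "/"
        n = len(unprotected)
        findings.append(("High", f"Form Missing CSRF Token on {path}"
                         + (f" ({n} instances)" if n > 1 else "")))
    return findings


# Constructed sample response from a hypothetical app (not real scan data).
SAMPLE_URL = "https://example.invalid/"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Server": "constructed"}
SAMPLE_BODY = """
<html><body>
<form method="post" action="/login"><input name="email"><input type="password" name="pw"></form>
<form method="POST" action="/subscribe"><input name="email"></form>
<form method="post" action="/comment"><input type="hidden" name="_csrf" value="x"><textarea name="c"></textarea></form>
<form action="/search"><input name="q"></form>
</body></html>"""

# Constructed hardened header set for the same page.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}

if __name__ == "__main__":
    for sev, text in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{sev:<7} {text}")
```

Run against the constructed sample, the weak header set yields all four classes, with the CSRF finding reported once as "(2 instances)" because the login and subscribe forms share the path, exactly how the feed rows above collapse repeats; with the hardened headers only the CSRF finding remains, since a header fix does not touch the forms.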
The patient log · April 2026

We scanned 46 AI-built apps. The numbers.

All apps were shipped in the previous 60 days on Lovable, Bolt, Cursor or v0. Targets notified via responsible disclosure. Full methodology at /research.
Critical findings
254 across 46 apps
Apps with at least one critical-severity vulnerability: 100%. Most common: Supabase RLS disabled, leaked anon-keys with write scope, auth middleware skipping entire route trees.
Total vulnerabilities
1,232
Across severities. Avg 26 findings per app. Lovable apps averaged 8 criticals each — 2.4x the Bolt baseline.
Average time to fix
4 min
Most findings are one ALTER TABLE or one middleware config away. Every finding ships with copy-paste code.
The method

Not a checklist. An adaptive loop.

Every cycle's findings feed the next cycle's strategy. Like a pentester probing from a new angle after each failed door.

Static scanners run the same 30 checks on every app. They miss the specific thing wrong with your app because they've never heard of your stack's combination of Supabase + Clerk + a hand-rolled middleware.

vibeAudit's autoresearch loop re-plans each round. A leaked anon-key in round 1 becomes "now test every table that key unlocks" in round 2. An open IDOR in round 3 becomes "now enumerate every /api/*/:id route" in round 4.

001 · Editable strategy
Hypotheses, focus areas, and chain triggers all mutate each cycle based on what worked.

002 · Severity-weighted metric
One scalar score drives every branching decision — no arbitrary priorities.

003 · Time-boxed with early stop
Per-test budget enforced; stops when the score plateaus. No wasted rounds.

CYCLE 03
01 Scan · Parallel surfaces
02 Dedup · Exact + group
03 Track · Hypothesis results
04 Chain · A → B detection
05 Hypothesize · AI proposes next
06 Decide · Continue or stop
Framework-aware

Generic scanners can't test what they don't understand.

vibeAudit auto-detects your stack on the first request and loads framework-specific rulesets.
Stack | vibeAudit tests | Others
Supabase | RLS bypass · anon-key privilege audit · storage ACL checks · service_role leak detection | ···
Firebase | Realtime rules fuzzing · Firestore public-read detection · admin key scanning | ···
Next.js | Server-Component data leak · API route auth bypass · env-var exposure · middleware skip (CVE-2025-29927) | partial
GraphQL | Introspection · depth bomb · batch attack · unauth mutation · field-level perms | partial
Clerk / Auth0 | Secret-key exposure · session fixation · missing auth middleware on protected routes | ···
Prisma / Drizzle | Raw-query SQL injection · ORM-specific bypass via $queryRaw and tagged templates | ···
Vercel / Netlify edge | Preview deployment leaks · env on public build · serverless timeout DoS | ···
Generic (any stack) | OWASP Top 10 · 43 XSS payloads · IDOR across users · JWT alg-switch · CORS · headers · 30+ more | yes
Sample report · anonymized

Every finding ships with the fix.

Plain-English explanation · framework-specific patch · CVSS score · compliance mapping · reproduction steps.
critical · sample finding_id · f_9a4c01

Supabase Row Level Security disabled on user_profiles

Any request holding your public anon-key can read and modify every row in user_profiles via the REST API — including email, phone, stripe_customer_id and address fields for all your users. Discovered via unauthenticated GET to /rest/v1/user_profiles?select=*.

CVSS 3.1
9.1 · Critical
Confidence
99%
Compliance
GDPR · SOC 2
before — vulnerable
-- RLS is not enabled on the table
CREATE TABLE user_profiles (
  id uuid PRIMARY KEY,
  email text,
  stripe_customer_id text,
  address jsonb
);
after — copy / paste
ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY;

-- With RLS on and no other policy, the anon and authenticated roles get no
-- INSERT/UPDATE/DELETE access at all; add one policy per operation you need.
CREATE POLICY "users read own profile"
ON user_profiles FOR SELECT
USING (auth.uid() = id);
critical · sample finding_id · f_9a4c02

Clerk publishable-key bundled with secret-key in client JS

We pulled /_next/static/chunks/page.js and grepped the bundle: the live production secret key was hard-coded next to the publishable key. Any site visitor can exfiltrate it and mint sessions as any of your users.

CVSS 3.1
9.8 · Critical
Confidence
100%
Compliance
PCI DSS · SOC 2
before — shipped to browser
// app/layout.tsx  — client component
const clerk = new Clerk({
  publishableKey: "pk_live_•••",
  secretKey: "sk_live_•••"  // never in client
});
after — server-only
// app/api/session/route.ts  — server; the secret key is read from env, never bundled
import { NextRequest, NextResponse } from "next/server";
import { clerkClient } from "@clerk/nextjs/server";

export async function GET(req: NextRequest) {
  // cookies.get() returns { name, value }; the SDK wants the raw token string
  const token = req.cookies.get("__session")?.value ?? "";
  const session = await clerkClient.sessions
    .verifyToken(token);
  return NextResponse.json({ ok: Boolean(session) });
}
Samples anonymized from real production scans · see 8 more disclosed cases →
Pricing · launch tier

Cheaper than one false alarm from your pentester.

Every plan comes with a "found nothing" refund.
Free · try it
$0 / scan
share on X to unlock all findings
  • 1 attack round (of 5)
  • 15 tests (of 40+)
  • Total issue count revealed
  • Severity + fix locked
  • No AI chain discovery
Start free →
Pro · monthly
$19 / mo (was $29)
50 deep scans · $0.38 effective
  • Everything in Deep Scan
  • Scan history dashboard
  • Rescan for free (30-day window)
  • Slack webhook notifications
  • Authenticated scans (2-user IDOR)
Subscribe
Unlimited
$49 / mo
for agencies & platforms
  • Unlimited scans
  • API access (coming soon)
  • White-label reports (coming soon)
  • Priority support
  • First access to new rulesets
Subscribe unlimited
Questions

Things people ask before running it.

Can't find your question? Email us — we answer within a day.

Why not just hire a pentester?

You should, eventually — but a human pentest costs $5,000–$50,000 and takes weeks. vibeAudit catches the obvious stuff (leaked keys, disabled RLS, missing middleware) in minutes for $4.99, so when you do hire a pentester, they can focus on the hard stuff that actually needs a human.

Is it safe to scan my production app?

Yes. Every test is read-only — we never POST, PUT, DELETE, or mutate data. We identify ourselves clearly in every request (User-Agent, custom header) so your rate limits and WAFs can whitelist us. We test from the outside, exactly like an attacker would, without touching your data.

Will I get false positives?

Rarely. We make real HTTP requests and analyze real responses — no guessing from source-code patterns. Every finding includes a confidence score, and anything below 70% is filtered out of the report. If you do hit one, reply to the report email and we refund the scan.

What frameworks do you support?

First-class support for Next.js, Supabase, Firebase, Clerk, Auth0, GraphQL, Prisma, Drizzle, Vercel Edge, Netlify Functions. Generic OWASP Top 10 tests work on any stack — Python, Go, Ruby, PHP, etc.

How long does a scan take?

Free scan: ~60 seconds (1 round, 15 tests). Deep scan: 3–8 minutes (5 adaptive rounds, 40+ tests). Authenticated scans add 2–4 minutes for login and crawl.

Do I need to give you source code?

No. vibeAudit only needs a live URL. We test your app from the outside, the same way a real attacker would. Your source code never leaves your machine. (Optional: point us at a public GitHub repo and we'll add SAST to the scan.)

What happens to my scan data?

Results are stored in your account dashboard, encrypted at rest. We never store credentials beyond the single scan session. You can delete any scan and all its data at any time from the dashboard.

Is the free scan actually useful?

If you have one big critical issue — leaked key, RLS off, middleware missing — the free scan will usually find it. If you want the full picture with fix code, the $4.99 deep scan is the right tool.

Point it at your app. Find what your AI missed.

scan in ~60s · no card for free · refund policy applies