The Security Scanner Blog

Findings, write-ups, and notes from scanning AI-built apps in the wild.

What we find when we point the scanner at apps built with Cursor, Lovable, Replit, Bolt, v0 — plus the occasional opinion on why it keeps happening.

Latest Findings May 6, 2026 · 5 min read

We scanned 5,850 web apps. 1,630 had critical issues. 855 of them have nowhere to receive a security report.

1,630 web apps have at least one critical or high-severity vulnerability. We tried to disclose every one of them. After exhausting Apollo, HTML scraping, WHOIS, DNS SOA, security.txt, and GitHub profile lookups, we can reach 775 owners. The other 855 are deployed on platforms that route the public to the app but hide the developer. There is no inbox to put a security report into.

Read the post →
Findings May 5, 2026

We probed 6,000 web apps for Stripe webhook signature checks. 1,542 don't bother.

A fake Stripe event in a curl one-liner. No Stripe-Signature header. 1,542 of the apps we scanned this week returned a 200. That means anyone can forge payment events on those endpoints. Here is what we found and the six-line fix.

6 min read
Research Apr 27, 2026

Your vibe-coded app is probably violating GDPR right now

We scanned 3,030 vibe-coded apps and found 120 with critical vulnerabilities. 92 had user data (names, emails, phone numbers) readable by anyone. Under GDPR, every one of these is a reportable data breach. Under CCPA, consumers can sue directly.

8 min read
Findings Apr 24, 2026

Beyond Supabase RLS: 5 other critical vulnerabilities we found in 1,000 vibe-coded apps

Supabase RLS is the headline, but it's not the only thing breaking. We found IDOR endpoints leaking health records, OpenAI keys burning money in public JS bundles, entire APIs with zero auth, and private key material shipped to production. Here are 5 non-RLS finding classes from our 1,000-app scan.

4 min read
Findings Apr 16, 2026

Lovable vs Bolt vs Replit: who's leaking the most Supabase data?

We scanned 1,750+ apps — 1,000+ vibe-coded across nine platforms, plus 200 YC companies as a control. Zero CRITs on YC. 53 CRITs on the vibe-coded side. Here's the per-platform breakdown.

5 min read
Case study Apr 12, 2026

When your Anthropic key leaks: a case study

We found a live Anthropic + OpenAI + Google key trio in the same JS bundle. Here's what it looked like, how we found it, and what happens next.

2 min read
Analysis Apr 7, 2026

Why Supabase RLS is the #1 vibe-coding mistake

One setting. Disabled by default. Exposes every user's data. Repeated across hundreds of apps. Here's why.

4 min read
Findings Apr 2, 2026

Top 5 security issues on Replit apps

Replit's quick-deploy is great. It also makes it really easy to ship your API keys to the internet.

3 min read
Findings Mar 29, 2026

Top 5 security issues we found on Lovable apps

We scanned ~50 published Lovable apps. About 1 in 5 of the Supabase-backed ones had at least one table readable by anyone. Here's the pattern.

3 min read
Product Mar 22, 2026

What Security Scanner actually does (and what it doesn't)

No marketing fluff — a direct walkthrough of every module we run.

4 min read
Product Mar 18, 2026

We're live: Security Scanner for the vibe-coding era

After months of scanning our own infrastructure and finding one hole too many, we're opening Security Scanner to everyone.

1 min read