← Home
Report April 2026

State of Vibe-Coded Security

Q2 2026 — aggregate findings from 1,764 deployed apps built with AI coding tools.

1,764
Apps scanned
453
Critical findings
3325
High findings
53,145
Total findings
85
Apps with CRITs
2,039
Scan runs

Per-platform CRIT rate

PlatformScannedWith CRITRate
YC companies (W21–F25)20000%
Lovable476347.1%
Bolt.host289217.3%
Replit19442.1%
Vercel (v0/AI)6723.0%
Streamlit9000%
Other5335.7%

Finding breakdown

Top CRIT categories across all scans:

Methodology

Targets sourced from certificate transparency logs, Google search, and platform directories. All scans are read-only (GET + minimal POST probes). 50+ scanner modules per target. Every CRIT finding verified reproducible before disclosure. Private disclosures sent to all identifiable owners before publication.

Scanner: securityscanner.dev — open to anyone. One free scan, no card.

Detailed write-ups

This report is updated as we scan more apps. Data as of April 2026. Questions or corrections: [email protected].