I scanned 62 Lovable apps in early 2026.
63% had critical- or high-severity vulnerabilities. The average app had 10 findings.
These weren't obscure edge-case bugs. They were the same mistakes, over and over: exposed API keys, disabled row-level security, missing authentication on routes, no rate limiting on login endpoints.
The apps looked great. They worked perfectly. They were completely open to anyone who knew where to look.
This is the vibe coding security problem in one sentence: AI tools optimise for working, not safe. Those aren't the same thing.








