380,000 vibe-coded apps found vulnerable · May 2026

Find the holes in your AI-built app before attackers do.

Paste your deployed URL. Get a plain-English security report with one-click fix prompts formatted for Lovable, Cursor, and Claude. Free for your first scan.

Add Supabase credentials
Don't skip this: Supabase RLS is the #1 vibe coding vulnerability. It affected 170+ Lovable apps.

We test tables with your anon key only. We never store your key beyond this scan.

Free · No account required · No code access needed

What we check

Exposed API Keys: OpenAI, Stripe, AWS, Anthropic and more — in your JS bundles
Supabase RLS: Row Level Security — the #1 vibe coding vulnerability
Source Map Exposure: Is your original source code readable in production?
Security Headers: Missing HTTP headers that protect against common attacks
CORS Misconfiguration: Wildcard policy that lets any website read your API responses
Admin Route Exposure: Unauthenticated access to /api/admin, /api/users, and more
HTTPS & Redirect: Does your app enforce HTTPS and redirect HTTP visitors?
Page Load Speed: Response time check — is your app fast enough to keep users?
robots.txt: Guides search engine crawlers away from private paths
Rate Limiting: Are your auth endpoints protected against brute-force attacks?
security.txt: Responsible disclosure contact for security researchers

380K+ vibe-coded apps found vulnerable by RedAccess scan
5,711 bugs found across 1,430 AI-built apps (vibe-eval)
170+ Lovable apps affected by the Supabase RLS CVE