SECURITY REPORT · 2026

WE SCANNED 600 NEW APPS.
100% HAD SECURITY HOLES.

Between April and July 2026, ScanMyVibe automatically security-scanned 600 apps the day they launched on Show HN — the indie and AI-built software the whole internet sees first. Not one of them was clean. Here is what we found.

600
APPS SCANNED
100%
HAD AT LEAST ONE ISSUE
38%
SHIPPED A CRITICAL
10.3
AVG ISSUES PER APP

THE FINDINGS

Across 600 freshly-launched apps we surfaced 6,191 security issues — an average of 10.3 per app. The average security score was 68.9/100, and half of all apps (49.8%) scored below 70.

More alarming than the volume is the severity: 38.3% of apps shipped with at least one critical vulnerability and 63.8% carried a high-severity issue — the classes that leak databases, expose secrets, or let anyone bypass your login. These aren't theoretical. They were live, on the public internet, on launch day.

It matches what the wider research has been screaming about AI-assisted development:

62%
of AI-generated code ships with vulnerabilities
OX Security, 2026
53%
of AI code contains security weaknesses
industry research, 2026
2,000+
vulnerabilities found across 5,600 vibe-coded apps
security research, 2025

When you ship an app from a prompt in an afternoon, security is the step that silently gets skipped. The tools optimize for "it works" — not "it's safe."

THE 6 THINGS AI-BUILT APPS GET WRONG

WHAT SCANMYVIBE CHECKS

01

Exposed secrets & API keys

Live keys, tokens and .env values shipped to the browser or committed to public builds.

02

Open databases

Supabase RLS disabled, Firebase rules wide open — anyone can read or write your data.

03

Broken auth & authorization

Auth silently weakened during AI iteration; endpoints anyone can call without a login.

04

Missing security headers

No CSP, HSTS or frame protection — the default state of most AI-scaffolded apps.

05

Injection & XSS

Unsanitized inputs and DOM sinks that hijack sessions or leak the database.

06

Unintended exposure

Reachable .git, source maps and admin/staging subdomains that map your whole stack.

METHODOLOGY

ScanMyVibe runs an automated daily job that scans new Show HN launches with its 150+ security checks across 16 modules. Figures above are computed from 600unique apps scanned between 19 Apr and 7 Jul 2026 (5 malformed records excluded). "Issue" = any finding of info severity or higher; "critical"/"high" follow CVSS bands. Show HN apps skew toward indie, early-stage and AI-assisted builds — the same profile as vibe-coded software.

IS YOURS IN THE 100%?

Scan your Lovable, Bolt, Cursor, v0 or Replit app in 30 seconds. Free, no signup — and get the AI fix prompt for every issue we find.

SCAN MY APP FREE
300+ CRITICAL ISSUES FOUND SO FAR · RESULTS IN ~20S