Vibe coding security statistics
The numbers behind the security posture of vibe-coded applications — drawn from peer-reviewed research, verified CVE disclosures, and primary-source publications. Every data point on this page has a direct link to the original source. Cite freely.
Industry-wide research
AI-built apps with vulnerabilities
Peer-reviewed audit of vibe-coded applications: only 10.5% of apps in the study were secure.
Source: SusVibes (arXiv:2512.03262) · Dec 2025
Apps missing basic security controls
Tenzai's audit of popular AI coding agents found 98% of resulting apps shipped without basic security controls.
Source: Tenzai · 2025
PII records exposed in a single audit
Escape Security's methodology piece documented 175 personally identifiable records exposed across vibe-coded apps they scanned.
Source: Escape Security · 2025
Lovable RLS bypass disclosed May 2025
Affected 10.3% of analyzed Lovable apps — 303 endpoints across 170 projects out of 1,645. Allowed unauthenticated reads of arbitrary tables.
Source: Matt Palmer (statement on CVE-2025-48757) · May 2025
Stanford: AI-assisted code with vulnerabilities
Stanford controlled study found participants using AI coding assistants produced code with security vulnerabilities ~40% of the time on security-sensitive tasks — and believed the code was more secure than non-AI code.
Source: Stanford University (arXiv:2211.03622) · 2023
Statistics by platform
Verified funding, usage, and security data for each major vibe-coding platform. One page per platform — every claim linked.
Lovable statistics
$530M raised · $6.6B valuation · 8M users · CVE-2025-48757
Cursor statistics
$29.3B valuation · $2.3B Series D · rumored $60B xAI offer
Replit statistics
Replit Agent · $60B reported valuation · July 2025 database-deletion incident
Base44 statistics
$80M Wix acquisition · 6 months old · solo founder · 250K users
Bolt.new statistics
$40M ARR in 5 months · 5M signups · 1M DAU · $700M valuation
v0 statistics
Vercel parent at $9.3B · Webby Award 2025 · launched 2023
Claude Code statistics
Anthropic at $380B · Claude 4.6 · GA since May 2025
Primary research sources
SusVibes: Auditing the Security of Vibe-Coded Applications
arXiv preprint · 2025
Only 10.5% of vibe-coded apps studied were secure.
Bad Vibes: Comparing the Secure-Coding Capabilities of Popular AI Coding Agents
Tenzai · 2025
98% of AI-generated apps missing basic security controls.
Methodology: How We Discovered Vulnerabilities in Apps Built with Vibe Coding
Escape Security · 2025
175 PII records exposed in audited vibe-coded apps.
Statement on CVE-2025-48757
Matt Palmer · 2025
RLS bypass affecting 10.3% of analyzed Lovable apps (303 endpoints / 170 projects / 1,645 analyzed).
Do Users Write More Insecure Code with AI Assistants?
Stanford University (arXiv:2211.03622) · 2023
Developers using AI assistants wrote significantly less secure code while believing their code was more secure.
Methodology & sourcing
Every figure on this page comes from a publicly citable source with a direct link. We exclude any statistic we can't trace back to a primary publication — even widely repeated numbers — because if a source can't be verified, it shouldn't be cited.
SusVibes (arXiv:2512.03262): Peer-reviewed audit study of vibe-coded applications. Sample size and methodology are documented in the paper.
Tenzai: Comparative audit of popular AI coding agents including Lovable, Bolt.new, Cursor, Replit, v0, and Claude. Methodology described in the linked write-up.
Escape Security: Live application scanning of deployed vibe-coded apps. Methodology piece linked above.
Stanford (arXiv:2211.03622): Controlled experiment with developers performing security-sensitive coding tasks with and without AI assistance.
CVE-2025-48757: Coordinated disclosure by Matt Palmer affecting Lovable apps using Supabase RLS.
Scan your app
VAS scans your live vibe-coded app for the issues this research describes — exposed keys, missing RLS, broken auth — and gives you copy-paste fixes for your AI tool.