Security Scanner for Vercel / v0 Apps
We scanned 67 Vercel / v0 apps. 3.0% had critical vulnerabilities. Is yours secure?
67 apps scanned
2 with CRITs
3.0% CRIT rate
Top issue: Hardcoded API keys in JS bundles (27% of AI-generated apps)
What we check on Vercel / v0 apps
- Supabase RLS — extracts real table names from your JS bundle, tests each with the anon key
- API keys in bundles — OpenAI, Anthropic, Stripe, Google, AWS keys shipped client-side
- Authentication — IDOR, OAuth misconfig, session entropy, JWT weak secrets, auth bypass on API endpoints
- Mass assignment — signup privilege escalation (role=admin), PATCH/PUT field injection
- Payment security — Stripe/Paddle webhook signature bypass, unsigned event acceptance
- Injection — SQL injection (boolean + error-based), server-side template injection, XSS
- Infrastructure — exposed /.env, /.git, admin panels, internal API endpoints, subdomain takeover
- AI code quality — hallucinated functions, unsafe eval(), hardcoded credentials
- 80+ total modules — nuclei CVE templates, CORS, CSP bypass, PII exposure, and more
Try it free
Paste your Vercel / v0 app URL on our homepage for a quick 10-second scan. For the full 80-module audit, sign up — one free scan, no card.