Lovable
The fastest idea-to-working-app path a non-coder can buy — treat every output as a first draft and budget a security review before real user data touches it.
Element scores
Strengths
Nothing gets a non-technical founder from plain-English prompt to a live full-stack app faster: Build mode autonomously edits, tests in-browser and self-verifies; Lovable Cloud bundles hosting, database, storage and an AI runtime with zero external accounts; MCP support runs in both directions (server + connectors); and the generated React/Supabase code exports cleanly to GitHub. Growth is real — $500M run rate and 1M projects/week by June 2026, with Uber, HubSpot and Microsoft teams among users.
Honest dings
Security is the defining risk: CVE-2025-48757 (RLS exposure across 170+ apps), a February 2026 single-app leak of 18,697 user records, and an April 2026 BOLA flaw left open 48 days after the bug report was closed unescalated — the company's first response was denial. Credit economics punish iteration: you pay to fix the AI's own mistakes in documented debugging loops, and metered Cloud/AI billing sits on top of the subscription. The complexity wall past prototypes is real, and it is greenfield-only.
Sources
Every audit lists the research it rests on — transparency and traceability are the product. Tools evolve: each audit is a snapshot of its audit date, and re-audits supersede older versions (kept below for reference).
- docs.lovable.dev/integrations/lovable-mcp-server — Official: Lovable as MCP server — external agents (ChatGPT, Claude, Cursor, VS Code) create, inspect and deploy Lovable projects (accessed 2026-07-10)
- docs.lovable.dev/integrations/mcp-servers — Official: chat connectors — prebuilt (Notion, Linear, Jira, Miro, n8n) and custom MCP servers on all plans (accessed 2026-07-10)
- docs.lovable.dev/changelog — Official changelog: Subagents (May 2026), Basic/Deep security scan profiles, AI-request debugging with token/cost visibility (June 2026) (accessed 2026-07-10)
- docs.lovable.dev/features/security — Official security docs: scan scopes, auto-fix of eligible RLS findings, security memory, publish-dialog gating (accessed 2026-07-10)
- forbes.com/sites/rashishrivastava/2026/06/05/ai-cod… — $400M ARR (Feb 2026), 8M users, $20M enterprise ARR, Uber/HubSpot/Microsoft usage; $12B round in talks (unconfirmed) (accessed 2026-07-10)
- googlecloudpresscorner.com/2026-06-03-Lovable-Expan… — Official (Google Cloud): 1M+ new projects per week, enterprise infrastructure expansion (03/06/2026) (accessed 2026-07-10)
- nvd.nist.gov/vuln/detail/CVE-2025-48757 — CVE record (CVSS 9.3, disputed by vendor): insufficient row-level security in Lovable-generated sites, 170+ apps / 303 endpoints exposed (accessed 2026-07-10)
- thenextweb.com/news/lovable-vibe-coding-security-cr… — April 2026 BOLA vulnerability open 48 days after closed bug report; company response cycled denial → deflection → partial apology (accessed 2026-07-10)
- theregister.com/software/2026/02/27/ai-built-app-on… — 18,697 user records exposed via one Lovable-hosted app: 16 vulnerabilities, 6 critical, inverted auth logic; Lovable CISO response (accessed 2026-07-10)
- eesel.ai/blog/lovable-pricing — Independent pricing verification: Free/Pro $25/Business $50, credit mechanics, separate Cloud billing layer, top-up behavior (accessed 2026-07-10)
- awesomeagents.ai/reviews/review-lovable — Independent 3-week hands-on review: credit-burning debug loops (14 credits on one Stripe fix), VibeScamming score 1.8/10, Supabase integration quality (accessed 2026-07-10)
- vibewrench.dev/security/lovable — Independent scan of 29 Lovable apps: avg security score 56/100, 86% missing CSRF protection, scanner checks RLS presence not correctness (accessed 2026-07-10)