Lovable
vLovable Agent (2026)Lovable AB
Leading prompt-to-app 'vibe coding' platform from Stockholm-based Lovable AB (ex GPT Engineer): natural language in, deployed full-stack web app out, with Supabase-backed Lovable Cloud. Launched Nov 2024; crossed $400M ARR in Feb 2026 with ~8M users ($330M Series B at $6.6B, Dec 2025). The epicenter of the vibe-coding security debate: its own posture is certified (SOC 2, ISO 27001), but apps it generates have repeatedly shipped without proper access controls.
Trust Vector Analysis
Dimension Breakdown
๐Performance & Reliability+
Assessment of prompt-to-working-app completion from adoption data and user reports; reliability drops on complex multi-service apps and long iterative sessions
Review of platform tool reliability across code generation, backend provisioning, and deployment
Evaluation of task decomposition and plan adherence on multi-feature builds
Review of project-scoped context, chat history, and knowledge persistence
Assessment of automatic error resolution behavior and documented failure loops from user reports
Review of multi-agent and team collaboration capabilities
๐ก๏ธSecurity+
Score the product two ways: Lovable's own corporate posture (SOC 2 Type II, ISO 27001, WAF, security scanning) is solid mid-tier; the systemic security of what it produces is the industry's cautionary tale (CVE-2025-48757, ~10% of scanned apps leaking data, phishing abuse at scale).
Security architecture review of the managed-cloud execution model; no user-machine exposure, but platform-side controls are the single boundary
Review of identity and org-level controls across plan tiers
Assessment of resistance to adversarial prompting and misuse, anchored on the published Guardio benchmark and Proofpoint reports of tens of thousands of Lovable-hosted phishing URLs monthly since Feb 2025
Review of platform tenant isolation (one confirmed 2026 exposure incident) plus the systemic isolation failure in generated apps (missing RLS); both directions weigh on this score
Source availability assessment; credit for full code export, none for the closed platform
๐Privacy & Compliance+
Review of retention practices and the 2026 incident's implications for stored prompt/chat data
Compliance documentation and certification assessment
Data flow analysis across model providers and backend subprocessors
Deployment options assessment
๐๏ธTrust & Transparency+
Transparency caveat: the April 2026 disclosure was mishandled at first (researcher's report dismissed as 'intentional behavior', HackerOne triage failure) before Lovable published a same-week postmortem admitting its response 'missed the mark' (lovable.dev/blog/our-response-to-the-april-2026-incident, 2026-04-22).
Documentation completeness review
Review of action visibility, code inspectability, and audit trail depth
Assessment of build rationale quality, considering the platform's non-developer audience
Open source assessment crediting OSS heritage and code ownership, not platform openness
Community engagement and release cadence analysis
โ๏ธOperational Excellence+
Onboarding and integration friction assessment
Platform scalability assessment; generated apps inherit Supabase scaling characteristics
Pricing model analysis; simple tiers offset by variable credit consumption and a second usage-based cloud billing layer
Monitoring and security posture visibility assessment
Vendor maturity versus output production-readiness assessment; company trajectory is excellent, generated-app readiness is the persistent gap
- +Fastest prompt-to-published-app experience in the category; 8M+ users and 25M+ projects validate the workflow
- +Lovable Cloud integrates Supabase database, auth, storage, and model access with zero setup
- +Certified corporate posture: SOC 2 Type I/II, ISO 27001:2022, GDPR DPA, public trust center
- +Meaningful security response since 2025: automatic pre-publish scans, Deep Security Scan with Auto-Fix, security memory, and dependency checks (June 2026)
- +Full code ownership and GitHub export prevent platform lock-in
- +Exceptional commercial trajectory: $400M ARR (Feb 2026) with 146 employees, $6.6B valuation (Dec 2025)
- !Systemic output-security problem: CVE-2025-48757 (missing Supabase RLS) exposed ~10.3% of 1,645 scanned apps, and the pattern persists across the vibe-coding ecosystem (cf. the unattributed Moltbook breach exposing 1.5M tokens)
- !Feb-Apr 2026 platform incident exposed public-project chat histories and source code; initial dismissal of the researcher's report damaged disclosure credibility
- !Guardio's VibeScamming benchmark (1.8/10) and Proofpoint data show the platform is heavily abused to generate and host phishing pages
- !Non-technical users cannot evaluate the security of what they ship; scanning helps but is not enforced remediation
- !Credit consumption is unpredictable on error-fix loops, plus a second usage-based cloud billing layer
- !Cloud-only, closed-source platform with limited enterprise controls below the $50/mo Business tier
Use Case Ratings
code generation
Category-defining for prompt-to-app prototypes and MVPs; not designed for existing codebases, and outputs need security review before production
content creation
Excellent for landing pages, marketing sites, and interactive content shipped directly to hosting
education
Free tier and instant results make it a popular way for non-programmers to learn product building, though it teaches little about the underlying code
data analysis
Can build dashboards backed by Supabase, but has no analytics tooling of its own and struggles with complex data workloads