
The State of Vibe-Coded Web Security

What 827 production websites reveal about AI-built code

UNPWNED continuously scans production websites and classifies each one as AI-built, modern stack, or traditional. This page aggregates the results: one row per domain, latest scan only, continuously updated. No individual site is ever identified.

18% of AI-built sites expose secrets (3.8x the rate of traditional sites, 4.8%)
15% ship a critical vulnerability (2.8x the rate of traditional sites, 5.3%)
87% have no Content-Security-Policy (vs 67% of traditional sites)
59% run on Supabase (one backend, one shared class of misconfigurations)
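"Exposing secrets" means a credential sitting in a shipped HTML or JS asset where any visitor can read it. The following added example (not UNPWNED's scanner; the three patterns, the severity rules and the constructed sample bundle are assumptions for illustration) shows the classification that matters for a Supabase-heavy population: a Supabase key is a JWT whose `role` claim is either `anon`, which is meant to be public and is only safe when Row Level Security is enabled on every table, or `service_role`, which bypasses RLS and is a critical exposure anywhere a browser can read it.

```python
"""Scan a shipped front-end asset (HTML or JS) for embedded credentials.

Added example, not UNPWNED's scanner. The three patterns, the severity
rules and the sample bundle below are assumptions for illustration.
"""
import base64
import json
import re

# JWT: three base64url segments; the header always starts with "eyJ" ('{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")
# Two other well-known shapes; a real scanner carries many more.
OTHER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims of a JWT, without signature verification.

    Verification is beside the point here: what matters is what the token
    claims to be, because that is what the backend grants if the signature
    checks out there.
    """
    try:
        return json.loads(_b64url_decode(token.split(".")[1]))
    except ValueError:
        return None


def classify_jwt(token):
    """Return (severity, note) for a JWT found in a client asset."""
    claims = jwt_claims(token) or {}
    # Supabase keys are JWTs with iss=supabase and role=anon|service_role.
    # anon is public by design and gated by Row Level Security;
    # service_role bypasses RLS and must never reach a browser.
    if claims.get("iss") == "supabase":
        role = claims.get("role")
        if role == "service_role":
            return "critical", "Supabase service_role key in client asset: bypasses RLS"
        if role == "anon":
            return "info", "Supabase anon key: expected in clients, verify RLS on every table"
    return "medium", "unclassified JWT embedded in client asset"


def redact(token):
    return token[:8] + "..." + token[-4:]


def scan_asset(text):
    """Return findings for one asset as dicts with kind, severity, note, token."""
    findings = []
    for m in JWT_RE.finditer(text):
        severity, note = classify_jwt(m.group(0))
        findings.append({"kind": "jwt", "severity": severity, "note": note,
                         "token": redact(m.group(0))})
    # Blank out the JWTs first so their base64 bodies cannot trip the other patterns.
    remainder = JWT_RE.sub(" ", text)
    for kind, pattern in OTHER_PATTERNS.items():
        for m in pattern.finditer(remainder):
            findings.append({"kind": kind, "severity": "critical",
                             "note": f"{kind} in client asset", "token": redact(m.group(0))})
    return findings


# Constructed sample input: the JWTs are unsigned fakes and the AWS id is
# AWS's own documentation example; none of these are real credentials.
def fake_jwt(claims):
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.{'x' * 43}"


ANON_KEY = fake_jwt({"iss": "supabase", "ref": "abc", "role": "anon"})
SERVICE_KEY = fake_jwt({"iss": "supabase", "ref": "abc", "role": "service_role"})
SAMPLE_BUNDLE = (
    'const supabase = createClient("https://abc.supabase.co", "' + ANON_KEY + '");\n'
    '// the admin client was pasted in alongside it\n'
    'const admin = createClient("https://abc.supabase.co", "' + SERVICE_KEY + '");\n'
    'const s3 = new S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE" });\n'
)

if __name__ == "__main__":
    for f in scan_asset(SAMPLE_BUNDLE):
        print(f["severity"].upper().ljust(8), f["kind"], f["note"], f["token"])
```

Run it against the JS bundles your build emits (for example everything under `.next/static` or `dist/assets`), not just the HTML: builders that inline environment variables at build time put the key in the bundle, and a key with a `NEXT_PUBLIC_` or `VITE_` prefix is shipped on purpose, so the question to ask is whether the value behind that prefix is the anon key or the service key.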

The Average Hides the Damage

On mean security score, AI-built and traditional sites look almost identical (71.3 vs 71.6). The difference is in the tail: AI-built sites fail catastrophically far more often. Same average, very different worst case.

SECURITY BY STACK ORIGIN

Stack        | Examples                        | Sites | Avg score | Exposing secrets | With critical | No CSP
AI-Built     | Lovable, Base44, Bolt, V0       |   100 |      71.3 |              18% |           15% |    87%
Modern Stack | Next.js, React, Vercel, Netlify |   190 |      77.2 |            12.1% |         12.6% |  61.6%
Traditional  | WordPress, PHP, Magento         |   208 |      71.6 |             4.8% |          5.3% |  67.3%

The three groups cover 498 of the 827 sites; the remainder carry no reliable stack signal and are excluded from comparisons (see Methodology).

Which Platforms We Detect in the Wild

Detected via deterministic fingerprints (hostname patterns and HTML/header markers), never self-reported. Platforms with fewer than 5 detected sites are not shown.

Lovable
36 sites
Base44
13 sites

Security Score Distribution

All 827 sites in the research population, scored 0 (worst) to 100 (best). Score band: number of sites.

0-9: 1
10-19: 1
20-29: 1
30-39: 16
40-49: 56
50-59: 73
60-69: 189
70-79: 173
80-89: 206
90-100: 111

The Gaps Are Everywhere

69% have no CSP (n=827)
61% have no DMARC (n=827)
91% have no DNSSEC (n=827)
72% have no rate limiting, of sites with public APIs (n=278)
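Two of the four gaps above can be checked from data a single page fetch and a single DNS lookup already give you: the response headers for CSP, and the TXT record at `_dmarc.<domain>` for DMARC. The following is an added example with constructed inputs, not UNPWNED's scoring code; the rule set is this example's own, and it goes slightly beyond presence/absence by flagging the configurations that are present but ineffective (an `'unsafe-inline'` script policy with no nonce, a DMARC record with `p=none`). DNSSEC and rate limiting are not covered because both need live queries (DS/RRSIG lookups, repeated requests watching for 429).

```python
"""Check CSP and DMARC posture from a header dict and a list of TXT records.

Added example with constructed inputs, not UNPWNED's scoring code;
the rule set below is this example's own.
"""
import re

NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}.
    Per spec, when a directive is repeated the first occurrence wins."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def check_csp(headers):
    """Return issues with the script policy; [] means scripts are restricted."""
    lower = {k.lower(): v for k, v in headers.items()}
    value = lower.get("content-security-policy")
    if value is None:
        # Content-Security-Policy-Report-Only on its own enforces nothing.
        return ["no Content-Security-Policy header"]
    d = parse_csp(value)
    script_src = d.get("script-src", d.get("default-src"))
    if script_src is None:
        return ["neither script-src nor default-src: script loading is unrestricted"]
    issues = []
    # With a nonce or hash present, browsers ignore 'unsafe-inline' (CSP2).
    if "'unsafe-inline'" in script_src and not any(NONCE_OR_HASH.match(s) for s in script_src):
        issues.append("script-src allows 'unsafe-inline' with no nonce or hash")
    for src in script_src:
        if src in ("*", "data:", "http:", "https:"):
            issues.append(f"script-src permits {src}: any origin may serve scripts")
    return issues


def check_dmarc(txt_records):
    """txt_records: TXT strings published at _dmarc.<domain>. Returns issues."""
    records = [r.strip() for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return ["no DMARC record: spoofed mail is neither rejected nor reported"]
    if len(records) > 1:
        # RFC 7489 section 6.6.3: with more than one record, receivers apply no policy.
        return ["multiple DMARC records: receivers apply no policy"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    issues = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag: record is ignored")
    elif policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: failures are never reported to the domain owner")
    return issues


def posture(headers, dmarc_txt):
    """Summarise both checks for one site."""
    return {"csp": check_csp(headers), "dmarc": check_dmarc(dmarc_txt)}


# Constructed sample: a freshly scaffolded deployment (no CSP, no DMARC)
# next to a hardened one. Neither is a real site.
SCAFFOLDED = posture(
    {"Content-Type": "text/html", "X-Powered-By": "Next.js"},
    [],
)
HARDENED = posture(
    {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'"},
    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
)

if __name__ == "__main__":
    for name, result in (("scaffolded", SCAFFOLDED), ("hardened", HARDENED)):
        print(name, result)
```

In practice the header dict comes from the final response after redirects (a CSP set on the apex but not on the `www` host, or only on the HTML and not on error pages, counts as missing where it matters), and the TXT list comes from a DNS query for `_dmarc.<domain>`, not the apex.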

Methodology

Population: One row per domain. Only the most recent completed scan of each site counts, so rescans never inflate a statistic. Demo and internal test scans are excluded. Current population: 827 distinct production websites across 1,710 scans.

Classification: AI-Built means a specific builder was detected by deterministic fingerprints: hostname patterns (highest confidence) or HTML and response-header markers that survive custom domains. Modern Stack covers JS-era frameworks and hosting (Next.js, React, Vite, Vercel, Netlify) that could be either AI-assisted or hand-built. Traditional covers established platforms (WordPress, PHP, Magento, classic web servers). Sites with no reliable signal are excluded from comparisons rather than guessed.

Privacy: Aggregates only. No domain names, scores, or findings of individual sites are ever published. Comparison groups under 30 sites and platforms under 5 detections are hidden. Site owners can opt out of aggregate telemetry entirely.

Freshness: Numbers are recomputed from the live dataset and cached for one hour. Last generated: 2026-07-04. As the dataset grows, the numbers on this page update automatically.

Where Does Your Site Land?

Scan your site and see your score against this dataset. No signup, 60 seconds.


Building With AI?

The security checklist for vibe coders: ship fast without shipping your API keys.
