I audited 50 Lovable / v0 / Bolt / Cursor / Claude Code apps over the last few months. Some were friends' side projects, some were YC-backed startups, some were 24-hour hackathon submissions that made it to production anyway. Same five bugs in nearly every one.

This post is the writeup. Concrete grep commands, real CVEs, what to actually fix.

If you want the kit at the end of the post: it's $10, 50 skills. https://rishabhvaai.gumroad.com/l/plddbd . Or skip it, this writeup has the patterns.

Bug 1, Disabled Supabase Row-Level Security (44 of 50 apps)

70% of audited Lovable apps had RLS completely off. The Lovable RLS CVE (CVE-2025-48757, CVSS 9.3, March 2025) hit 170+ production apps in a single weekend. Lovable EdTech, exposed 18,697 student records, 4,538 of them UC Berkeley and UC Davis. Inverted auth check on top: anonymous users got full read access, authenticated users got blocked.…
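
A database-side check for both problems in Bug 1, as an added example (not code from the original post or from any audited app). The table `student_records`, its columns and the policy names are constructed for illustration; `auth.uid()` is Supabase's helper, so run this in the Supabase SQL editor against a scratch project.

```sql
-- Constructed table for illustration (name and columns are assumptions).
CREATE TABLE public.student_records (
  id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  owner_id  uuid NOT NULL,
  full_name text NOT NULL
);

-- Audit 1: tables in the API-exposed schema with RLS switched off.
-- Any row returned is readable through the anon key, subject only to grants.
SELECT n.nspname             AS schema_name,
       c.relname             AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND n.nspname = 'public'
  AND NOT c.relrowsecurity;

-- Turning RLS on with no policy denies every non-owner role by default.
ALTER TABLE public.student_records ENABLE ROW LEVEL SECURITY;

-- Weak (constructed): the inverted check. auth.uid() is NULL for the anon
-- role, so anonymous callers match every row and signed-in users match none.
CREATE POLICY read_records_inverted ON public.student_records
  FOR SELECT
  USING (auth.uid() IS NULL);

-- Corrected: only signed-in users, and only rows they own.
DROP POLICY read_records_inverted ON public.student_records;
CREATE POLICY read_own_records ON public.student_records
  FOR SELECT
  TO authenticated
  USING (auth.uid() = owner_id);

-- Audit 2: policies worth a manual look. Flags anything granted to anon or
-- PUBLIC, an unconditional USING (true), or a predicate testing for NULL.
SELECT schemaname, tablename, policyname, roles, cmd, qual
FROM pg_policies
WHERE schemaname = 'public'
  AND (roles && ARRAY['anon', 'public']::name[]
       OR qual = 'true'
       OR qual ILIKE '%is null%');
```

Audit 2 is a heuristic that narrows the review list; each flagged policy still needs to be read against what the table holds.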