GPT-5.6 (Sol / Terra / Luna) is now evaluated on TrustVector โ€” with day-1 independent verification, incl. METR's benchmark-cheating findings.

Read the evaluation
Evaluation record ยท lovable

Lovable

vLovable Agent (2026)

Lovable AB

Agentapp-buildervibe-codingno-codeproprietary
61
Adequate
About This Agent

Leading prompt-to-app 'vibe coding' platform from Stockholm-based Lovable AB (ex GPT Engineer): natural language in, deployed full-stack web app out, with Supabase-backed Lovable Cloud. Launched Nov 2024; crossed $400M ARR in Feb 2026 with ~8M users ($330M Series B at $6.6B, Dec 2025). The epicenter of the vibe-coding security debate: its own posture is certified (SOC 2, ISO 27001), but apps it generates have repeatedly shipped without proper access controls.

Last Evaluated: July 9, 2026
Official Website

Trust Vector Analysis

Dimension Breakdown

๐Ÿš€Performance & Reliability
+
task completion accuracy

Assessment of prompt-to-working-app completion from adoption data and user reports; reliability drops on complex multi-service apps and long iterative sessions

Evidence
TechCrunch - Lovable added $100M in revenue in a month โ€” 8M+ users shipping working apps at scale (25M+ projects, 1M+ new projects weekly by mid-2026) evidences strong completion on prototype- and MVP-class builds
mediumVerified: 2026-07-09
tool use reliability

Review of platform tool reliability across code generation, backend provisioning, and deployment

Evidence
Lovable Blog - Introducing Lovable Cloud and AI โ€” Lovable Cloud provisions Supabase-backed databases, auth, storage, and edge functions automatically; Lovable AI routes model calls without user API keys
mediumVerified: 2026-07-09
multi step planning

Evaluation of task decomposition and plan adherence on multi-feature builds

Evidence
Lovable Documentation โ€” Agent mode decomposes feature requests into multi-step build plans across frontend, backend, and integrations, though planning is shallower than spec-first tools
mediumVerified: 2026-07-09
memory persistence

Review of project-scoped context, chat history, and knowledge persistence

Evidence
Lovable Blog - How Lovable protects your apps automatically โ€” Project chat history and a 'security memory' of past findings persist per project; knowledge files carry conventions across sessions
mediumVerified: 2026-07-09
error recovery

Assessment of automatic error resolution behavior and documented failure loops from user reports

Evidence
Lovable Documentation โ€” 'Try to Fix' loops resolve many build errors automatically, but users commonly report credit-consuming fix loops on stubborn errors
mediumVerified: 2026-07-09
agent collaboration

Review of multi-agent and team collaboration capabilities

Evidence
Lovable Documentation โ€” Single-agent model per project with team collaboration features; no parallel multi-agent orchestration comparable to IDE-native agent platforms
lowVerified: 2026-07-09
๐Ÿ›ก๏ธSecurity
+

Score the product two ways: Lovable's own corporate posture (SOC 2 Type II, ISO 27001, WAF, security scanning) is solid mid-tier; the systemic security of what it produces is the industry's cautionary tale (CVE-2025-48757, ~10% of scanned apps leaking data, phishing abuse at scale).

tool sandboxing

Security architecture review of the managed-cloud execution model; no user-machine exposure, but platform-side controls are the single boundary

Evidence
Lovable Security โ€” Generation and hosting run entirely in Lovable's managed cloud (no local execution); Lovable Cloud is fronted by WAF controls, network isolation, encrypted storage, and adaptive rate limiting
mediumVerified: 2026-07-09
access control

Review of identity and org-level controls across plan tiers

Evidence
Lovable Pricing โ€” SSO and security-center features are gated to Business ($50/mo) and Enterprise tiers; SOC 2 Type II and ISO 27001:2022 certifications cover the platform's own controls
mediumVerified: 2026-07-09
prompt injection defense

Assessment of resistance to adversarial prompting and misuse, anchored on the published Guardio benchmark and Proofpoint reports of tens of thousands of Lovable-hosted phishing URLs monthly since Feb 2025

Evidence
The Hacker News - Guardio VibeScamming benchmark โ€” Guardio's VibeScamming benchmark scored Lovable 1.8/10 (worst of tested tools): it generated and auto-hosted working phishing pages with minimal jailbreaking, evidencing weak misuse and injection resistance
lowVerified: 2026-07-09
data isolation

Review of platform tenant isolation (one confirmed 2026 exposure incident) plus the systemic isolation failure in generated apps (missing RLS); both directions weigh on this score

Evidence
The Register - Lovable denies data leak, cites 'intentional behavior' โ€” A February 2026 backend regression exposed public-project chat histories, source code, and embedded credentials via a BOLA flaw until 2026-04-20; the researcher's report was initially dismissed as 'intentional behavior' before a fix shipped within hours of public disclosure
NVD - CVE-2025-48757 โ€” CVE-2025-48757: Lovable-generated apps shipped without Supabase Row Level Security; a scan of 1,645 apps found ~10.3% exposing sensitive data to unauthenticated requests. No platform patch, remediated via workarounds and later scanning
mediumVerified: 2026-07-09
open source transparency

Source availability assessment; credit for full code export, none for the closed platform

Evidence
Lovable โ€” Platform and agent are proprietary (the predecessor GPT Engineer was open source); generated app code is exportable to GitHub, which aids auditability of outputs but not of the platform
highVerified: 2026-07-09
๐Ÿ”’Privacy & Compliance
+
data retention

Review of retention practices and the 2026 incident's implications for stored prompt/chat data

Evidence
Lovable Privacy Policy โ€” GDPR-aligned privacy policy and DPA; the Feb-Apr 2026 exposure of public-project chat histories showed prompts/chat data are retained and were insufficiently protected until all public projects were converted private
mediumVerified: 2026-07-09
gdpr compliance

Compliance documentation and certification assessment

Evidence
Lovable Security โ€” SOC 2 Type I and Type II, ISO 27001:2022 certified (Aug 2025), GDPR DPA available, public trust center at trust.lovable.dev; EU (Swedish) company subject to GDPR natively
highVerified: 2026-07-09
third party data sharing

Data flow analysis across model providers and backend subprocessors

Evidence
Google Cloud Press Corner - Lovable expands collaboration โ€” Prompts and code are processed by Gemini (default via Lovable AI) and Anthropic Claude via Google Cloud/Vertex under Lovable's multi-year Google Cloud deal; app backends run on Supabase
mediumVerified: 2026-07-09
local deployment option

Deployment options assessment

Evidence
Lovable Documentation โ€” Fully hosted SaaS; no self-hosted or offline option. Code export to GitHub allows leaving the platform but not running it locally
highVerified: 2026-07-09
๐Ÿ‘๏ธTrust & Transparency
+

Transparency caveat: the April 2026 disclosure was mishandled at first (researcher's report dismissed as 'intentional behavior', HackerOne triage failure) before Lovable published a same-week postmortem admitting its response 'missed the mark' (lovable.dev/blog/our-response-to-the-april-2026-incident, 2026-04-22).

documentation quality

Documentation completeness review

Evidence
Lovable Documentation โ€” Well-organized docs covering features, security view, integrations, and a public changelog; security guidance for builders has expanded materially since 2025
highVerified: 2026-07-09
execution traceability

Review of action visibility, code inspectability, and audit trail depth

Evidence
Lovable Documentation - Project security view โ€” Chat history records agent actions per project, all generated code is inspectable/exportable, and the security view surfaces scan findings; there is no step-level tool-call audit trail comparable to agent IDEs
mediumVerified: 2026-07-09
decision explainability

Assessment of build rationale quality, considering the platform's non-developer audience

Evidence
Lovable Blog - How Lovable protects your apps automatically โ€” The agent narrates what it builds and the June 2026 security features explain findings and fixes, but architectural decisions are largely implicit for the non-technical target audience
mediumVerified: 2026-07-09
open source code

Open source assessment crediting OSS heritage and code ownership, not platform openness

Evidence
TechCrunch - Lovable becomes a unicorn โ€” Grew out of the open-source GPT Engineer project (50K+ GitHub stars), but the Lovable platform itself is closed source; users own and can export generated code
highVerified: 2026-07-09
community activity

Community engagement and release cadence analysis

Evidence
TechCrunch - Lovable added $100M in revenue in a month โ€” ~8M users, $400M ARR (Feb 2026), 25M+ projects, and one of the largest builder communities in AI; fast feature cadence through 2026
highVerified: 2026-07-09
โš™๏ธOperational Excellence
+
ease of integration

Onboarding and integration friction assessment

Evidence
Lovable โ€” Prompt-to-published-app in minutes with built-in hosting, auth, and database; the lowest barrier to entry of any evaluated agent, aimed at the 99% who cannot code
highVerified: 2026-07-09
scalability

Platform scalability assessment; generated apps inherit Supabase scaling characteristics

Evidence
Google Cloud Press Corner - Lovable expands collaboration โ€” Multi-year Google Cloud deal with a 5x infrastructure expansion; platform processes 1M+ new projects weekly and 600M monthly visits
mediumVerified: 2026-07-09
cost predictability

Pricing model analysis; simple tiers offset by variable credit consumption and a second usage-based cloud billing layer

Evidence
Lovable Pricing โ€” Free (5 daily credits, capped ~30/mo); Pro $25/mo for 100 credits; Business $50/mo; Enterprise custom. Credits per message are transparent, but fix-loops burn credits and a separate Lovable Cloud usage layer bills as apps scale
highVerified: 2026-07-09
monitoring capabilities

Monitoring and security posture visibility assessment

Evidence
Lovable Blog - How Lovable protects your apps automatically โ€” Automatic pre-publish security scan (10-15s), opt-in Deep Security Scan (2-4 min) with Auto-Fix, dependency checks, and a per-project security view; app-level operational observability remains thin
mediumVerified: 2026-07-09
production readiness

Vendor maturity versus output production-readiness assessment; company trajectory is excellent, generated-app readiness is the persistent gap

Evidence
TechCrunch - Vibe-coding startup Lovable raises $330M at a $6.6B valuation โ€” Strong vendor viability ($330M Series B at $6.6B closed 2025-12-18; $12B round in talks per Forbes 2026-06-05), but only ~$20M of ARR is enterprise, and generated apps routinely need security hardening before production use
mediumVerified: 2026-07-09
Strengths
  • +Fastest prompt-to-published-app experience in the category; 8M+ users and 25M+ projects validate the workflow
  • +Lovable Cloud integrates Supabase database, auth, storage, and model access with zero setup
  • +Certified corporate posture: SOC 2 Type I/II, ISO 27001:2022, GDPR DPA, public trust center
  • +Meaningful security response since 2025: automatic pre-publish scans, Deep Security Scan with Auto-Fix, security memory, and dependency checks (June 2026)
  • +Full code ownership and GitHub export prevent platform lock-in
  • +Exceptional commercial trajectory: $400M ARR (Feb 2026) with 146 employees, $6.6B valuation (Dec 2025)
Limitations
  • !Systemic output-security problem: CVE-2025-48757 (missing Supabase RLS) exposed ~10.3% of 1,645 scanned apps, and the pattern persists across the vibe-coding ecosystem (cf. the unattributed Moltbook breach exposing 1.5M tokens)
  • !Feb-Apr 2026 platform incident exposed public-project chat histories and source code; initial dismissal of the researcher's report damaged disclosure credibility
  • !Guardio's VibeScamming benchmark (1.8/10) and Proofpoint data show the platform is heavily abused to generate and host phishing pages
  • !Non-technical users cannot evaluate the security of what they ship; scanning helps but is not enforced remediation
  • !Credit consumption is unpredictable on error-fix loops, plus a second usage-based cloud billing layer
  • !Cloud-only, closed-source platform with limited enterprise controls below the $50/mo Business tier
Metadata
license: Proprietary (generated code owned by users, exportable to GitHub)
supported models
0: Google Gemini (default via Lovable AI, no user API keys)
1: Anthropic Claude via Google Cloud/Vertex partnership
programming languages
0: TypeScript/React frontends with Supabase (Postgres) backends
deployment type: Fully hosted SaaS (Lovable Cloud on Google Cloud + Supabase); one-click publish with custom domains
tool support
0: Supabase database, auth, and storage provisioning
1: Built-in hosting and publishing
2: GitHub two-way sync and code export
3: Security scanning (pre-publish + Deep Security Scan with Auto-Fix)
4: Figma import and visual edits
first release: November 2024 (evolved from the open-source GPT Engineer project)
pricing: Free (5 daily credits); Pro $25/mo (100 credits); Business $50/mo (SSO, security center); Enterprise custom; separate usage-based Lovable Cloud billing
company: Lovable AB (Stockholm; $200M Series A at $1.8B Jul 2025; $330M Series B at $6.6B closed 2025-12-18 led by CapitalG and Menlo; $400M ARR Feb 2026 with ~8M users and 146 employees; ~$12B round in talks as of Jun 2026)
security incidents: CVE-2025-48757 (generated apps missing Supabase RLS; disclosed 2025-05-29, no platform patch, mitigated via scanning/workarounds; CVSS scored 8.26-9.3 depending on source); Feb 3 - Apr 20, 2026 backend regression exposing public-project chat histories and source code (fixed within ~2h of public disclosure, postmortem 2026-04-22)

Use Case Ratings

code generation

Category-defining for prompt-to-app prototypes and MVPs; not designed for existing codebases, and outputs need security review before production

content creation

Excellent for landing pages, marketing sites, and interactive content shipped directly to hosting

education

Free tier and instant results make it a popular way for non-programmers to learn product building, though it teaches little about the underlying code

data analysis

Can build dashboards backed by Supabase, but has no analytics tooling of its own and struggles with complex data workloads