Been building with Cursor and Bolt lately like a lot of people here.
Started wondering — is the code these tools generate actually secure?
So I dug into it.
Turns out the numbers are bad:
- 45% of AI-generated code has OWASP Top 10 vulnerabilities (Veracode)
- 65% of vibe-coded apps have security issues (Escape.tech, 1400+ apps)
- 35 CVEs in a single month attributed to AI-generated code (March 2026)
Patterns I kept seeing in AI-generated code:
- Hardcoded API keys and Supabase service keys
- RLS disabled on Supabase tables
- Hallucinated npm packages that don't exist
- Wildcard CORS in backends
- eval() calls with dynamic values
So I scanned my own projects. Found 4 vulnerabilities in my own LLM eval platform that's already live:
- 3 eval() XSS risks in frontend
- Wildcard CORS in Flask backend
Built an open source CLI to automate this scan for anyone:
pip install vibesec
vibesec scan ./your-project
Full writeup: https://medium.com/@ayushiskhati305/i-built-a-security-scanner-for-ai-generated-code-then-found-vulnerabilities-in-my-own-projects-82974fc97e43
Repo: github.com/AyushkhatiDev/vibesec
Curious what others find when they scan their Cursor projects —
anyone else checked their AI-generated code?
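For anyone who wants to see what a grep-style check for the patterns in this post actually looks like, here is a small added example. It is not the vibesec tool's code and not the author's; it is a stand-alone scanner that flags four of the smells listed above (hardcoded secret-looking keys, wildcard CORS, RLS disabled in SQL, and eval()/exec() on a non-literal argument) over constructed sample sources. The sample snippets, rule names and the hardened Flask version are all made up for illustration; the regexes are heuristics and will miss anything that does not match them.

```python
"""Minimal pattern scanner for common vibe-coding smells (added example).

Findings are (line number, rule id, offending line) tuples. The Python
eval()/exec() check walks the AST so a string-literal argument is not
flagged; JS/TS sources get a regex with the same intent.
"""
import ast
import re
from typing import List, Pattern, Tuple

Finding = Tuple[int, str, str]
Rule = Tuple[str, Pattern[str]]

TEXT_RULES: List[Rule] = [
    # A long opaque value assigned to a key/secret/token-looking name.
    ("hardcoded-secret", re.compile(
        r"""(?i)(api[_-]?key|secret|service[_-]?role[_-]?key|token)\s*[:=]\s*["'][A-Za-z0-9_.\-]{20,}["']""")),
    # Raw header with "*", an explicit "*" origin, or Express cors() with no
    # options (which defaults to every origin).
    ("wildcard-cors", re.compile(
        r"""(?i)Access-Control-Allow-Origin["']?\s*[:,]\s*["']\*["']|origins?\s*[=:]\s*["']\*["']|\bcors\(\s*\)""")),
    # flask-cors CORS(app) with no arguments also defaults to every origin.
    ("wildcard-cors", re.compile(r"\bCORS\(\s*\w+\s*\)")),
    # Supabase/Postgres migration that turns RLS off for a table.
    ("rls-disabled", re.compile(r"(?i)disable\s+row\s+level\s+security")),
]
# eval( with a first argument that is not a string literal (JS/TS sources).
JS_EVAL_RULE: Rule = ("eval-dynamic", re.compile(r"""\beval\s*\(\s*(?!["'])[^)]+\)"""))


def scan_text(source: str, rules: List[Rule]) -> List[Finding]:
    """Apply each regex rule to each line; one finding per rule per line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in rules:
            if pattern.search(line):
                findings.append((lineno, rule_id, line.strip()))
    return findings


def scan_python_eval(source: str) -> List[Finding]:
    """Flag eval()/exec() calls whose first argument is not a constant."""
    findings: List[Finding] = []
    lines = source.splitlines()
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("eval", "exec") and node.args
                and not isinstance(node.args[0], ast.Constant)):
            findings.append((node.lineno, "eval-dynamic", lines[node.lineno - 1].strip()))
    return findings


def scan(source: str, lang: str) -> List[Finding]:
    """Run the rules that apply to `lang` ('python', 'js' or 'sql')."""
    findings = scan_text(source, TEXT_RULES)
    if lang == "python":
        findings += scan_python_eval(source)
    elif lang == "js":
        findings += scan_text(source, [JS_EVAL_RULE])
    return sorted(findings)


# Constructed samples (not real projects) showing the patterns.
JS_SAMPLE = """\
const SUPABASE_SERVICE_ROLE_KEY = "sbp_0123456789abcdef0123456789abcdef";
app.use(cors());
res.setHeader("Access-Control-Allow-Origin", "*");
const result = eval(req.query.expr);
const two = eval("1+1");
"""

PY_SAMPLE = """\
from flask import Flask, request
from flask_cors import CORS
app = Flask(__name__)
CORS(app)
SUPABASE_SERVICE_ROLE_KEY = "sbp_0123456789abcdef0123456789abcdef"
@app.route("/calc")
def calc():
    return str(eval(request.args.get("expr")))
DEFAULT_LIMIT = eval("10 * 2")
"""

SQL_SAMPLE = "alter table public.profiles disable row level security;\n"

# Hardened version of PY_SAMPLE: explicit origin allow-list, key from the
# environment, literal parsing instead of code execution. Should be clean.
HARDENED_PY = """\
import os
import ast
from flask import Flask, request
from flask_cors import CORS
app = Flask(__name__)
CORS(app, origins=["https://app.example"])
SERVICE_KEY = os.environ["SUPABASE_SERVICE_ROLE_KEY"]
@app.route("/calc")
def calc():
    return str(ast.literal_eval(request.args["expr"]))
"""

if __name__ == "__main__":
    for name, src, lang in [("js", JS_SAMPLE, "js"), ("py", PY_SAMPLE, "python"),
                            ("sql", SQL_SAMPLE, "sql"), ("hardened", HARDENED_PY, "python")]:
        for lineno, rule, text in scan(src, lang):
            print(f"{name}:{lineno}: {rule}: {text}")
```

Running it prints one line per finding for the three vulnerable samples and nothing for the hardened one. Hallucinated npm packages are not covered because confirming that a package exists needs a registry lookup, which this offline example deliberately avoids.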