Vibe Coding Security: 69 Vulnerabilities Found in AI-Generated Apps — Is Yours Safe?

via Dev.to, by Hari Prakash

Vibe coding security risks are no longer theoretical. A December 2025 study by Tenzai tested 15 applications built by the five most popular AI coding tools — Cursor, Claude Code, Replit, Devin, and OpenAI Codex — and found 69 security vulnerabilities across them. Every single tool introduced Server-Side Request Forgery. Zero of the 15 apps had CSRF protection. Zero set any security headers. If you shipped a vibe-coded app to production this year, there is a near-certain chance it has exploitable holes right now.

I have been building developer tools at PinusX for a while now, and the volume of insecure AI-generated code I see passing through our VibeScan security scanner has tripled in the last six months. This is not a niche problem anymore. This is the default state of how software gets built in 2026.

The Tenzai Study: 69 Vulnerabilities Across 5 AI Coding Tools

The research methodology was straightforward. Tenzai asked each of the five major AI coding tools to build three web applica
