Post by Codynex


Researchers tested 15 apps built with Cursor, Claude Code, Replit, Devin & Codex. 69 vulnerabilities found. Zero had CSRF protection. Every single one introduced SSRF flaws.

That's Tenzai's December 2025 study, not a blog opinion. Controlled tests. Real apps. Real holes.

And that's before you look at the broader picture:

→ Escape.tech scanned 5,600 vibe-coded apps: 400+ exposed secrets, 175 instances of PII sitting in public endpoints
→ Carnegie Mellon found only 10.5% of AI-generated code is actually secure
→ Georgia Tech's Vibe Security Radar tracked CVEs caused by AI code tools: 6 in January 2026. 35 in March alone.

The tools aren't broken. They're just not optimised for security. AI coding agents are built to make the error go away, not to ask whether removing that auth check is a good idea.

The founder who shipped a full B2B SaaS on Lovable in a weekend? Wiz researchers later found 1.5 million exposed API tokens in his app. He hadn't written a single line of code himself.

That gap, between "it works" and "it's safe to ship", is where breaches live.

If you shipped your MVP with Lovable, Bolt, or Cursor in the last 90 days, drop a comment or DM us. We'll tell you the 3 things to check first, for free.

#vibecoding #codynex #lovable #saas #appsecurity
