Security2026-06-23 · source-backed
A systematic study confirms vibe-coded apps ship with security holes.
Story
"Understanding the (In)Security of Vibe-Coded Applications" finds that LLM-driven app generation routinely outpaces security review, leaving common vulnerability classes in shipped code. (arXiv) If you build with agents daily, this is the empirical version of a thing you already suspect. Functional acceptance is not a security pass. Pair it with the Thoughtworks data point that ~25% of AI-generated samples carry critical vulnerabilities, and the move is obvious: a mandatory security review step in your loop, not an optional one.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entity: LLM / Same source domain / Shared topic / Earlier coverage / Tension
Your AI-Generated Code Compiles. It Doesn't Work.
Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (agent, ai-generated, application, code).
Shared entity: LLM / Same source domain / Shared topic / Earlier coverage
Your AI-Written Code Works. Its Dependencies Don't.
Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (ai-generated, code, critical, vulnerability).
Shared entity: LLM / Same source domain / Shared topic / Earlier coverage / Tension
10 actionable skills from today's findings:
Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (agent, code).
Shared entity: LLM / Same source domain / Shared topic / Earlier coverage
Over 80% of real LLM apps leak their system prompt under adversarial queries.
Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (already, application, apps).
Shared entity: Security / Shared topic / Earlier coverage
OWASP's State of Agentic AI Security v2.01: coding agents dominate, prompt injection is the root cause.
Both cover Security; overlapping topics (agent, already, application, code, security); earlier Security coverage from 2026-06-14.
Shared entity: Security / Same source domain / Shared topic / Earlier coverage
Opus 4.8 found a 4-year counterfeiting bug in Zcash that cryptographers missed, and ZEC dropped 31%
Both cover Security; reported by the same outlet (arxiv.org); overlapping topics (code, critical, review).
Shared entity: LLM / Same source domain / Shared topic / Earlier coverage
Nolan Lawson Says Use AI to Write Better Code More Slowly. 662 Hacker News Points Agree.
Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (agent, code, review).
AI Coding Agents Don't Write Clean Patches. They Can't.
Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (agent, ai-generated, code).
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 23, 2026
- AI generated
- no
- Story unit
- 2026-06-23-a-systematic-study-confirms-vibe-coded-apps-ship-with-security-holes
- Labels
- source-backed, canonical briefing excerpt