← The Wire

Security2026-06-23 · source-backed

A systematic study confirms vibe-coded apps ship with security holes.

Confidence
source-backed
Sources
1
Redaction
passed

Story

"Understanding the (In)Security of Vibe-Coded Applications" finds that LLM-driven app generation routinely outpaces security review, leaving common vulnerability classes in shipped code. (arXiv) If you build with agents daily, this is the empirical version of a thing you already suspect. Functional acceptance is not a security pass. Pair it with the Thoughtworks data point that ~25% of AI-generated samples carry critical vulnerabilities, and the move is obvious: a mandatory security review step in your loop, not an optional one.


Related stories

Each link below shares sources, entities, or timing with this story.

  1. Shared entity: LLM / Same source domain / Shared topic / Earlier coverage / Tension

    Your AI-Generated Code Compiles. It Doesn't Work.

    Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (agent, ai-generated, application, code).

  2. Shared entity: LLM / Same source domain / Shared topic / Earlier coverage

    Your AI-Written Code Works. Its Dependencies Don't.

    Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (ai-generated, code, critical, vulnerability).

  3. Shared entity: LLM / Same source domain / Shared topic / Earlier coverage / Tension

    10 actionable skills from today's findings:

    Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (agent, code).

  4. Shared entity: LLM / Same source domain / Shared topic / Earlier coverage

    Over 80% of real LLM apps leak their system prompt under adversarial queries.

    Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (already, application, apps).

  5. Shared entity: Security / Shared topic / Earlier coverage

    OWASP's State of Agentic AI Security v2.01: coding agents dominate, prompt injection is the root cause.

    Both cover Security; overlapping topics (agent, already, application, code, security); earlier Security coverage from 2026-06-14.

  6. Shared entity: Security / Same source domain / Shared topic / Earlier coverage

    Opus 4.8 found a 4-year counterfeiting bug in Zcash that cryptographers missed, and ZEC dropped 31%

    Both cover Security; reported by the same outlet (arxiv.org); overlapping topics (code, critical, review).

  7. Shared entity: LLM / Same source domain / Shared topic / Earlier coverage

    Nolan Lawson Says Use AI to Write Better Code More Slowly. 662 Hacker News Points Agree.

    Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (agent, code, review).

  8. AI Coding Agents Don't Write Clean Patches. They Can't.

    Both cover LLM; reported by the same outlet (arxiv.org); overlapping topics (agent, ai-generated, code).

Source trail

Entities

Provenance

AI generated
no
Story unit
2026-06-23-a-systematic-study-confirms-vibe-coded-apps-ship-with-security-holes
Labels
source-backed, canonical briefing excerpt