The "Vibe Coding" Wall of Shame
6 hours ago
- #vibe-coding risks
- #CVE tracking
- #AI-generated software failures
- A curated directory documents incidents where AI-generated and vibe-coded software failed in production, with each entry citing authoritative sources.
- As of March 2026, there were 34 incidents affecting over 6.3 million records, with 35+ CVEs tracked and 69 vulnerabilities found across AI-coded apps.
- Notable incidents include a 6-hour outage wiping 99% of U.S. order volume, Claude Code destroying 2.5 years of production data, and a compromised PyPI package affecting 95 million monthly downloads.
- Vulnerabilities like CVE-2026-0755 (CVSS 9.8) and CVE-2026-31992 (CVSS 9.9) highlight critical security risks, including command injection and allowlist bypasses.
- AI-generated malware and malicious packages, such as exploits in Next.js and 126 malicious npm packages, have led to data breaches and system compromises.
- A Tenzai study found that every app built by major AI coding tools lacked CSRF protection and introduced SSRF vulnerabilities, with AI-attributed CVEs rising from 6 to 35+ in early 2026.
- The root cause of these failures is shipping code without understanding it, leading to exposed databases, lost orders, and zero-interaction exploits.
- The antidote the directory emphasizes is understanding code fundamentals (data structures, algorithms, and system design), since AI used without that comprehension becomes a liability.
- An analysis titled "Why Vibe Coding Won't Replace Developers" cites data showing AI-coded software has 1.7x more bugs, 2.74x more vulnerabilities, and is 19% slower.