this post was submitted on 23 Feb 2026
62 points (88.8% liked)

Programming

25737 readers
569 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev



founded 2 years ago
MODERATORS
 

AI-generated code is shipping to production without security review. The tools that generate the code don't audit it. The developers using the tools often lack the security knowledge to catch what the models miss. This is a growing blind spot in the software supply chain.

top 24 comments
[–] mickus@sh.itjust.works 5 points 1 hour ago

The security problems have been known since the technology became usable. The tech companies even wrote on the cybersec problems. But I suppose vibe coders don't care.

[–] briggsyj@programming.dev 2 points 1 hour ago

shipping to production without security review.

curtains.

[–] entwine@programming.dev 5 points 6 hours ago

I think the real problem is that nobody cares about security because there are very few consequences for data leaks. I guess what little safeguards existed in the past have been obliterated by the sheer velocity of AI code generation.

What we need are laws to hold people criminally responsible for negligence in handling user data. It isn't unprecedented, since we already have HIPAA. A watered-down version of that for ANY business that collects personal data would fix a lot of problems.

[–] TootGuitar@sh.itjust.works 5 points 8 hours ago

This blog is hosted at the Nazi bar, and gives advice to not read all the diffs after talking about security for the whole article.

I regret my click.

[–] UnfortunateShort@lemmy.world 10 points 14 hours ago

Vibe Coding is a security problem literally everybody except vibe coders warned about

[–] VitoRobles@lemmy.today 4 points 14 hours ago

I shit you not, one of the proposals for fixing AI security issues is throwing an AI agent in there.

[–] Blackmist@feddit.uk 25 points 22 hours ago

It's not that nobody wants to talk about it.

It's that nobody wants to listen.

[–] xylogx@lemmy.world 7 points 18 hours ago

As a security professional it amuses me that you think non-AI generated code is manually reviewed for security. Either you are committed to code quality or you are not. If you are you have automated testing, standard architectural patterns and vulnerability scanning. Peer reviews are great but do not scale and are far from comprehensive.

[–] CombatWombat@feddit.online 46 points 1 day ago (3 children)

Read the diffs. Not all of them.

How do you write this whole article and come to the conclusion you can merge unread diffs?

[–] lemmyng@piefed.ca 12 points 21 hours ago

There's LLM apologists who actually believe that by reading code you're becoming a liability because you get in the way of "shipping faster." And there's a whole class of C levels and their sycophants who just eat that up.

[–] dan@upvote.au 17 points 1 day ago

I hate to say it, but there's a lot of "vibe coders" that use AI to write their code, then they (or someone else) use AI to review it. No human brains involved.

[–] atzanteol@sh.itjust.works 16 points 1 day ago (1 children)

No shit. Why would they even say that?

[–] Whostosay@sh.itjust.works 12 points 23 hours ago* (last edited 23 hours ago)

Likely vibe-written and not audited

[–] dan@upvote.au 29 points 1 day ago* (last edited 23 hours ago) (2 children)

The article says:

None of the tools produced exploitable SQL injection or cross-site scripting

but I've seen exactly this. After years of not seeing any SQL injection vulnerabilities (due to the large increase in ORM usage plus the fact that pretty much every query library supports/uses prepared statements now), I caught one while reviewing vibe-coded code ~~written~~ generated by someone else.
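As an added illustration of the pattern this comment describes (example code, not code from the thread or the article it discusses): the string-built lookup is the shape that reintroduces SQL injection, and the parameterized version beside it is what every modern query library already supports. The in-memory SQLite database and its two rows are constructed here for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password_hash) VALUES (?, ?)",
        [("alice", "hash-1"), ("bob", "hash-2")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Query built by string interpolation: user input becomes SQL syntax.
    A name of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the driver passes `name` as a bound value, so the
    same payload is just a string that matches no row."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row
    print("safe:      ", find_user_safe(db, payload))        # no rows
```

The review check is mechanical: any query text assembled with an f-string, `%`, `.format()` or `+` from a value that crosses a trust boundary is the finding, regardless of whether the author was a person or a model.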

[–] lemmyng@piefed.ca 8 points 21 hours ago (1 children)

Forget SQL injection and XSS, LLMs are bringing back unsanitised inputs as a whole, including reintroducing previously removed vulnerabilities. You can casually browse GitHub for submissions by Claude bot and find ../.. vulns all over.
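An added example of the ../.. class mentioned here, not code from the thread or from any repository it refers to: `unsafe_join` shows what a naive join does with a traversal string, and `resolve_under_root` is the containment check a reviewer would ask for. The upload directory `/srv/app/uploads` is an assumed path chosen for the example.

```python
import os
from pathlib import Path

# Assumed document root for the example; not a path taken from the thread.
ROOT = Path("/srv/app/uploads")


def unsafe_join(root: Path, user_path: str) -> str:
    """The vulnerable pattern: join the request path onto the root and open
    whatever comes out. Returns the path such code would open."""
    return os.path.normpath(os.path.join(str(root), user_path))


def resolve_under_root(root: Path, user_path: str) -> Path:
    """Resolve user_path against root and refuse anything that escapes it.

    Path / absolute_path discards root, and resolve() collapses '..' and
    follows symlinks, so absolute paths, traversal sequences and symlinks
    pointing outside the root all end up with a resolved path that is not
    under root and are rejected here.
    """
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes {root}: {user_path!r}")
    return candidate


def is_safe_path(root: Path, user_path: str) -> bool:
    """Boolean wrapper around resolve_under_root for callers that only gate."""
    try:
        resolve_under_root(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request paths: one legitimate, two traversal attempts.
    for requested in ("reports/2026.csv", "../../../etc/passwd", "/etc/passwd"):
        print(f"{requested!r:28} naive -> {unsafe_join(ROOT, requested)}"
              f"  safe? {is_safe_path(ROOT, requested)}")
```

Run the check on the decoded path (after URL decoding and any archive-entry-name handling), since the string the check sees must be the string the filesystem will see; a `%2e%2e%2f` that is decoded after the check passes it.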

[–] pinball_wizard@lemmy.zip 2 points 1 hour ago* (last edited 1 hour ago)

Yes. And let's not forget bringing back the classic "forgot to even put a password on the sensitive files".

[–] ugo@feddit.it 11 points 23 hours ago (1 children)

vibe-coded code written by someone else

“Someone else” “writes” vibe-coded code in the same way that someone buying a meal at a restaurant cooks said meal.

[–] dan@upvote.au 4 points 23 hours ago

Haha good point - maybe "generated by" is a better description?

[–] rozodru@piefed.world 6 points 19 hours ago

This really shouldn't be recent news to anyone. It's been like this since day one of vibe coding. It's all exploitable, none of it scales, and the "vibe coders" have zero clue how any of it works when it comes out the other end of the AI. None of them. And anyone that tells you otherwise is lying.

It's not a "growing blind spot", it's a blind spot that has always been there. And it happens with all companies, even large ones like Amazon. Look what happened with the AWS outages. Hell, you can even go on YouTube and watch people who work at Amazon and you'll quickly realize these kids have no idea what the hell they're doing. I've followed one guy for the past year who documents his on-calls with Amazon and this kid hasn't learned a single thing. He doesn't know what he's doing but will proudly tout how Amazon "helps" those that are laid off. The kid still gets tickets at 1am and has no clue how to fix the stuff and just hands it off to another team in the morning. He's been doing this for over a year!

So of course this stuff is going to go unchecked because the ones who are supposed to monitor it don't know what they're doing.

[–] floofloof@lemmy.ca 17 points 1 day ago* (last edited 1 day ago)

Nobody who's into vibe coding wants to talk about it. The sane people, on the other hand, are already well aware.

[–] SpicyLizards@reddthat.com 7 points 22 hours ago

I will always talk about it when it matters - which is to anyone using or considering using it.

[–] CameronDev@programming.dev 9 points 1 day ago* (last edited 1 day ago)

While human developers bring intuitive understanding

Well.... some do.

Jokes aside, I don't think this is an undiscussed topic, and ultimately, the solution is the same as it has always been: project culture. Project leaders need to insist that code is responsibly written and reviewed, and to make it part of the team culture. AI doesn't change that.

[–] 0xtero@beehaw.org 8 points 1 day ago

Vibe coding security problems are all we ever talk about these days.

[–] rizzothesmall@sh.itjust.works 1 point 23 hours ago

HITL

AI augmented > AI generated.

Human review with AI co-review > AI generated review.

Human-arranged AI augmented documentation > AI documentation, which always seems to believe that the most innocuous comment spelling correction is the most important change.

If you completely remove humans from the development cycle then you don't know what's in your codebase anymore.