45% of AI-generated code contains security vulnerabilities according to Veracode's 2026 study of 150+ LLMs, and this rate hasn't improved despite rapid advances in functional correctness. The most common flaws include missing input sanitization, hardcoded credentials, over-permissive IAM defaults, hallucinated dependencies, and incomplete access control. Real CVE incidents from Lovable, Cursor, and a fully vibe-coded social platform illustrate the real-world impact. The author explains why AI models are structurally poor at security (optimized for functional correctness, lacking adversarial reasoning, trained on insecure examples) and shares a practical review checklist: read every line, run SAST on every PR, verify all imports, audit auth separately, check env variable handling, use AI to review AI output, and keep a vulnerability log. A warning is raised about junior developers using AI tools without the security judgment to review outputs, and about organizations cutting the senior engineers who provide that review capacity.
Table of contents

- The Numbers You Need to Know
- The Most Common Vulnerabilities
- Real Incidents: When This Goes Wrong in Production
- Why AI Models Are Structurally Bad at Security
- My Actual Review Process
- The Junior Developer Problem
- What I Actually Want from These Tools
- Where This Leaves Us