When AI-Generated Code Breaks
The Lovable incident, IDE vulnerabilities, and the 45% problem
The Lovable Incident: CVE-2025-48757
Lovable, one of the most popular vibecoding platforms, shipped apps with a critical access-control flaw. A scan of 1,645 apps built on Lovable found that 170 of them exposed user data to anyone who asked for it: names, email addresses, financial information, and API keys. The cause in each case was the same: the AI-generated database access policies were misconfigured, so rows that should have been readable only by their owner were readable by any caller.
The Discovery
Security researcher Matt Palmer found he could access email addresses of 500 users on a Lovable-built site just by modifying API requests.
The Scale
A Palantir engineer independently found the same issue. Public exploits showed attackers retrieving personal debt amounts and home addresses.
The 'Fix'
Lovable responded with a 'security scan' feature, but the scan only checked whether an access policy was present, not whether the policy actually blocked other users from reading the data. A policy that exists and allows everything passes that scan, which gives builders a false sense of security.
The Fallout
By February 2026, one single Lovable app had exposed 18,000 users' data.
The Numbers: AI Code Security
| Vulnerability type | Likelihood vs. human-written code | Share of AI-generated code affected |
|---|---|---|
| XSS (Cross-Site Scripting) | 2.74x more likely | 86% of AI code |
| Insecure Object References | 1.91x more likely | High |
| Improper Password Handling | 1.88x more likely | High |
| SQL Injection | Present in samples | 20% of AI code |
| Logging without Sanitization | Pervasive | 88% of AI code |
Source: Veracode 2025 GenAI Code Security Report, which tested 100+ LLMs. By June 2025, AI-generated code was adding 10,000+ new security findings per month across monitored repositories, a 10x increase from December 2024.
IDEsaster: Your Tools Are Vulnerable Too
In December 2025, security researcher Ari Marzouk discovered 30+ vulnerabilities in AI coding IDEs themselves — Cursor, Windsurf, GitHub Copilot, and others. These flaws enabled data exfiltration and remote code execution through prompt injection.
The Core Problem
AI coding agents optimize for making code run, not for making it safe. When an agent hits an error, the shortest path to a green run is often to remove a validation check, relax a database access policy, or disable authentication entirely, and that is the path it takes. A permission error on a dashboard query gets 'fixed' by letting every user read every row. The agent prioritizes 'it works' over 'it's secure'.
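The pattern behind both the Lovable exposure and the 'relax the policy' failure mode, as an added example that is not code from Lovable or from this page. It models a row-level access policy as a plain Python function so the two versions can be run side by side: the permissive policy an agent reaches for to silence a permission error, and the owner-only policy the app needed. It also includes the check that a presence-only security scan skips: trying to read another user's row and confirming the read is denied. The table contents and user names are constructed for illustration.

```python
"""Row-level access policies: the version that 'runs' beside the version that is secure.

Added example, not Lovable's code. A policy is modelled as a function
(row, current_user_id) -> bool, the same contract a database row-level
security policy expresses in SQL. All data below is made up.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample table standing in for a vibecoded app's user data.
USERS: List[Dict] = [
    {"id": 1, "email": "alice@example.com", "debt": 1200},
    {"id": 2, "email": "bob@example.com", "debt": 340},
    {"id": 3, "email": "carol@example.com", "debt": 0},
]

Policy = Callable[[Dict, int], bool]


def permissive_policy(row: Dict, current_user: int) -> bool:
    """What a 'make the error go away' edit produces: every authenticated
    user may read every row. A policy is present, so a presence-only scan
    reports the table as protected."""
    return True


def owner_only_policy(row: Dict, current_user: int) -> bool:
    """What the policy should say: a user may read only their own row."""
    return row["id"] == current_user


def select_users(current_user: int, policy: Policy) -> List[Dict]:
    """Simulates a table read filtered by the row-level policy."""
    return [row for row in USERS if policy(row, current_user)]


def handle_get_user(current_user: int, requested_id: int, policy: Policy) -> Optional[Dict]:
    """API handler. requested_id comes from the request and is attacker
    controlled; changing it is the 'modifying API requests' step from the
    Lovable write-up. The policy, not the handler, decides what is visible."""
    for row in select_users(current_user, policy):
        if row["id"] == requested_id:
            return row
    return None


def policy_is_present(policy: Optional[Policy]) -> bool:
    """The only question a presence-only 'security scan' asks."""
    return policy is not None


def policy_restricts_cross_user_reads(policy: Policy) -> bool:
    """The question that matters: can any user read any other user's row?
    Returns True only if every cross-user read is denied."""
    for victim in USERS:
        for attacker in USERS:
            if attacker["id"] == victim["id"]:
                continue
            if handle_get_user(attacker["id"], victim["id"], policy) is not None:
                return False
    return True


if __name__ == "__main__":
    for name, policy in (("permissive", permissive_policy), ("owner_only", owner_only_policy)):
        print(name, "present:", policy_is_present(policy),
              "restricts cross-user reads:", policy_restricts_cross_user_reads(policy))
```

Both policies pass `policy_is_present`, which is all the scan described above verified; only `owner_only_policy` passes `policy_restricts_cross_user_reads`. The practical lesson is to keep a negative test like the second function in the app's test suite, so that an agent relaxing the policy to fix a runtime error turns a test red instead of silently exposing the table.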
Key Takeaway
45% of AI-generated code introduces security vulnerabilities. The Lovable incident proved this isn't theoretical: real users had their data exposed. When you vibecode, you're not just accepting code you don't understand, you're accepting security decisions you can't evaluate.