TUTORIAL·March 31, 2026·8 MIN READ

35 CVEs Per Month: The AI Code Security Crisis Nobody Is Talking About

By EndOfCoding

In March 2026, 35 new CVEs were filed for vulnerabilities introduced by AI-generated code — 27 of them from Claude Code alone. That's not a statistical anomaly. It's a trend line that has been accelerating for six months. If you're shipping vibe-coded apps, here's what the data actually shows, which vulnerability patterns appear most often, and a practical self-audit checklist you can run in under 30 minutes.

What You'll Learn

You'll understand the scale of the AI code CVE problem, the most common vulnerability patterns AI tools introduce, how to audit your own vibe-coded apps, and what prompting habits prevent these vulnerabilities from being introduced in the first place.

The Numbers

March 2026 AI code CVE data:

  • 35 total CVEs filed with AI-generated code as a contributing factor
  • 27 attributed to Claude Code (the most widely deployed agentic tool)
  • 2 critical CVEs in Claude Code itself: CVE-2025-59536 (RCE) and an API key exfiltration vulnerability — both patched in the March 15 update
  • An estimated 400-700 unreported vulnerabilities in production apps, according to researcher estimates
  • This is a 40% increase from the 25 CVEs/month figure from Q4 2025

The cause isn't that AI tools are bad at coding. It's that AI tools are great at coding and terrible at security context. They generate syntactically correct, logically functional code that happens to be insecure — and most vibe coders don't notice.

The 5 Most Common Vulnerability Patterns

1. Insecure Direct Object Reference (IDOR)

AI tools generate API endpoints that trust client-supplied IDs without verifying ownership:

// AI-generated (VULNERABLE)
export async function GET(req: Request, { params }: { params: { id: string } }) {
  const document = await db.documents.findUnique({ where: { id: params.id } })
  return Response.json(document) // Returns any user's document
}

// Fixed
export async function GET(req: Request, { params }: { params: { id: string } }) {
  const session = await auth()
  if (!session) return Response.json({ error: 'Unauthorized' }, { status: 401 })
  
  const document = await db.documents.findUnique({
    where: { id: params.id, userId: session.user.id } // Verify ownership
  })
  if (!document) return Response.json({ error: 'Not found' }, { status: 404 })
  return Response.json(document)
}

2. Missing Rate Limiting

AI generates API routes with no rate limiting, making brute force and enumeration trivial:

// Add to any sensitive endpoint
import { ratelimit } from '@/lib/ratelimit'

export async function POST(req: Request) {
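  // x-forwarded-for can hold a comma-separated chain and is client-supplied
  // unless a trusted proxy overwrites it; 'unknown' puts all header-less callers in one bucket
  const ip = req.headers.get('x-forwarded-for') ?? 'unknown'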
  const { success } = await ratelimit.limit(ip)
  if (!success) return Response.json({ error: 'Too many requests' }, { status: 429 })
  // ... rest of handler
}
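
The handler above imports `ratelimit` from `@/lib/ratelimit` without showing it. As an added example (not code from the original article), here is one in-memory sliding-window limiter with the same `limit(key)` → `{ success }` shape, plus a helper that picks the client address out of `x-forwarded-for`. The names `createRateLimiter`, `clientKey` and `trustedHops` are assumptions, and the state lives in a single process, so multi-instance deployments need a shared store instead.

```javascript
// Added example: in-memory sliding-window limiter with the limit(key) -> { success }
// shape used above. createRateLimiter, clientKey and trustedHops are hypothetical
// names, not a library API. State lives in one process only.
function createRateLimiter({ max, windowMs, now = Date.now }) {
  const hits = new Map(); // key -> timestamps (ms) of accepted requests

  return {
    limit(key) {
      const t = now();
      // Drop timestamps that have aged out of the window.
      const recent = (hits.get(key) || []).filter((ts) => t - ts < windowMs);
      const success = recent.length < max;
      if (success) recent.push(t); // rejected requests are not counted
      hits.set(key, recent);
      const reset = recent.length ? recent[0] + windowMs : t;
      return { success, remaining: max - recent.length, reset };
    },
    // Remove keys with no live timestamps; call on a timer to bound memory.
    sweep() {
      const t = now();
      for (const [key, stamps] of hits) {
        if (stamps.every((ts) => t - ts >= windowMs)) hits.delete(key);
      }
      return hits.size;
    },
  };
}

// X-Forwarded-For reads "client, proxy1, ..."; each proxy appends the peer it
// saw, so only the last `trustedHops` entries were written by your own
// infrastructure. Everything to their left is client-supplied.
function clientKey(xForwardedFor, trustedHops = 1) {
  const parts = (xForwardedFor || '').split(',').map((p) => p.trim()).filter(Boolean);
  // null means "no trustworthy address": fail closed or use one shared bucket.
  return parts.length >= trustedHops ? parts[parts.length - trustedHops] : null;
}
```
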

3. SQL Injection via String Interpolation

AI tools sometimes generate raw SQL with template literals, especially when using older patterns:

// VULNERABLE (AI sometimes generates this)
const users = await db.query(`SELECT * FROM users WHERE email = '${email}'`)

// Safe (parameterized query)
const users = await db.query('SELECT * FROM users WHERE email = $1', [email])
// Or via an ORM query builder (Prisma and Drizzle parameterize these calls;
// raw escape hatches such as Prisma's $queryRawUnsafe are not covered)
const user = await prisma.user.findUnique({ where: { email } })

4. Exposed Environment Variables in Client Components

AI frequently uses process.env.SECRET_KEY in React components, which Next.js bundles into the client:

// VULNERABLE — exposes secret to browser
export default function Component() {
  const apiKey = process.env.OPENAI_API_KEY // Exposed to browser!
  // ... rest of component
}

// Safe — use NEXT_PUBLIC_ prefix only for truly public values
// Keep secrets server-side only
export async function getServerSideProps() {
  const apiKey = process.env.OPENAI_API_KEY // Server only
  const data = await fetch('...', { headers: { Authorization: apiKey } })
  return { props: { data: await data.json() } }
}

5. Overly Permissive CORS

// AI-generated (VULNERABLE)
response.headers.set('Access-Control-Allow-Origin', '*')

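// Fixed
const allowedOrigins = ['https://your-app.com', 'https://staging.your-app.com']
const origin = request.headers.get('origin')
if (origin && allowedOrigins.includes(origin)) {
  response.headers.set('Access-Control-Allow-Origin', origin)
}
// The response now depends on the Origin header, so tell caches to key on it
response.headers.append('Vary', 'Origin')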

The 30-Minute Self-Audit Checklist

Run this on any vibe-coded app before calling it production:

□ Every API route has server-side auth verification (not middleware-only)
□ Every endpoint that reads user data filters by userId/ownerId
□ Rate limiting on auth endpoints, sensitive mutations, and file uploads
□ No process.env secrets in client components or pages
□ No raw SQL with template literals (use ORMs or parameterized queries)
□ CORS is explicitly allowlisted, not open (*)
□ File upload endpoints validate MIME type and file size server-side
□ No API keys or credentials in git history (run: git log -p | grep -i 'api_key\|secret\|password')
□ All dependencies updated in last 30 days (npm audit --audit-level=high)
□ Error messages don't expose stack traces or internal paths to users
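
Three of the checklist items (raw SQL in template literals, wildcard CORS, non-public env vars in client files) are mechanical enough to search for. The scanner below is an added example, not part of the original article or of any tool it mentions; the rule ids, regexes and sample files are constructed for illustration, and a match is a lead for manual review rather than a verdict.

```javascript
// Added example: regex heuristics for three checklist items. Rule ids and
// patterns are this example's own; a match is a lead for review, not a verdict.
const RULES = [
  // Template literal that starts with a SQL verb and interpolates a value.
  { id: 'sql-template-literal', re: /`\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*?\$\{/gi },
  // Header name followed by a literal '*' (headers.set(...) or object form).
  { id: 'cors-wildcard', re: /Access-Control-Allow-Origin['"]\s*[,:]\s*['"]\*['"]/gi },
  // Non-public env var referenced in a file marked 'use client'.
  { id: 'client-secret-env', clientOnly: true,
    re: /process\.env\.(?!NEXT_PUBLIC_|NODE_ENV\b)\w+/g },
];
const USE_CLIENT = /^\s*(['"])use client\1/m;

// 1-based line number of a match offset.
const lineOf = (src, index) => src.slice(0, index).split('\n').length;

// files: { path: sourceText }. Returns [{ file, line, rule }].
function auditFiles(files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    const isClient = USE_CLIENT.test(src);
    for (const { id, re, clientOnly } of RULES) {
      if (clientOnly && !isClient) continue;
      for (const m of src.matchAll(re)) {
        findings.push({ file, line: lineOf(src, m.index), rule: id });
      }
    }
  }
  return findings;
}

// Constructed sample input, modelled on the article's vulnerable snippets.
const SAMPLE = {
  'app/api/users/route.ts': [
    'export async function GET(req) {',
    "  const email = new URL(req.url).searchParams.get('email')",
    "  const users = await db.query(`SELECT * FROM users WHERE email = '${email}'`)",
    '  const res = Response.json(users)',
    "  res.headers.set('Access-Control-Allow-Origin', '*')",
    '  return res',
    '}',
  ].join('\n'),
  'components/Chat.tsx': "'use client'\nconst key = process.env.OPENAI_API_KEY\n" +
    'const base = process.env.NEXT_PUBLIC_API_BASE',
  'lib/openai.ts': 'const key = process.env.OPENAI_API_KEY',
};
```

Calling `auditFiles(SAMPLE)` reports the SQL and CORS lines in the route file and the secret reference in the client component, and leaves the server-only `lib/openai.ts` alone.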

The CVE-2025-59536 Pattern (Claude Code RCE)

The Claude Code RCE vulnerability (patched in the March 15 update) exploited a pattern where file path inputs were passed to shell commands without sanitization. If you used Claude Code before March 15 to generate any file processing, rename, or archive functionality, audit those specifically:

import { exec, execFile } from 'node:child_process'
import path from 'node:path'

// Pattern that was vulnerable
exec(`process-file ${userFileName}`) // Shell injection possible

// Safe alternative
execFile('process-file', [userFileName]) // Argument array, no shell expansion
// Or validate input before use
const safeName = path.basename(userFileName).replace(/[^a-zA-Z0-9._-]/g, '')
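
The `replace()` sanitizer above rewrites its input silently, and what it returns can still be empty, `..`, or start with `-`, which the child program may parse as an option even when launched through `execFile`. As an added example (not code from the original article or from Claude Code), here is a validator that rejects such names instead of rewriting them, shown next to the strip-and-continue result for the same constructed inputs; `validateFileArg`, `stripSanitize` and `compare` are hypothetical names.

```javascript
// Added example: validate a user-supplied file name before it becomes a
// process argument. validateFileArg is a hypothetical helper, not a Node API.
const ALLOWED = /^[a-zA-Z0-9._-]+$/; // same character set as the article's regex

function validateFileArg(name, maxLen = 255) {
  if (typeof name !== 'string') return { ok: false, reason: 'not-a-string' };
  if (name.length === 0 || name.length > maxLen) return { ok: false, reason: 'bad-length' };
  // Separators and NUL are rejected outright rather than stripped.
  if (/[\/\\\0]/.test(name)) return { ok: false, reason: 'separator-or-nul' };
  if (!ALLOWED.test(name)) return { ok: false, reason: 'disallowed-character' };
  if (name === '.' || name === '..') return { ok: false, reason: 'dot-segment' };
  // execFile avoids the shell, but the child still parses "-x" as an option.
  if (name.startsWith('-')) return { ok: false, reason: 'leading-dash' };
  return { ok: true, value: name };
}

// What the strip-and-continue approach returns for the same input
// (basename approximated by splitting on "/" so the block needs no imports).
function stripSanitize(name) {
  return name.split('/').pop().replace(/[^a-zA-Z0-9._-]/g, '');
}

// Constructed inputs.
const CASES = ['report-2026.pdf', '-rf', '../..', 'a;b.txt', '$(x)'];

// Side-by-side result for each input: stripped value vs. validator verdict.
function compare(cases = CASES) {
  return cases.map((input) => ({
    input,
    stripped: stripSanitize(input),
    verdict: validateFileArg(input),
  }));
}
```
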

Common Challenges

'My app uses Supabase/Prisma — am I safe from SQL injection?': Yes, ORMs protect you from SQL injection. But IDOR (accessing other users' data) is still your responsibility — Supabase RLS and Prisma both require you to add the userId filter explicitly.

'I used Claude Code before March 15 — should I be worried?': Audit file processing code. The RCE pattern required user-controlled input reaching shell execution. If your app doesn't do file processing with user-supplied names, you're likely fine. If it does, audit those paths now.

'The numbers seem inflated — 35 CVEs/month?': The count includes all CVEs where AI-generated code was identified as a contributing factor, not all CVEs in the world. Researchers are now routinely flagging 'AI-generated pattern' in CVE reports as tooling gets better at detecting the fingerprints.

Advanced Tips

Integrate security checking into your AI workflow: After generating code with any AI tool, run it through a security prompt before accepting: 'Review this code for: IDOR, missing auth, SQL injection, exposed secrets, and CORS misconfig. Show me any vulnerabilities and the fixes.' This takes 30 seconds and catches most issues.

The new 'AI Code Security Self-Audit Prompt' from Chapter 17: We've added a new prompt to the Vibe Coding Ebook prompt library (now 203 prompts total) specifically for auditing AI-generated code for the top 5 vulnerability patterns above.

CyberOS for automated scanning: cyberos.dev includes automated detection for all 5 vulnerability patterns above. If you're shipping vibe-coded apps, a pre-launch scan takes 5 minutes and has a free tier.

The trend line is the scary part: 25 CVEs/month in Q4 2025, 35 in March 2026. As AI coding adoption increases (73% of developers daily), this number will keep climbing unless the community adopts security-first AI coding practices. The Vibe Coding Ebook Chapter 10 security playbook is being updated this week with the March data.

Conclusion

35 CVEs per month is a signal, not an anomaly. AI tools write insecure code by default because security context requires understanding the threat model — and that's still the developer's job. The fix isn't to stop using AI tools. It's to add a 30-minute security audit to your pre-launch checklist and a security review prompt to your AI workflow.

For the complete security checklist and the new AI Code Security Self-Audit Prompt, see Chapters 10 and 17 of the Vibe Coding Ebook. For weekly AI security updates and CVE alerts, subscribe at EndOfCoding.