Vibe Security Radar: Real CVEs where AI-generated code introduced Bugs

vibe-radar-ten.vercel.app · tsgates · 18 days ago · view on HN · research
quality 9/10 · excellent
0 net
Tags
auth-bypass cloud cors cve dos exploit lfi rce ssrf xss
Entities
CVE-2026-22171 CVE-2026-30924 CVE-2026-31989 CVE-2026-31990 CVE-2026-31998 CVE-2026-32021 CVE-2026-33331 CVE-2026-3503 CVE-2026-4269
Vibe Security Radar Vibe Security Radar Real CVEs where AI-generated code introduced the vulnerability. by Georgia Tech SSLab Actively developed. Results may contain errors or omissions. How it works Star on GitHub Contribute Coverage: May 1, 2025 – Mar 20, 2026 74 AI-linked CVEs 8 AI tools 39 Critical / High 43,849 Advisories scanned ( 22 % with fix) Vulnerabilities by Month ← → Aether Atlassian Rovo Claude Code Cursor Devin GitHub Copilot Roo Code Recent Vulnerabilities ID Severity Tools Language Verified By Description GHSA-vrqm-gvq7-rrwh MEDIUM TypeScript GPT-5.4 High PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS CVE-2026-32021 MEDIUM TypeScript GPT-5.4 High OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access. CVE-2026-30924 CRITICAL Go GPT-5.4 High qui CORS Misconfiguration: Arbitrary Origins Trusted CVE-2026-3503 MEDIUM C/C++ GPT-5.4 High Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6. CVE-2026-31998 HIGH TypeScript GPT-5.4 High OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions. CVE-2026-31990 MEDIUM PR TypeScript GPT-5.4 High OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries. CVE-2026-31989 MEDIUM TypeScript GPT-5.4 High OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets can trigger internal-network requests from the OpenClaw host to loopback, private, or internal destinations. CVE-2026-22171 HIGH TypeScript GPT-5.4 High OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions. CVE-2026-4269 MEDIUM Python GPT-5.4 High A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. This issue only affects users of the Bedrock AgentCore Starter Toolkit before version v0.1.13 who build or have built the Toolkit after September 24, 2025. Any users on a version >=v0.1.13, and any users on previous versions who built the toolkit before September 24, 2025 are not a CVE-2026-33331 HIGH TypeScript Vue GPT-5.4 High oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.
← Back to stories