Vibe Security Radar

Real CVEs where AI-generated code introduced the vulnerability.

by Georgia Tech SSLab

Actively developed. Results may contain errors or omissions.

Coverage: May 1, 2025 to Mar 24, 2026

78 AI-linked CVEs
8 AI tools
43 Critical / High
46,831 advisories scanned (24% with fix)

Vulnerabilities by Month (chart; tools tracked: Aether, Atlassian Rovo, Claude Code, Cursor, Devin, GitHub Copilot, Roo Code)

Recent Vulnerabilities

| ID | Severity | Tool | Language | Verified by | Description |
|---|---|---|---|---|---|
| CVE-2026-33890 | HIGH | Claude Code | TypeScript | GPT-5.4 High | MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration |
| GHSA-vrqm-gvq7-rrwh | MEDIUM | Devin | TypeScript | GPT-5.4 High | PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS |
| CVE-2026-32890 | CRITICAL | Claude Code | JavaScript | GPT-5.4 High | Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config |
| CVE-2026-32021 | MEDIUM | Claude Code | TypeScript | GPT-5.4 High | OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access. |
| CVE-2026-30924 | CRITICAL | Claude Code | Go | GPT-5.4 High | qui CORS Misconfiguration: Arbitrary Origins Trusted |
| CVE-2026-3503 | MEDIUM | Devin | C/C++ | GPT-5.4 High | Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during Keccak-based expansion. This issue affects wolfSSL (wolfCrypt): commit hash d86575c766e6e67ef93545fa69c04d6eb49400c6. |
| CVE-2026-31998 | HIGH | Claude Code | TypeScript | GPT-5.4 High | OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions. |
| CVE-2026-31990 | MEDIUM | Claude Code (PR) | TypeScript | GPT-5.4 High | OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries. |
| CVE-2026-31989 | MEDIUM | Claude Code | TypeScript | GPT-5.4 High | OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets can trigger internal-network requests from the OpenClaw host to loopback, private, or internal destinations. |
| CVE-2026-22171 | HIGH | Claude Code | TypeScript | GPT-5.4 High | OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions. |