study
The state of vibe-coded app security (99 repos)
Based on 99 repos · published 10 June 2026
the numbers

| figure | what it measures |
|---|---|
| 21.2% | had at least one exposed-secret finding (~1 in 5) |
| 27.3% | had at least one critical or high security finding |
| 12.1% | had at least one critical finding |
| 40.4% | had at least one injection-category finding (2nd most-hit category) |
| 33.3% | used `dangerouslySetInnerHTML` — the single most common finding |
| 97 / 91.2 | median score (an A) vs mean of 91.2 — the median is inflated by tiny demo repos; 26 of 99 scored B, C or D |

methodology
The secure·vibes heuristic rules engine (no AI pass) was run over 99 public GitHub repos that describe themselves as AI- or vibe-coded, collected on 10 June 2026.