Security scanner finds SQL injection and bare JWT secrets in vibe-coded repos
A Reddit post by u/OrdinaryEmpty7411 describes a security scanner built for AI-generated code that, after scanning ~90 public repos, found SQL injection in auth controllers, payment APIs with no authentication, and JWT secrets defaulting to `'default_secret'` in production.
Score breakdown
The post surfaces a concrete pattern of critical security vulnerabilities — SQL injection, missing authentication, and hardcoded secrets — appearing in real, publicly shipped AI-assisted codebases.
u/OrdinaryEmpty7411 posted to r/cursor describing a security scanner they built specifically to analyze AI-generated code. During the development process, they scanned approximately 90 public repositories and reported finding a range of serious vulnerabilities: SQL injection flaws inside authentication controllers, payment API endpoints with no authentication layer, and JWT secrets configured to fall back to the hardcoded value `'default_secret'` in production environments.
The post is a pre-launch recruitment call, inviting developers who have shipped projects built with Cursor, Claude Code, or GitHub Copilot to submit their codebases for a free security scan. Participants would receive a detailed report specifying the affected files, line numbers, and an explanation of each identified issue. The post specifies that submitted projects must contain real backend code.
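The three findings above (string-built SQL in an auth controller, a payment route with no auth middleware, and a JWT secret that falls back to `'default_secret'`) are recognisable source patterns, and the report format the post promises (file, line number, explanation) is what a line-oriented check naturally produces. The block below is an added illustration, not u/OrdinaryEmpty7411's scanner or any code from the post: it runs simple regex checks over constructed sample files. The post does not name a language or framework; the samples and rules assume a Node.js/Express codebase, and the file names, rule names and middleware identifiers are invented for the example.

```javascript
// Added example, not the scanner from the post. A line-oriented checker for the
// three patterns the post reports, run over constructed sample files. A real
// scanner would work on the AST; regexes are enough to show the patterns.

const QUERY_CALL = /\.(query|execute|raw|exec)\s*\(/;            // db.query(...)
const SQL_KEYWORD = /\b(select|insert|update|delete)\b/i;
const SQL_CONCAT = /(\+\s*\w|\$\{)/;                               // "..." + x  or `...${x}`

// process.env.<...SECRET|KEY|TOKEN...> || 'literal'   (also ??); group 4 is the literal
const SECRET_FALLBACK = /process\.env\.\w*(secret|key|token)\w*\s*(\|\||\?\?)\s*(["'`])([^"'`]+)\3/i;

// Express route registration: router.post('/path', mw1, mw2, handler)
const ROUTE = /\b(?:app|router)\.(get|post|put|patch|delete)\s*\(\s*(["'`])([^"'`]*)\2\s*,\s*(.*)$/;
const PAYMENT_PATH = /pay|charge|checkout|billing|invoice|refund/i;
const AUTH_NAME = /auth|protect|verify|requirelogin|ensureloggedin|passport/i;
// router.use(requireAuth): guards every route registered AFTER this line
const ROUTER_USE_AUTH = /\b(?:app|router)\.use\s*\(\s*[^)]*(auth|protect|verify)/i;

function scanSource(file, source) {
  const findings = [];
  let guardedByRouterUse = false; // Express applies middleware in registration order
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    if (QUERY_CALL.test(text) && SQL_KEYWORD.test(text) && SQL_CONCAT.test(text)) {
      findings.push({ file, line, rule: 'sql-injection',
        message: 'SQL built by string concatenation/interpolation; use a parameterized query' });
    }
    const m = SECRET_FALLBACK.exec(text);
    if (m) {
      findings.push({ file, line, rule: 'hardcoded-secret-fallback',
        message: `secret falls back to literal '${m[4]}' when the env var is unset; fail fast instead` });
    }
    if (ROUTER_USE_AUTH.test(text)) guardedByRouterUse = true;
    const r = ROUTE.exec(text);
    if (r && !guardedByRouterUse && PAYMENT_PATH.test(r[3]) && !AUTH_NAME.test(r[4])) {
      findings.push({ file, line, rule: 'unauthenticated-payment-route',
        message: `${r[1].toUpperCase()} ${r[3]} has no auth middleware in its handler chain` });
    }
  });
  return findings;
}

function scanRepo(files) {
  return Object.entries(files).flatMap(([file, src]) => scanSource(file, src));
}

// Report in the shape the post describes: file, line number, explanation.
function formatReport(findings) {
  return findings.map(f => `${f.file}:${f.line} [${f.rule}] ${f.message}`).join('\n');
}

// Constructed sample "repo" (invented file names and code), one vulnerable
// instance of each pattern plus a hardened file that must produce no findings.
const SAMPLE_FILES = {
  'controllers/authController.js': [
    "const db = require('../db');",
    "async function login(req, res) {",
    "  const { username, password } = req.body;",
    "  const row = await db.query(\"SELECT * FROM users WHERE name = '\" + username + \"'\");",
    "  if (!row || row.password !== password) return res.status(401).end();",
    "  res.json({ token: issueToken(row.id) });",
    "}",
  ].join('\n'),
  'config/jwt.js': [
    "const JWT_SECRET = process.env.JWT_SECRET || 'default_secret';",
    "module.exports = { JWT_SECRET };",
  ].join('\n'),
  'routes/payments.js': [
    "const router = require('express').Router();",
    "const { requireAuth } = require('../middleware/auth');",
    "router.post('/payments/charge', async (req, res) => {",          // no auth middleware
    "  res.json(await charge(req.body));",
    "});",
    "router.get('/payments/history', requireAuth, async (req, res) => {",
    "  res.json(await history(req.user.id));",
    "});",
  ].join('\n'),
  'routes/payments.fixed.js': [
    "const router = require('express').Router();",
    "const { requireAuth } = require('../middleware/auth');",
    "const JWT_SECRET = process.env.JWT_SECRET;",
    "if (!JWT_SECRET || JWT_SECRET.length < 32) throw new Error('JWT_SECRET missing or too short');",
    "router.use(requireAuth);",
    "router.post('/payments/refund', async (req, res) => {",
    "  const row = await db.query('SELECT * FROM orders WHERE id = $1', [req.body.orderId]);",
    "  res.json(await refund(row));",
    "});",
  ].join('\n'),
};

console.log(formatReport(scanRepo(SAMPLE_FILES)));
```

The hardened file shows the fixes the findings call for: a parameterized query, a secret that is required at startup rather than defaulted, and an auth guard registered with `router.use` before the payment routes. The `guardedByRouterUse` flag exists because Express middleware order matters: a `router.use(requireAuth)` placed after a route does not protect it, and a line-based check that ignored order would miss exactly that mistake. Multi-line queries and route chains split across lines are not handled here, which is one reason real scanners parse the AST.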
Key facts
1. u/OrdinaryEmpty7411 built a security scanner specifically for AI-generated code.
2. Approximately 90 public repositories were scanned during development.
3. Findings include SQL injection vulnerabilities in authentication controllers.
4. Payment APIs with zero authentication were discovered in scanned repos.
5. JWT secrets falling back to the hardcoded value `'default_secret'` in production were found.
6. The author is recruiting Cursor, Claude Code, or Copilot users to receive free pre-launch scans.
7. Free scan reports will include specific files, line numbers, and explanations of each issue.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 11, 2026 · 08:34 UTC.