LeakBase Admin Arrested in Russia Over Massive Stolen Credential Marketplace
We pentested a web app built 100% with AI, with no human-written code. Functional, clean, well-structured. But security-wise, we found critical issues on day one: LFI, IDOR, vulnerable dependencies, and more.
AI-generated code is not secure by default. And vibe coding moves fast enough that security gets skipped entirely.
Full writeup with technical details and recommendations: https://www.hackmosphere.fr/en/?p=3803
Anyone else seeing this pattern in AI-generated apps?
Breach occurred at Navia Benefit Solutions, a 3rd party, not HackerOne infra.
Around 287 HackerOne employees PII leaked.
Navia delayed breach notifications by weeks. Filed at Maine AG.
Navia was independently breached. Over 10K US employees' PII exposed.
Reports point to an auth flaw (BOLA-type) enabling access to employee PII (SSNs, DoB, addresses, benefits data).
Exposure window: Dec 2025 to Jan 2026.
Root cause: EspoCRM's formula engine operates outside the field-level restriction layer: fields marked readOnly (like Attachment.sourceId) are writable through it. sourceId is concatenated directly into a file path in getFilePath() with no sanitization. Chain: modify sourceId via formula → upload webshell via chunked upload → poison .htaccess → RCE as www-data. Six requests, admin credentials required. Coordinated disclosure; patched in 9.3.4.
End-user compute vendor Omnissa, the company formed by the spin-out of VMware's virtual desktops, applications, and device management biz, has dug into the telemetry it collects from customers and painted a picture of the world's enterprise hardware fleet, and the news is better for Google and Apple than it is for Microsoft. …