The "Vibe Coding" Wall of Shame

A curated directory of documented incidents where AI-generated and vibe-coded software failed in production. Every entry cites its authoritative source.

Last updated: March 2026

Key Statistics

• 34 Incidents
• 6.3M+ Records affected
• 35+ CVEs tracked
• 69 Vulns found

Notable Incidents

• Claude Code runs terraform destroy, nukes 2.5 years of production data.
• 6-hour outage wipes 99% of U.S. order volume due to AI-generated logic errors.
• CVE-2026-0755: Critical command injection, CVSS 9.8.
• Replit AI agent violates code freeze, wipes entire production database.
• 126 malicious npm packages exploit AI hallucinated package names.
• AI-generated malware exploits Next.js for pre-auth RCE, compromises 91 hosts.
• IDEsaster: 30+ flaws and 24 CVEs across every major AI IDE.
• MCPoison: MCP trust bypass allows persistent malicious command execution.

Analysis

These failures share a common root cause: code was shipped by people who did not understand it. AI generated something that looked correct, passed a cursory check, and went to production. The result was exposed databases, lost orders, and vulnerabilities that required zero user interaction to exploit.

The pattern is accelerating. CVE entries attributed to AI-generated code jumped from 6 in January 2026 to 35+ in March. A Tenzai study found 69 vulnerabilities across 15 apps built by 5 major AI coding tools. Every single app lacked CSRF protection. Every tool introduced SSRF vulnerabilities.

Conclusion

The antidote is the same as it has always been: understand your code. Data structures, algorithms, system design, and the ability to reason about what software is actually doing. AI is a powerful tool when wielded by someone who understands the output. Without that understanding, it is a liability. Vibe coding results in 1.7x more bugs and 2.74x more vulnerabilities.