The software industry has been running a silent experiment on itself — and the results are catastrophic. While tech companies race to boast about AI-driven productivity gains, insecure, faulty, and unmaintainable code is quietly seeping into production systems worldwide. This is not a future risk. It is happening right now.
The Numbers the Industry Prefers to Ignore
> KEYFIGURE
>
> 61% — share of organizational code that is AI-generated or AI-assisted (The Register / SmartBear, May 2026)
>
> 92% — share of AI-generated codebases containing at least one critical vulnerability (Sherlock Forensics, Jan–Apr 2026)
>
> 18 days — average time from deployment to first exploit attempt against AI-generated apps
>
> 10,000+ — monthly security findings at one Fortune 50 company after AI adoption, up from ~1,000 (Apiiro, Dec 2024–Jun 2025)
A SmartBear survey of 273 software leaders, published in May 2026, reveals that 70 percent believe application quality has already degraded as a direct consequence of AI-generated code. This is not anxiety about the future — it is a diagnosis of the present.

AI Code vs. Human Code: What the Data Shows
| Category | AI code vs. human code |
|---|---|
| Total defects | 1.7x more |
| Logic and correctness errors | 75% more common |
| Security vulnerabilities | up to 2.74x higher |
| Readability problems | 3x more common |
| Error-handling gaps | nearly 2x more common |
| Hallucinated packages | 20% of all AI code |
| Wrong output | 26.6% of programs |
Sources: CodeRabbit (470 GitHub PRs), Veracode (100+ LLMs, 80 coding tasks), Sherlock Forensics 2026
The Tools Themselves Are Now Attack Targets
Veracode tested over 100 different language models on 80 standardized coding tasks across four programming languages — Java, Python, C#, and JavaScript. The result: 45 percent of all AI-generated code contains security vulnerabilities.
Java fared worst, with a failure rate of 72 percent. 86 percent of AI-generated Java code does not defend against XSS attacks (CWE-80). 88 percent is vulnerable to log injection (CWE-117). And since January 2025, the average pass rate has barely moved — sitting flat at around 55 percent, despite vendor claims of security-focused model training.
> HIGHLIGHT
> "Silent logic failures" account for 60 percent of all errors in AI-generated code. They pass automated tests — and only fail in edge cases in production, where real users pay the price.
Georgia Tech's Vibe Security Radar, launched in May 2025, tracks CVEs that can be directly attributed to AI coding tools. In March 2026, the radar recorded 35 confirmed CVEs — a nearly sixfold increase from January of the same year (6 CVEs). A total of 74 CVEs have been confirmed. Claude Code alone accounted for 27 of these, identifiable through commit signatures. GitHub Copilot, Cursor, Devin, and Aether account for the rest. Researchers estimate the real number in public repositories is somewhere between 400 and 700 — and that enterprise codebases are not included in that estimate.
Iteration Makes It Worse, Not Better
Perhaps the most alarming finding comes from a study published by IEEE-ISTAS in 2025, conducted by researchers at the University of San Francisco, the Vector Institute, and the University of Massachusetts Boston. They tested 400 AI-generated code samples through 40 iterative rounds, asking models to improve their own code.
Result: After just 5 rounds, critical vulnerabilities had increased by 37.6 percent. After 10 rounds, the average number of vulnerabilities per code sample had climbed from 2.1 to 6.2 — nearly tripling. The pattern held even when researchers explicitly instructed the models to prioritize security.
> PULLQUOTE
> "Iterative AI improvement is not quality assurance. It is a vulnerability multiplier."
> — IEEE-ISTAS 2025 study, University of San Francisco / Vector Institute / UMass Boston
TIMELINE: The Crisis Escalates
🔴 January 2025 — Georgia Tech Vibe Security Radar records 6 CVEs linked to AI coding tools since launch
🟠 February 2025 — Count doubles to 15 confirmed CVEs in a single month
🟡 December 2024–June 2025 — Apiiro documents AI-assisted developers at one Fortune 50 company increasing monthly security findings from ~1,000 to over 10,000
🔴 March 2026 — 35 CVEs in one month. Georgia Tech estimates 400–700 in public repos in total
🚨 January–April 2026 — Sherlock Forensics analyzes AI-generated codebases: 92% have critical vulnerabilities, average 8.3 exploitable findings per app
Vibe Coding: Apps in Production, Users at Risk
Escape.tech scanned 1,400 so-called "vibe-coded" apps — applications built rapidly with minimal human oversight using AI. The findings were stark: 2,038 critical vulnerabilities, over 400 leaked secrets, and 175 instances of exposed personal information, including medical data and financial records. These were not prototypes. They were live in production with real users.
The Sherlock Forensics report from January–April 2026 adds further detail: 78 percent of AI-generated applications store secrets in plaintext or in .env files. 91 percent lack security logging. 88 percent have no rate limiting on authentication. And on average, it takes just 18 days from deployment for an app to face its first exploit attempt.
The Speed Trap: More Output, More Mess
Apiiro analyzed data from a Fortune 50 company between December 2024 and June 2025. AI-assisted developers produced 3–4 times more commits than their non-AI colleagues. Syntax errors dropped by 76 percent. Logic bugs fell by 60 percent. It sounded promising.
But beneath the surface: privilege escalation paths increased by 322 percent. Design flaws rose by 153 percent. Pull request volume fell by nearly a third — not because less work was being done, but because larger PRs with more concentrated problems were being bundled into fewer review cycles.
An Uplevel survey of over 800 developers found that 96 percent are concerned about the reliability of AI-generated code. Even more revealing: 67 percent spend more time debugging after adopting AI tools — not less.
GitClear analyzed over 150 million lines of code and confirmed the trend: in AI-heavy codebases, code churn increases dramatically. AI-written code is modified or deleted far more frequently within the first two weeks than human-written code. It is copy-pasted more often, and maintained less consistently over time.
Slopsquatting: When Hallucinations Become Weapons
One of the stranger consequences of AI code generation is an attack scenario that has been dubbed "slopsquatting." Around 20 percent of all AI-generated code references packages that do not exist — the models hallucinate package names. Attackers are now registering these non-existent package names as malicious libraries, waiting for AI-assisted developers to install them automatically.
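A pre-install check against the slopsquatting pattern just described: flag manifest entries that are absent from the registry (a likely hallucination) or were first published only days ago (a candidate squat of a hallucinated name). This is an added Python illustration, not code from the article or any cited source; the manifest, the registry snapshot with its dates, and the 90-day threshold are constructed.

```python
import re
from datetime import date

# Constructed manifest, as an assistant might emit it. "requestz" and
# "fastjsonparse" are made-up names standing in for hallucinated packages.
REQUIREMENTS = """\
requests==2.31.0          # well-known, long-published
numpy>=1.26
requestz==1.0.2           # registered days ago: candidate squat
fastjsonparse             # not in the registry at all
"""

# Constructed registry snapshot: package name -> date first published.
# A real check would fetch this from the registry's metadata API; the dates
# here are invented so the block runs offline.
REGISTRY_FIRST_SEEN = {
    "requests": date(2015, 1, 1),
    "numpy": date(2015, 1, 1),
    "requestz": date(2026, 3, 30),
}
MIN_AGE_DAYS = 90   # assumed policy: newer packages need manual review

_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    """PEP 503 normalization so 'Fast_JSON.Parse' and 'fast-json-parse' match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list:
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith("-"):      # skip pip options like -r
            continue
        m = _NAME.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def audit(text: str, today_iso: str) -> dict:
    """Map each requirement to 'ok', 'unknown' (hallucination suspect)
    or 'too-new' (possible squat of a hallucinated name)."""
    today = date.fromisoformat(today_iso)
    verdicts = {}
    for name in parse_requirements(text):
        first_seen = REGISTRY_FIRST_SEEN.get(name)
        if first_seen is None:
            verdicts[name] = "unknown"
        elif (today - first_seen).days < MIN_AGE_DAYS:
            verdicts[name] = "too-new"
        else:
            verdicts[name] = "ok"
    return verdicts
```

Wiring this into CI before `pip install` turns a hallucinated name into a build failure instead of a silent install.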
It is no longer just the code that is an attack surface. The tools themselves are too. In 2025, CVEs were documented against Amazon Q, Cursor, and GitHub Copilot's rule file processing — supply chain attacks aimed directly at the AI coding tools that millions of developers rely on daily.
FACTBOX: What the Industry Is Getting Wrong
Most common flaws in AI-generated code (Sherlock Forensics, 2026):
- 78% store API keys and passwords in plaintext
- 91% lack security logging
- 88% have no rate limiting on login endpoints
- 34% contain hallucinated dependencies (Node.js)
- Only 12% implement rate limiting at all
Stanford 2024: Developers using AI assistants were more likely to introduce security vulnerabilities — and more likely to assess insecure code as safe (authority bias).
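The three flaws the factbox counts (plaintext secrets, no security logging, no rate limiting on login), together with the log-injection weakness (CWE-117) from the Veracode figures, addressed in one hardened login handler. This is an added Python illustration, not code from any of the cited reports; the demo user, the environment variable names, the hashing parameters and the throttling thresholds are assumptions.

```python
import hashlib
import hmac
import logging
import os
import time
from collections import defaultdict
from typing import Optional

log = logging.getLogger("auth")

# Constructed credential store: the salt and PBKDF2 hash are read from the
# environment (in production: a secret manager), never from a literal in code.
# The setdefault calls exist only so the block runs offline with the demo user.
os.environ.setdefault("DEMO_USER_SALT", "constructed-salt")
os.environ.setdefault("DEMO_USER_HASH", hashlib.pbkdf2_hmac(
    "sha256", b"correct horse", b"constructed-salt", 100_000).hex())

MAX_FAILURES = 5       # failed attempts allowed per client per window
WINDOW_SECONDS = 300   # sliding window for counting failures
_failures = defaultdict(list)   # client id -> timestamps of recent failures

def sanitize_for_log(value: str) -> str:
    """Replace CR/LF and other non-printable characters so attacker-supplied
    input cannot forge additional log records (CWE-117), and cap the length."""
    return "".join(ch if ch.isprintable() else "?" for ch in value)[:64]

def is_rate_limited(client: str, now: float) -> bool:
    recent = [t for t in _failures[client] if now - t < WINDOW_SECONDS]
    _failures[client] = recent
    return len(recent) >= MAX_FAILURES

def login(client: str, username: str, password: str,
          now: Optional[float] = None) -> str:
    """Return 'ok', 'denied' or 'throttled'; every outcome is logged."""
    now = time.time() if now is None else now
    cli, user = sanitize_for_log(client), sanitize_for_log(username)
    if is_rate_limited(client, now):
        log.warning("login throttled client=%s user=%s", cli, user)
        return "throttled"
    salt = os.environ["DEMO_USER_SALT"].encode()
    expected = bytes.fromhex(os.environ["DEMO_USER_HASH"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if username == "demo" and hmac.compare_digest(candidate, expected):
        _failures[client].clear()
        log.info("login ok client=%s user=%s", cli, user)
        return "ok"
    _failures[client].append(now)
    log.warning("login failed client=%s user=%s", cli, user)
    return "denied"
```

Note that a throttled client is refused even with the correct password until the window expires, which is what makes the limit effective against guessing.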
BOTTOM LINE
The industry has traded quality for speed — and the bill is coming due. AI-generated code is not a future problem that will be solved by the next model generation. It is a present problem already embedded in production systems with real users. The answer is not to stop using AI. It is to stop pretending that AI code is finished code. Thorough review, automated security testing, and human expertise are not optional add-ons — they are mandatory countermeasures.
Verified against 10 open primary sources
Sources: SmartBear (273 software leaders, May 2026) via The Register and ShiftAsia; CodeRabbit (470 GitHub PRs); Veracode (100+ LLMs, 80 tasks); Sherlock Forensics AI Code Security Report (Jan–Apr 2026); IEEE-ISTAS 2025 (USF / Vector Institute / UMass Boston, 400 code samples, 40 iterations); Georgia Tech Vibe Security Radar; Apiiro Fortune 50 analysis (Dec 2024–Jun 2025); GitClear (150M+ lines); Uplevel survey (800+ developers); Escape.tech (1,400 vibe-coded apps); Stanford 2024 (authority bias study)
