Vibe Security Radar


Tracking the security cost of vibe coding

Coverage: May 1, 2025 to Mar 10, 2026

This project is under active development. Data may contain inaccuracies and more vulnerabilities are being analyzed.

Vulnerabilities by Month

[Chart not reproduced: monthly vulnerability counts, one series per tool. Tools tracked: Aider, Atlassian Rovo, Claude Code, Cursor, GitHub Copilot, Google Gemini, Google Jules, Roo Code]

Recent Vulnerabilities

| ID | Severity | Tools | Language | Verified By | Description |
|---|---|---|---|---|---|
| OSV-2026-371 | HIGH | Claude Code, GitHub Copilot | C/C++ | Claude, Gemini, GPT | Heap-buffer-overflow in tinyobj::tryParseDouble |
| GHSA-hfpr-jhpq-x4rm | MEDIUM | Claude Code | TypeScript | Claude, Gemini, GPT | OpenClaw: `operator.write` chat.send could reach admin-only config writes |
| CVE-2026-31862 | CRITICAL | Claude Code | JavaScript | Claude, Gemini, GPT | Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0. |
| CVE-2026-29787 | MEDIUM | Claude Code | Python | Claude, Gemini, GPT | mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.21.0, the /api/health/detailed endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage, and the full database filesystem path. When MCP_ALLOW_ANONYMOUS_ACCESS=true is set (required for the HTTP server to function without OAuth/API key), this endpoint is accessible without authentication. Combined with the default 0.0.0.0 binding, this ex |
| CVE-2026-29067 | HIGH | GitHub Copilot | TypeScript | Claude, Gemini, GPT | ZITADEL is an open source identity management platform. From version 4.0.0-rc.1 to 4.7.0, a potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. This issue has been patched in version 4.7.1. |
| GHSA-g9rg-8vq5-mpwm | HIGH | Claude Code | Python | Claude, Gemini, GPT | mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft |
| CVE-2026-30944 | HIGH | GitHub Copilot | TypeScript | Claude, Gemini, GPT | StudioCMS has Privilege Escalation via Insecure API Token Generation |
| CVE-2026-29609 | HIGH | Claude Code | TypeScript | Claude, Gemini, GPT | OpenClaw affected by denial of service via unbounded URL-backed media fetch |
| CVE-2026-28482 | MEDIUM | Claude Code | TypeScript | Claude, Gemini, GPT | OpenClaw's unsanitized session ID enables path traversal in transcript file operations |
| CVE-2026-28472 | CRITICAL | Claude Code | TypeScript | Claude, Gemini, GPT | OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated |