Security News

Cybersecurity news aggregator

INFO News Reddit r/netsec

Our first pentest on a 100% Vibe coded application : analysis & feedback

  • What: Pentest on AI-generated application reveals security flaws
  • Impact: Highlights risks of deploying AI-generated apps without security audits

Mar 24, 2026 | Cyber Services, Red Team

Vibe coding is radically transforming the way applications are developed. Thanks to AI assistants and LLMs, it is now possible to generate a complete application (frontend, backend and API) simply by describing the functional intent. This approach means that prototypes can be produced in a matter of hours instead of weeks.

The product: the application tested was 100% vibe coded with Claude’s Opus 4.6. It took the developer two weeks to generate a finished product that was both ergonomic and aesthetically pleasing. The developer had even asked Claude to carry out a pentest, which had already revealed a number of flaws of varying severity.

But a key question arises for cybersecurity teams: what happens when these AI-generated applications go into production without a security audit?

To answer this question, we carried out a pentest of an entire web application, in a grey-box context, with standard user access. The results are instructive: several critical vulnerabilities were identified on the first day, including:

These vulnerabilities illustrate a key point: AI-generated code is often perfectly functional, but rarely secure by default. In this article, we analyze the main vulnerabilities discovered and the lessons to be learned for CISOs and DevSecOps teams.

The security test was carried out in a “grey-box web application pentest” context. This means that:

The aim was to reproduce the behavior of an external attacker. The methodology used is based on:

Tools used:

This approach makes it possible to identify both:

The most critical vulnerability discovered during the pentest is a Local File Inclusion (LFI). This vulnerability allows an attacker to access sensitive files on the server. In the application analyzed, a user-controlled parameter was passed directly to the code that loads files from the filesystem.

Here is the equivalent vulnerable code:

The “full_path” parameter was not correctly filtered, so an attacker could use a “path traversal” attack. For example:
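As an added example (not code from the article or from the tested application, which the excerpt does not show): the unsafe pattern described above, a user-controlled full_path joined onto a directory and opened as-is, beside a hardened loader that resolves the path first and refuses anything outside one allowed directory. Python, the uploads directory and the file names are assumptions made for the demonstration.

```python
import os
import tempfile


def read_file_vulnerable(base_dir: str, full_path: str) -> bytes:
    """Vulnerable pattern: join and open. '../' segments climb out of
    base_dir, and an absolute full_path makes os.path.join ignore base_dir."""
    with open(os.path.join(base_dir, full_path), "rb") as fh:
        return fh.read()


def read_file_safe(base_dir: str, full_path: str) -> bytes:
    """Hardened: resolve '..' and symlinks first, then require that the
    result still lies inside base_dir before touching the filesystem."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, full_path))
    # commonpath compares whole path components, so a sibling such as
    # 'uploads_evil' is not mistaken for a child of 'uploads' the way a
    # plain startswith() check would be.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes allowed directory: {full_path!r}")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed sandbox (assumption, not the tested app): an 'uploads'
    directory with one allowed file and a sibling secret that must stay
    unreachable. Returns what each loader did."""
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "uploads")
    os.mkdir(base)
    with open(os.path.join(base, "report.txt"), "wb") as fh:
        fh.write(b"public report")
    with open(os.path.join(tmp, "secret.txt"), "wb") as fh:
        fh.write(b"private")
    results = {"normal": read_file_safe(base, "report.txt")}
    # the unsafe loader follows '../' straight to the sibling file
    results["vuln_leaks"] = read_file_vulnerable(base, "../secret.txt")
    try:
        read_file_safe(base, "../secret.txt")
        results["safe_blocked"] = False
    except PermissionError:
        results["safe_blocked"] = True
    try:
        read_file_safe(base, os.path.join(tmp, "secret.txt"))  # absolute path
        results["absolute_blocked"] = False
    except PermissionError:
        results["absolute_blocked"] = True
    return results
```

The same containment check belongs in any handler that maps a request parameter to a file, and an allow-list of expected file names is stricter still when the set of loadable files is known.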
