Blog
Application Security

What happens when AI codes from vulnerable code

Eric Dupré
5
min read

We often hear that AI coding assistants improve software quality. But what happens when the code they learn from is already insecure?

To find out, I ran a simple experiment. I built a small application and intentionally left six well-known vulnerabilities (SQL injection, XSS, open redirect, and more). Then I used an AI coding assistant in “vibe coding” mode to add a new feature—without giving it any security instructions—to see whether it would fix the issues… or simply repeat them like a parrot.

You will find the results and the prompts I used in the video below:

Share this post

Checkout our latest post

Keep up with the latest videos, podcasts and research from Glev

A 7-step method to scale application security: cut false positives, prioritize by real risk, and remediate at the speed of AI-written code.
Rodolphe Mas
June 18, 2026
15
min read
500,000 alerts a year, under 5% actionable: the real AppSec crisis isn't detection, it's remediation. Our white paper breaks down the state of play.
Rodolphe Mas
May 21, 2026
15
min read
How and why Marc moved from software engineering to a security role, as an AppSec Engineer, in an Enterprise Software company
Rodolphe Mas
April 23, 2026
8
min read

Don't just find security issues in your code. Fix them for good.

Traditional code scanners stop at detection.
Glev goes further—investigating every issue in your code context, building agile remediation plans, and eliminating the security debt that holds teams back.