AppSec Weekly Content Briefing
January 21, 2026

AI Coding Tools Systematically Ship Security Flaws Your Scanner Won't Find | Jan 15-21

Big Picture

69 vulnerabilities across 5 AI coding platforms. Zero detected by traditional scanners. Three enterprise AI tools compromised by prompt injection—same week.

AI coding assistants ship vulnerabilities faster than security teams find them.

Tenzai's December 2025 testing ran identical prompts through Claude Code, Cursor, Windsurf, Replit, and Devin. Across the five tools, the generated applications contained 69 vulnerabilities, 6 of them critical. The pattern? AI avoids generic mistakes but fails at authorization and business logic. Understanding what the app should do, not just what it does, is not AI's strong suit.

Meanwhile, AI tools became attack targets. Google Gemini leaked calendar data through weaponized meeting invites. Microsoft Copilot sessions were hijacked via single-click phishing. Three CVEs in Anthropic's Git MCP server affected Claude Desktop, Cursor, and Windsurf.

Same week. Different vectors.

TL;DR

Tenzai tested all 5 major AI coding platforms—69 vulnerabilities across 15 applications. Business logic and authorization flaws dominate.
Three attacks on enterprise AI tooling in one week: Google Gemini calendar theft and Microsoft Copilot session hijacking via prompt injection, plus three CVEs in Anthropic's Git MCP server.
CIRCL launched db.gcve.eu, a decentralized vulnerability database with 25+ data sources.
This week: 155+ vulnerabilities disclosed | 6 actively exploited | $111.5M in AppSec funding

AI Coding Assistants Generate Critical Business Logic Flaws

Tenzai's December 2025 research tested identical prompts through Claude Code, Cursor, Windsurf, Replit, and Devin. 69 vulnerabilities across 15 test applications. Six critical. Business logic and authorization failures dominated—not SQL injection, not XSS.

AI tools avoid basic SQL injection. They escape outputs properly. They fail at context-dependent decisions: rejecting negative quantities or prices in an e-commerce checkout, checking that the caller owns the object it requests (IDOR), and verifying that admin-only endpoints actually require an admin role.

Traditional SAST matches generic sink patterns, the same ones AI output already avoids. A missing ownership or role check has no dangerous sink to match, so authorization bypass and business logic failures still require human review, or tests written against the intended policy. New Sonar data (January 2026): 96% of developers distrust AI-generated code, yet only 48% consistently verify it before committing.
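The three flaw classes named above, each beside its fix, as an added example. This is illustrative code written for this briefing, not output from any of the tested assistants and not code from Tenzai's study; the in-memory users, orders, prices and the `probe` helper are constructed. Note that none of the vulnerable functions contains a SQL string, a shell call or any other sink a pattern-based scanner keys on, which is exactly why they pass quietly.

```python
"""Authorization and business-logic flaws beside their fixes (added example).

Constructed sample data throughout; no framework is used so it runs stand-alone.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample data: prices in cents, orders keyed by id.
PRICES = {"sku-1": 1999, "sku-2": 500}
ORDERS = {
    101: {"owner": 1, "total": 1999},
    102: {"owner": 2, "total": 500},
}
USERS = {1: User(1, "user"), 2: User(2, "user"), 9: User(9, "admin")}


# 1. Business logic: the client chooses quantities, nothing rejects negatives.
def vulnerable_checkout(cart: dict[str, int]) -> int:
    # Trusts whatever quantity arrives; a negative line item becomes a credit.
    return sum(PRICES[sku] * qty for sku, qty in cart.items())


def hardened_checkout(cart: dict[str, int]) -> int:
    total = 0
    for sku, qty in cart.items():
        if sku not in PRICES:
            raise BadRequest(f"unknown sku {sku}")
        if not isinstance(qty, int) or qty <= 0:
            raise BadRequest(f"invalid quantity for {sku}")
        total += PRICES[sku] * qty
    if total <= 0:
        raise BadRequest("non-positive total")
    return total


# 2. IDOR: the order id comes from the URL and ownership is never compared.
def vulnerable_get_order(caller: User, order_id: int) -> dict:
    return ORDERS[order_id]


def hardened_get_order(caller: User, order_id: int) -> dict:
    order = ORDERS.get(order_id)
    # Same response for "missing" and "not yours" so the endpoint is not an
    # enumeration oracle; admins may read any order.
    if order is None or (order["owner"] != caller.id and caller.role != "admin"):
        raise Forbidden("order not found")
    return order


# 3. Admin endpoint: the route is called /admin but nothing checks the role.
def vulnerable_list_users(caller: User) -> list[int]:
    return sorted(USERS)


def hardened_list_users(caller: User) -> list[int]:
    if caller.role != "admin":
        raise Forbidden("admin only")
    return sorted(USERS)


def probe(fn, *args):
    """Return the call's value, or the exception class name if it refused."""
    try:
        return fn(*args)
    except (Forbidden, BadRequest) as exc:
        return type(exc).__name__


def run_probes() -> dict[str, tuple]:
    """Run each attack against the vulnerable and hardened handler as user 1."""
    alice = USERS[1]
    negative_cart = {"sku-1": 1, "sku-2": -4}  # 1999 - 2000 = -1 cent "total"
    return {
        "negative_total": (probe(vulnerable_checkout, negative_cart),
                           probe(hardened_checkout, negative_cart)),
        "idor": (probe(vulnerable_get_order, alice, 102),
                 probe(hardened_get_order, alice, 102)),
        "admin_bypass": (probe(vulnerable_list_users, alice),
                         probe(hardened_list_users, alice)),
    }


if __name__ == "__main__":
    for name, (before, after) in run_probes().items():
        print(f"{name:15s} vulnerable={before!r:<32} hardened={after!r}")
```

The hardened versions are the tests you want in the pipeline: each one encodes a policy statement ("quantities are positive", "a user reads only their own orders", "this route needs the admin role") that a reviewer can check against the spec, which is the work no scanner does for you.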

Takeaways

Your scanner catches SQL injection. It misses "this endpoint should require admin but doesn't." Only 48% of developers consistently verify AI-generated code before committing. Audit authorization logic in AI-generated code manually, and write tests that assert the policy (who may call what, with which values) rather than only the happy path.

Prompt Injection Hits Three Enterprise AI Platforms

Three incidents proved prompt injection is operational, not theoretical.

Google Gemini Calendar Theft: Miggo Security researchers demonstrated weaponized calendar invites carrying hidden instructions. When a user asks Gemini about their schedule, it parses the malicious event and creates new calendar entries containing private meeting summaries that the attacker can read. Google has patched the issue, confirming the vector.

Microsoft Copilot Reprompt Attack: Varonis researchers disclosed single-click session hijacking. "Double-request" bypasses initial safeguards; "chain-request" maintains persistent exfiltration. Real instructions hide in server follow-up requests, not the starting prompt. Fixed January 14.

Anthropic Git MCP Server CVEs: Three vulnerabilities affecting Claude Desktop, Cursor, and Windsurf. CVE-2025-68143 allowed Git repository creation in arbitrary filesystem paths. CVE-2025-68145 bypassed path validation. Patches are available. Unlike the first two incidents, these are argument-validation bugs in the tool server; they belong in this section because a model steered by injected content is what supplies the attacker-chosen path, so the server's own checks are the last line of defense.
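Path containment is the check this class of bug comes down to, so here is an added example of getting it wrong and getting it right for a tool that accepts a repository path from the model. This is not the patched code from the Anthropic Git MCP server and makes no claim about how those CVEs were introduced or fixed; the directory layout, the symlink, the naive prefix check and `gated_git_init` are all constructed for illustration.

```python
"""Path-containment check for a model-supplied filesystem path (added example).

The layout under a temporary directory, the attacker-planted symlink and the
candidate paths are constructed; nothing here is taken from any MCP server.
"""
import os
import shutil
import tempfile


def naive_is_inside(root: str, candidate: str) -> bool:
    # The usual first attempt: a string-prefix test on the raw argument.
    # Passes "..", a sibling directory that shares the prefix, and symlinks.
    return candidate.startswith(root)


def safe_is_inside(root: str, candidate: str) -> bool:
    # Resolve symlinks and ".." on both sides, then require the resolved root
    # to be a path-component prefix of the resolved candidate. commonpath works
    # on components, so "/repos_evil" is not inside "/repos".
    real_root = os.path.realpath(root)
    real_cand = os.path.realpath(candidate)
    try:
        return os.path.commonpath([real_root, real_cand]) == real_root
    except ValueError:  # mixed absolute/relative paths or different drives
        return False


def gated_git_init(root: str, repo_path: str, check=safe_is_inside) -> str:
    """Only honour a model-supplied repo path that stays under root.

    Returns the resolved path that would be handed to `git init`; the actual
    git call is left out so the example runs without touching git.
    """
    if not check(root, repo_path):
        raise PermissionError(f"refusing to create repository at {repo_path!r}")
    return os.path.realpath(repo_path)


def run_cases() -> dict[str, tuple[bool, bool]]:
    """Return {case: (naive_verdict, safe_verdict)} over a constructed layout."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "repos")       # the directory the tool may write to
    outside = os.path.join(tmp, "secrets")  # anything here must stay unreachable
    os.makedirs(root)
    os.makedirs(outside)
    # A symlink the attacker could have planted inside the allowed tree.
    os.symlink(outside, os.path.join(root, "link"))
    cases = {
        "honest": os.path.join(root, "project"),
        "dotdot": os.path.join(root, "..", "secrets", "x"),
        "sibling_prefix": root + "_evil/project",
        "symlink_escape": os.path.join(root, "link", "x"),
    }
    verdicts = {name: (naive_is_inside(root, p), safe_is_inside(root, p))
                for name, p in cases.items()}
    shutil.rmtree(tmp)
    return verdicts


if __name__ == "__main__":
    for name, (naive, safe) in run_cases().items():
        print(f"{name:15s} naive_allows={naive!s:<5} safe_allows={safe}")
```

Two details matter in practice: resolve the root as well as the candidate (the root may itself be a symlink, as temporary directories often are), and do the check on the final resolved path at the moment of use, because a symlink can be swapped in between validation and the write.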

Takeaways

Your AI tools have API access you didn't explicitly grant. Map every connector this week.

CIRCL Launches GCVE Vulnerability Database

CIRCL launched db.gcve.eu on January 7 with 25+ data sources and a decentralized GNA (Global Numbering Authority) model.

The launch followed the near-lapse of the US CVE program in April 2025, when a funding dispute involving DOGE and MITRE threatened a global blackout of vulnerability data. MITRE faced the cancellation of over $28 million in contracts. That episode demonstrated the single-point-of-failure risk in global vulnerability tracking.

The database aggregates data from European national CSIRTs, vendor advisories, and research organizations. Unlike CVE's centralized model, each GNA manages its own namespace, and the GNA number is part of the identifier: GNA 0 mirrors the CVE list, so GCVE-0-2026-0101 is the same entry as CVE-2026-0101, while IDs from other GNAs are separate records that may or may not cross-reference a CVE. Security tools built on CVE identifiers now face multi-database normalization. If a scanner reports CVE-2026-0101 and GCVE-1-2026-505 for the same library, vulnerability management platforms must reconcile the two identifiers rather than open two tickets.
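One way to do that reconciliation, as an added example rather than CIRCL's or any scanner vendor's code. It relies on two format facts: CVE IDs are CVE-year-sequence with a sequence of at least four digits, and GCVE IDs are GCVE-gna-year-id, where GNA 0 is reserved for the CVE programme so GCVE-0 entries collapse onto their CVE. The `ALIASES` table and the `FINDINGS` list are constructed sample data; in a real pipeline the alias links come from the GCVE record or your vulnerability-intelligence feed, not from a hand-written dictionary.

```python
"""Normalise CVE and GCVE identifiers so one flaw yields one ticket (added example).

ALIASES and FINDINGS are constructed sample data.
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d+)$")

# Constructed: cross-references a feed might carry for non-CVE GNAs.
ALIASES = {
    "GCVE-1-2026-505": "CVE-2026-0101",
}


def canonical_id(raw: str) -> str:
    """Map any accepted identifier to a single canonical key.

    GCVE-0-* collapses onto CVE-*; other GNAs keep their own namespace unless
    ALIASES links them to a CVE. Unrecognised formats raise rather than pass
    through silently, so a malformed id cannot create a phantom ticket.
    """
    ident = raw.strip().upper()
    if m := CVE_RE.match(ident):
        return f"CVE-{m.group(1)}-{m.group(2)}"
    if m := GCVE_RE.match(ident):
        gna, year, num = m.groups()
        if gna == "0":
            # Zero-padded to the four-digit minimum a CVE sequence has.
            return f"CVE-{year}-{int(num):04d}"
        key = f"GCVE-{int(gna)}-{year}-{int(num)}"
        return ALIASES.get(key, key)
    raise ValueError(f"unrecognised identifier: {raw!r}")


def reconcile(findings: list[dict]) -> dict[str, dict]:
    """Group scanner findings by canonical id, keeping every source id seen."""
    merged: dict[str, dict] = defaultdict(
        lambda: {"source_ids": set(), "components": set(), "scanners": set()}
    )
    for f in findings:
        key = canonical_id(f["id"])
        merged[key]["source_ids"].add(f["id"])
        merged[key]["components"].add(f["component"])
        merged[key]["scanners"].add(f["source"])
    return dict(merged)


# Constructed findings: two scanners report the same library three ways.
FINDINGS = [
    {"id": "CVE-2026-0101", "component": "libfoo 1.2.3", "source": "scanner-a"},
    {"id": "GCVE-0-2026-0101", "component": "libfoo 1.2.3", "source": "scanner-b"},
    {"id": "GCVE-1-2026-505", "component": "libfoo 1.2.3", "source": "scanner-b"},
    {"id": "GCVE-1-2026-777", "component": "libbar 0.9", "source": "scanner-b"},
]

if __name__ == "__main__":
    for key, info in reconcile(FINDINGS).items():
        print(key, sorted(info["source_ids"]), sorted(info["scanners"]))
```

Keep the original identifiers on the merged record; auditors and vendor advisories will reference whichever one they know, and you want to find the ticket from either.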

Takeaways

Add GCVE to your vuln intel sources now. NIS2 compliance may require it soon. CVE-only tooling means gaps—and duplicate tickets when the same vuln has two IDs.

$111.5M in AppSec Funding Signals Consolidation Pressure

Aikido Security raised $60M at a $1B valuation. The two-year-old startup positions itself around "self-securing software" and continuous pentesting. Novee emerged from stealth with $51.5M for AI-powered vulnerability discovery.

CrowdStrike's acquisition spree continues. Seraphic Security joins its portfolio for ~$420M, extending into browser security, after the $740M SGNL acquisition added identity security. Separately, Anthropic granted $1.5M to the Python Software Foundation for PyPI security automation.

The World Economic Forum reports 94% of executives identify AI as their most significant cybersecurity change driver. 87% say AI-related risks increased faster than any other category in 2025.

Takeaways

$1B valuations mean aggressive sales motions incoming. Demand production evidence, not platform promises. Some vendors won't survive consolidation.

Vulnerabilities in the Wild

FortiSIEM CVE-2025-64155: Public exploit code released for a critical command injection (CVSS 9.4) giving unauthenticated RCE. Fortinet has 23 CVEs on CISA's KEV list. Patch immediately.

Node.js async_hooks: Critical vulnerability crashes servers via stack overflow, a DoS affecting popular frameworks. Update immediately.

ServiceNow BodySnatcher: AI agent impersonation flaw (CVE-2025-12420) enables authentication bypass. First major AI agent impersonation vulnerability in enterprise SaaS.

VoidLink Malware: First confirmed AI-developed malware. Check Point's analysis found leaked planning documents showing LLM-assisted development; a solo developer compressed sophisticated malware creation from months to days.

Your Curated Weekly Reading List

From Pixee
- What Security Leaders Learned in 2025 – 10 expert perspectives on where AppSec is heading

Technical Deep Dives
- Weaponized Invite Enabled Calendar Data Theft via Google Gemini – Miggo Security's prompt injection research
- Three vulnerabilities in Anthropic Git MCP Server – CVE details affecting Claude Desktop, Cursor, Windsurf

Strategic
- GCVE Database Launch Announcement – CIRCL's official db.gcve.eu launch
- Global Cybersecurity Outlook 2026 – WEF report: 94% of executives cite AI as top security change driver

Market Intelligence
- Aikido Security Raises $60M at $1B Valuation – "Self-securing software" category gains a unicorn

Looking to Stay Up to Date with All Things AppSec?

Subscribe to the Weekly AppSec Briefing and never miss a thing.