AI Code Vulnerability Taxonomy

Unparameterized queries with user input directly concatenated into SQL statements

MongoDB or other NoSQL queries vulnerable to operator injection attacks

Shell commands constructed with unsanitized user input

LDAP queries built with unvalidated external data

API keys, passwords, or tokens embedded directly in source code

No length requirements, complexity rules, or common password checks

Endpoints accessible without proper role or permission verification

Predictable session IDs or tokens stored insecurely

Passwords, tokens, or PII written to application logs

API responses include unnecessary sensitive fields

API keys or credentials exposed in frontend JavaScript

Development endpoints exposing system information left enabled

Using MD5 or SHA-1 for password hashing instead of bcrypt/argon2

Using Math.random() or similar for security-critical operations

Sensitive data stored unencrypted in databases

Weak cipher suites or outdated TLS versions

User input rendered without sanitization or escaping

File paths constructed with unvalidated user input

XML parsers configured to process external entities

Application makes requests to user-controlled URLs

Concurrent operations on shared resources without proper locking

No throttling on authentication or resource-intensive endpoints

Deserializing untrusted data without validation

Payment, discount, or workflow steps that can be skipped

AI generates plausible-looking but non-existent security libraries or methods

Try-catch blocks with empty handlers or generic error messages that leak information

CORS configured with wildcard origins allowing any domain to access APIs

No maximum length constraints on user inputs, enabling DoS attacks