Saved February 14, 2026
This article analyzes the security of over 20,000 web applications generated by large language models (LLMs). It identifies common vulnerabilities, such as hardcoded secrets and predictable credentials, while highlighting improvements in security compared to earlier AI-generated code.
Vibe coding enables users to create web applications by simply prompting a large language model (LLM). An analysis of over 20,000 such applications revealed that, while security has improved since the early days of AI-generated code, many vulnerabilities persist. Researchers generated these apps using various LLMs, including gpt-5 and Claude Sonnet 4.5, employing a wide range of themes and frameworks to ensure diversity. The generated applications included full-stack solutions and REST APIs, all containerized for deployment.
The most significant security issues identified stem from a reliance on hardcoded secrets, such as JWT signing secrets and database passwords. Many apps reused the same secrets across different models: the value "supersecretkey" alone appeared 1,182 times among the generated applications. Such predictable values pose a risk, because an attacker who guesses one can use it to gain unauthorized access. Despite these vulnerabilities, the manual analysis revealed that many automated security scan alerts were false positives, indicating a marked improvement in the overall security of modern LLM-generated code.
Specific examples illustrate the risks. In the RestoOrder Pro app created by gpt-5, a hardcoded JWT secret made it easy for an attacker to forge authentication tokens and potentially escalate privileges. By decoding the JWT payload, changing the role claim from customer to admin, and re-signing the token with the predictable secret, an attacker could obtain administrative access. This highlights the critical need for developers to avoid hardcoding sensitive information and to adopt better security practices when using AI tools to generate applications.
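As an added illustration of the defender's side of both findings above (this is not code from the article or from any of the generated apps), the following Python pairs a scanner that flags secret-named variables bound to string literals, grading each value against a known-default list, a minimum length and an entropy floor, with a hardened loader that takes the JWT signing secret only from the environment and refuses weak values. The sample source, the default list and the policy thresholds are constructed for this example.

```python
import math
import os
import re
import secrets
from collections import Counter
# Constructed sample of the config an LLM-generated app might emit.
SAMPLE_SOURCE = '''
JWT_SECRET = "supersecretkey"
DB_PASSWORD = "hunter2"
SESSION_KEY = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
ADMIN_API_KEY = os.environ["ADMIN_API_KEY"]
'''
# Known defaults from generated code (the article counts "supersecretkey"); the policy floors are assumed.
KNOWN_DEFAULTS = {"supersecretkey", "secret", "changeme", "your-secret-key"}
MIN_SECRET_LEN, MIN_ENTROPY_BITS = 32, 3.0
# A secret-looking name bound to a quoted literal (Python or JS, optional const/let/var).
ASSIGN_RE = re.compile(
    r'^\s*(?:(?:const|let|var)\s+)?([A-Z][A-Z0-9_]*(?:SECRET|PASSWORD|KEY|TOKEN)[A-Z0-9_]*)'
    r'\s*=\s*["\']([^"\']*)["\']', re.MULTILINE)

def shannon_entropy(value):
    """Bits of entropy per character (0.0 for an empty or single-symbol string)."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0

def weakness(value):
    """Why a secret value fails the policy, or None if it passes."""
    if value.lower() in KNOWN_DEFAULTS:
        return "known default secret"
    if len(value) < MIN_SECRET_LEN:
        return f"shorter than {MIN_SECRET_LEN} characters"
    return "low entropy" if shannon_entropy(value) < MIN_ENTROPY_BITS else None

def find_hardcoded_secrets(source):
    """(name, value, weakness) for every secret-named variable bound to a literal."""
    return [(name, value, weakness(value)) for name, value in ASSIGN_RE.findall(source)]

def load_jwt_secret(env=os.environ, name="JWT_SECRET"):
    """Hardened loader: the signing secret comes from the environment and must pass policy."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; generate one with generate_secret()")
    problem = weakness(value)
    if problem:
        raise ValueError(f"{name} rejected: {problem}")
    return value

def generate_secret():
    """Fresh 48 random bytes as URL-safe base64 (64 characters), fit for HS256 signing."""
    return secrets.token_urlsafe(48)
```

Running `find_hardcoded_secrets` over a generated app's source before deployment, and replacing any literal it reports with `load_jwt_secret`, closes the token-forgery path the RestoOrder Pro example describes.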