Epoch AI · 2026-07-02 · major
Epoch AI — CVE severity spike after Claude Mythos Preview
Epoch AI shows serious CVE disclosures from 21 major vendors jumped to about 1,500 high- or critical-severity fixes in June 2026, more than 3.5 times the pre-Mythos monthly record.

Epoch AI tracks a 3.5× jump in serious CVE fixes at 21 top vendors after Anthropic put Claude Mythos on autonomous vulnerability hunting.
Quick facts
| Publisher | Epoch AI |
|---|---|
| Published | 2026-07-02 |
| Signal tracked | High/critical CVE fixes from 21 major vendors |
| June 2026 volume | ~1,500 fixes |
| Vs prior monthly record | More than 3.5× |
| Anthropic Project Glasswing claim | 10,000+ high/critical vulns found |
What is it?
'CVE severity spike' is a data-insights post by Epoch AI arguing that Anthropic's Claude Mythos Preview and its Project Glasswing vulnerability effort are visible in the world's CVE feeds. Epoch's team counted high- and critical-severity CVE fixes from 21 vendors — Microsoft, Google, Apple, Adobe, Oracle, Cisco, IBM and peers — from 2024 into June 2026 and charted the monthly totals.
How does it work?
The chart focuses on 21 notable organizations to filter out low-signal advisories, and only counts high- and critical-severity fixes. Against that baseline, June 2026 stands out: about 1,500 fixes disclosed in a single month — more than 3.5 times the previous record — arriving right as Anthropic ramped Mythos-based vulnerability discovery through Project Glasswing.
Why does it matter?
Epoch AI's read is that AI-assisted vulnerability finding has broken out of internal reports and into public CVE feeds, which changes the workload for every defender and vendor downstream. If Project Glasswing already found 10,000+ serious bugs and most are still undisclosed, June's spike is likely the leading edge of a sustained wave of patch traffic.
Who is it for?
Security teams, vendor PSIRTs, policy watchers, AI safety researchers
Frequently asked questions
- What does Epoch AI's CVE severity spike analysis actually measure?
- Epoch AI counted high- and critical-severity CVE fixes disclosed by 21 notable vendors — Microsoft, Google, Apple, Adobe, Oracle, Cisco, IBM and peers — from January 2024 through June 2026, then charted the monthly totals against the release timing of Claude Mythos Preview and Anthropic's Project Glasswing vulnerability-hunting effort.
- How big is the June 2026 CVE spike Epoch AI found?
- Epoch AI reports around 1,500 high- or critical-severity CVE fixes across those 21 vendors in June 2026 — more than 3.5 times the previous monthly record. Prior peaks in the same cohort sat well under 500 per month, so the June bar dwarfs every earlier month in the analyzed window.
- Is Claude Mythos causing the CVE surge?
- Epoch AI does not claim direct causation — it flags the timing correlation with Anthropic's April 2026 Mythos vulnerability-detection announcement and the Project Glasswing effort, which Anthropic says has already found more than 10,000 high- or critical-severity vulnerabilities. Many of those, per the piece, remain undisclosed.
- Why does the CVE spike matter for AI users?
- Epoch AI's data insight is one of the first outside measurements that AI-assisted vulnerability hunting is showing up in official CVE feeds, not just internal reports. That reframes the debate around Mythos-class safeguards: defenders and vendors have to plan for a sustained surge in serious patch flow, not a one-off event.
Try it
Read the Epoch data insight: https://epoch.ai/data-insights/cve-severity-spike