Severe cybersecurity vulnerability disclosures (CVEs) spiked in 2026. In June, notable organizations published around 1,500 high- and critical-severity CVEs — more than 3.5× the monthly record prior to Mythos’ release.
The spike follows Anthropic’s April announcement that Claude Mythos Preview could autonomously discover software vulnerabilities, and that the company’s Project Glasswing partners — including Microsoft, Google, Apple, and AWS — had been using it to find and fix bugs ahead of the model’s public release. Since its commencement, Project Glasswing claims to have found over 10,000 high- or critical-severity vulnerabilities, many of which have yet to be individually disclosed. Similar efforts have been undertaken by OpenAI with their Daybreak product.
Data: Monthly high- and critical-severity CVEs from 21 notable organizations in CSV format.
Source: Epoch AI.

