CVE Severity Spike After Claude Mythos Preview Release — Epoch AI Data

By OpenClawRadar. Published: July 4, 2026.

Epoch AI's analysis of publicly disclosed CVEs reveals a dramatic spike in high- and critical-severity vulnerabilities following Anthropic's April 2026 announcement of Claude Mythos Preview. In June 2026, 21 notable organizations — including Microsoft, Google, Apple, AWS, Oracle, Cisco, and others — disclosed approximately 1,500 high- and critical-severity CVEs. That's more than 3.5 times the previous monthly record set before Mythos Preview's release.

Key Findings

  • High- and critical-severity CVEs disclosed in June 2026 came to more than 3.5x the previous monthly record, which was set before Mythos Preview's release.
  • Anthropic's Project Glasswing — whose partners include Microsoft, Google, Apple, and AWS — has already discovered over 10,000 high- or critical-severity vulnerabilities, many not yet publicly disclosed.
  • OpenAI runs a similar effort called Daybreak.
  • Data is drawn from the public CVE repository, filtered to 21 reputable vendors to avoid noise.

Method & Caveats

Epoch filtered CVE.org data to submissions from 21 named organizations (including Microsoft, Google, Apple, Adobe, and Oracle). This avoids capturing low-quality submissions from smaller vendors. The tracked metric is disclosed CVEs; vulnerabilities that have been found but not yet disclosed are not counted. Anthropic claims Glasswing alone has identified over 10k, so the disclosed numbers may be a fraction of total discoveries. The increase could also partly reflect more research interest, not just model capability.
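The filter-and-count step described above can be sketched as follows. This is an added example, not Epoch's code: it assumes records in CVE Record Format 5 shape, assumes vendors are matched on the assigning CNA's short name, assumes scores supplied by an ADP container count, and uses a constructed vendor subset and constructed sample records.

```python
from collections import Counter

# Assumption: a vendor is matched on the short name of the CNA that assigned the
# record. The page does not say how Epoch matched vendors, and this set is a
# constructed subset, not Epoch's list of 21.
TRACKED = {"microsoft", "google", "apple", "adobe", "oracle", "cisco"}
RANK = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")

def worst_severity(record):
    """Highest baseSeverity across the CNA and ADP containers, or None if unscored."""
    c = record.get("containers", {})
    found = [s for block in [c.get("cna", {}), *c.get("adp", [])]
             for m in block.get("metrics", []) for k in CVSS_KEYS
             if (s := str(m.get(k, {}).get("baseSeverity", "")).upper()) in RANK]
    return max(found, key=RANK.index) if found else None

def monthly_high_critical(records):
    """Count published HIGH/CRITICAL records from tracked assigners per YYYY-MM."""
    counts = Counter()
    for r in records:
        meta = r.get("cveMetadata", {})
        if meta.get("state") != "PUBLISHED":
            continue  # rejected or reserved IDs are not disclosures
        if meta.get("assignerShortName", "").lower() not in TRACKED:
            continue  # drop assigners outside the tracked vendor set
        if worst_severity(r) in ("HIGH", "CRITICAL") and meta.get("datePublished"):
            counts[meta["datePublished"][:7]] += 1
    return counts

def sample(org, date, sev, key="cvssV3_1", state="PUBLISHED", adp=False):
    """Build a constructed record in CVE Record Format 5 shape (placeholder data)."""
    metrics = [{key: {"baseSeverity": sev}}]
    cna = {} if adp else {"metrics": metrics}
    return {"cveMetadata": {"cveId": "CVE-PLACEHOLDER", "state": state,
                            "assignerShortName": org, "datePublished": date},
            "containers": {"cna": cna, "adp": [{"metrics": metrics}] if adp else []}}

SAMPLES = [  # constructed records, not real CVE data
    sample("microsoft", "2026-06-03T17:00:00.000Z", "CRITICAL"),
    sample("google", "2026-06-10T09:30:00.000Z", "HIGH", adp=True),  # scored only by an ADP
    sample("cisco", "2026-05-02T16:00:00.000Z", "HIGH", key="cvssV4_0"),
    sample("apple", "2026-05-20T00:00:00.000Z", "MEDIUM"),           # below threshold
    sample("smallvendor", "2026-06-11T00:00:00.000Z", "CRITICAL"),   # untracked assigner
    sample("oracle", "2026-06-15T00:00:00.000Z", "HIGH", state="REJECTED"),
]

if __name__ == "__main__":
    for month, n in sorted(monthly_high_critical(SAMPLES).items()):
        print(month, n)
```

Whether unscored records and ADP-supplied scores are counted changes the monthly totals, so a comparison against a historical record needs the same rule applied to every month.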

Impact for Developers

If you maintain or depend on software from major vendors, expect a wave of high-severity patches. The data suggests AI-assisted vulnerability discovery (both ethical and adversarial) is accelerating the zero-day discovery-to-patch cycle. Keep your dependency scanners updated and prioritize patching critical CVEs from these sources.

📖 Read the full source: HN AI Agents
