New serious vulnerabilities spiked around release of Claude Mythos Preview


Disclosed CVEs: 3.5× Spike After Claude Mythos | Epoch AI

Data Insight, Jul. 2, 2026

Disclosure of serious cyber vulnerabilities spiked around the release of Claude Mythos Preview


By Luke Emberson

Severe cybersecurity vulnerability disclosures (CVEs) spiked in 2026. In June, notable organizations published around 1,500 high- and critical-severity CVEs — more than 3.5× the monthly record prior to Mythos’ release.


The spike follows Anthropic’s April announcement that Claude Mythos Preview could autonomously discover software vulnerabilities, and that the company’s Project Glasswing partners — including Microsoft, Google, Apple, and AWS — had been using it to find and fix bugs ahead of the model’s public release. Since its commencement, Project Glasswing claims to have found over 10,000 high- or critical-severity vulnerabilities, many of which have yet to be individually disclosed. Similar efforts have been undertaken by OpenAI with their Daybreak product.

Epoch's work is free to use, distribute, and reproduce provided the source and authors are credited under the Creative Commons BY license.

Learn more about this graph

In April 2026, Anthropic announced that its latest internal model (Claude Mythos Preview) was capable of autonomous cybersecurity vulnerability discovery and exploitation. Since then, both Anthropic and OpenAI have launched efforts to use frontier models to harden critical software before malicious actors are able to use the same models for harm.

We show that the number of Common Vulnerabilities and Exposures (CVEs) jumped significantly following these announcements. Compared to the previous monthly record before the Mythos Preview announcement, the number of high- and critical-severity vulnerabilities increased more than 3.5x in June.

Data

Our Cyber Vulnerability Reports hub visualizes data from cve.org, a public repository of CVE reports from software companies and third-party security researchers. We focus our analysis on CVEs reported by 21 notable organizations to avoid capturing noisy submissions from less reputable sources. These notable organizations include:

Microsoft · Google · Apple · Adobe · Oracle · Cisco · IBM · Red Hat · Intel · AMD · NVIDIA · Qualcomm · Samsung · SAP · Amazon (AWS) · VMware (Broadcom) · GitHub (own products) · Linux · Mozilla · Apache · OpenSSL
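The counting described in this section can be sketched as follows. This is an added example, not Epoch AI's code: it assumes organizations are matched on the CNA short name (the page does not say how records are mapped to the 21 organizations), uses field names from the CVE Record Format 5.x, and runs on constructed records with illustrative short names and an April 2026 cutoff taken from the announcement date above.

```python
from collections import Counter

# Assumption: match on CNA short name; these three names are illustrative only.
NOTABLE = {"microsoft", "apple", "mozilla"}
SERIOUS = {"HIGH", "CRITICAL"}
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")  # metric keys in CVE Record Format 5.x
RANK = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE")

def severity(record):
    """Highest baseSeverity across the CNA container's CVSS metrics, or None."""
    metrics = record.get("containers", {}).get("cna", {}).get("metrics", [])
    found = {m.get(k, {}).get("baseSeverity", "").upper() for m in metrics for k in CVSS_KEYS}
    return next((level for level in RANK if level in found), None)

def monthly_serious_counts(records):
    """Count published high/critical CVEs from listed organizations per YYYY-MM."""
    counts = Counter()
    for rec in records:
        meta = rec.get("cveMetadata", {})
        if meta.get("state") != "PUBLISHED":
            continue  # rejected records are not disclosures
        if meta.get("assignerShortName", "").lower() not in NOTABLE:
            continue  # drop submissions from sources outside the list
        if severity(rec) in SERIOUS:
            counts[meta["datePublished"][:7]] += 1
    return counts

def spike_ratio(counts, month, cutoff):
    """Count for `month` divided by the monthly record set strictly before `cutoff`."""
    prior = [n for m, n in counts.items() if m < cutoff]
    return counts[month] / max(prior) if prior else None

def _rec(org, published, sev, state="PUBLISHED", key="cvssV3_1"):
    """Build a minimal constructed record (not real CVE data)."""
    metrics = [{key: {"baseSeverity": sev}}] if sev else []
    return {"cveMetadata": {"state": state, "assignerShortName": org,
                            "datePublished": published},
            "containers": {"cna": {"metrics": metrics}}}

# Constructed sample: 1 serious CVE in January, 2 in February, 7 in June.
SAMPLE = [
    _rec("microsoft", "2026-01-13T08:00:00Z", "HIGH"),
    _rec("apple", "2026-01-20T08:00:00Z", "MEDIUM"),            # below threshold
    _rec("microsoft", "2026-02-10T08:00:00Z", "CRITICAL"),
    _rec("mozilla", "2026-02-11T08:00:00Z", "HIGH", key="cvssV4_0"),
    _rec("unlisted-cna", "2026-02-12T08:00:00Z", "CRITICAL"),   # not on the list
    _rec("apple", "2026-06-02T08:00:00Z", "HIGH", state="REJECTED"),
    _rec("apple", "2026-06-03T08:00:00Z", None),                # no CVSS score yet
    *[_rec("apple", f"2026-06-{d:02d}T08:00:00Z", "HIGH") for d in range(10, 17)],
]
```

Records with no CVSS metric are excluded here, so a count built this way can lag for recent months until scores are added.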

Assumptions and limitations

Our figures come from publicly disclosed vulnerabilities and do not include vulnerabilities that have been discovered but not publicly disclosed. Anthropic claims that their Project Glasswing alone has identified over 10,000 high- and critical-severity vulnerabilities.

While some of the increase in observed vulnerability disclosure is almost certainly due to increased feasibility of discovery, the spike may also be caused in part by an increase in the amount of interest in discovering bugs.

Download this data: Monthly high- and critical-severity CVEs from 21 notable organizations (CSV, updated Jul. 2, 2026)


Epoch AI’s work is free to use, distribute, and reproduce provided the source and authors are credited under the Creative Commons Attribution license.

Citation

Luke Emberson (2026), "Disclosure of serious cyber vulnerabilities spiked around the release of Claude Mythos Preview". Published online at epoch.ai. Retrieved from 'https://epoch.ai/data-insights/cve-severity-spike' [online resource]. Accessed 3 Jul 2026.

BibTeX Citation

@misc{epoch2026cveseverityspike,
  title={Disclosure of serious cyber vulnerabilities spiked around the release of Claude Mythos Preview},
  author={Luke Emberson},
  year={2026},
  url={https://epoch.ai/data-insights/cve-severity-spike},
  note={Accessed: 2026-07-03}
}
