AI systems are beginning to change how software flaws are found, reported and fixed. A sharp rise in disclosed security vulnerabilities suggests that automated bug hunting is no longer a theoretical use case. It is already showing up in public vulnerability reporting.
According to Epoch AI, June 2026 saw an unusually large surge in high-severity and critical vulnerability reports. The timing follows the arrival of AI programs designed to find software bugs, including Anthropic's Claude Mythos Preview and OpenAI's "Daybreak" program.
A record month for reported CVEs
In June 2026, 21 organizations reported about 1,500 high-severity and critical vulnerabilities, also known as CVEs. That figure was more than 3.5 times the previous monthly record.
The source describes this as a massive spike in reported security vulnerabilities. The important point is not only the size of the number, but the type of reports involved. These were high-severity and critical vulnerabilities, meaning the disclosed issues were not presented as minor findings.
Epoch AI says the increase reflects a wave of AI-driven discoveries. Based on the source, the spike is being interpreted as part of a broader change in how software vulnerabilities are being uncovered.
Why AI vulnerability discovery matters
Traditional vulnerability reporting depends on people, organizations and security processes finding flaws and turning them into public reports. AI bug hunting changes the pace of that workflow because models can be used to search for software vulnerabilities on their own.
The source links the June 2026 surge to recent AI-assisted security work. Anthropic announced in April that Claude Mythos Preview can find software vulnerabilities on its own. According to Anthropic, trusted partners were already using the model to find and fix bugs before its release.
That matters because the public reporting spike may not represent a sudden decline in software quality. It may instead show that more hidden issues are being discovered and prepared for disclosure. The source does not say which interpretation is complete, but it does connect the jump to AI-driven discoveries.
Anthropic's role in the surge
Anthropic's "Glasswing" program is one of the clearest examples named in the source. It has reportedly uncovered more than 10,000 high-severity or critical vulnerabilities so far.
Some of those vulnerabilities have not been published yet. That detail is important because it suggests the visible June 2026 CVE surge may not show the full scale of AI-assisted security discovery. If additional findings remain unpublished, the public record may still be catching up with work already done by AI systems and trusted partners.
Claude Mythos Preview is described as a model that can find software vulnerabilities on its own. The source does not provide technical details about how the model works, but it does make clear that Anthropic connected the model to practical bug-finding before release.
OpenAI's "Daybreak" program is also in view
The source also says OpenAI's "Daybreak" program is likely adding to the surge. No additional figures are provided for "Daybreak," so the safest conclusion is narrow: it is named as another AI-driven effort that may be contributing to the increase in reported vulnerabilities.
Taken together, the named programs point to a broader pattern. AI models are being used not just to discuss code or assist developers, but to identify security vulnerabilities that can become formal CVE reports.
- Epoch AI charted the spike in reported security vulnerabilities.
- June 2026 reached about 1,500 high-severity and critical CVEs from 21 organizations.
- Anthropic's Claude Mythos Preview can find software vulnerabilities on its own.
- Anthropic's "Glasswing" program has reportedly uncovered more than 10,000 high-severity or critical vulnerabilities so far.
- OpenAI's "Daybreak" program is likely contributing as well.
The near-term implication for security teams
The immediate implication is that vulnerability management may need to deal with a higher volume of serious reports. If AI models continue to uncover flaws at this pace, organizations may see more disclosures, more triage work and more pressure to fix issues quickly.
The source does not say how many of the June 2026 reports came from any single model or program. It also does not say how many unpublished vulnerabilities may eventually become public CVEs. What it does show is a strong connection between new AI bug-hunting systems and an unusually large month for high-severity and critical vulnerability reporting.
For the software industry, the core question is practical. AI vulnerability discovery can surface bugs that need repair, but the value depends on how quickly those findings become fixes. The June 2026 numbers suggest the discovery side is accelerating. The next challenge is whether reporting and remediation workflows can keep up.