Fetching from the wire…
Top 5 · 2026-03-27 · source-backed
Six CVEs in January. Fifteen in February. Thirty-five in March. That's the trajectory of security vulnerabilities directly traced to AI coding tools, tracked by Georgia Tech's Vibe Security Radar project.
Claude Code is responsible for 49 of 74 total CVEs (11 critical). And researcher Hanqing Zhao estimates the real number is 5x to 10x higher, somewhere between 400 and 700 actual cases, because most teams strip AI traces from their code before committing and current detection methods can only catch what's explicitly flagged.
CrowdStrike independently confirmed the scale of the problem: 87% of AI-generated pull requests contain at least one security vulnerability. That's not a typo. Nearly nine out of ten.
I want to sit with that number for a second. If you're using AI to write code, and most of us are, the default output is insecure. Not sometimes. Almost always. The tools are fast and productive and they generate vulnerable code as their baseline behavior. We've been so focused on speed gains that we've been shipping security debt at a rate no human team could match.
This connects directly to today's supply chain story (Story #5). The security tooling designed to catch these vulnerabilities is itself getting compromised. So you've got AI writing vulnerable code faster than ever, security scanners getting backdoored, and the CVE count growing exponentially month over month.
What should builders do? First, stop assuming AI-generated code is "good enough" for production without review. I know the whole point is speed. But the 87% vulnerability rate means your review process is your actual product, not the code the AI writes. Second, run SAST on every AI-generated PR before merge. Tools like Snyk, Semgrep, and the new Harness Secure AI Coding (announced at RSAC this week) specifically target AI-generated code patterns. Third, consider the zero-degrees-of-freedom approach from John Regehr: every AI code change gets validated against executable oracles (test suites, type checkers, sanitizers) before acceptance. If it doesn't pass automated checks, it doesn't ship. Period.
The growth curve is what concerns me most. 6 to 15 to 35 in three months. If that continues, we're looking at 70+ CVEs in April. This isn't a problem that's getting better on its own.
Each link below shares sources, entities, or timing with this story.
Hanqing Zhao works at Georgia Tech / Shared entities / Shared topic / What happened next
Linked by a graph relationship (Hanqing Zhao works at Georgia Tech); both cover CVE, CVEs, February, Fifteen; overlapping topics (ai-generated, code, cves, march, security).
Vibe Security Radar criticizes Claude Code / Shared entities / Shared topic / What happened next
Linked by a graph relationship (Vibe Security Radar criticizes Claude Code); both cover Claude Code, Harness Secure AI Coding, RSAC, Semgrep; overlapping topics (ai-generated, catch, code, coding, security).
Snyk partners with Anthropic / Shared entities / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Snyk partners with Anthropic); both cover CVE, CVEs, February, RSAC; overlapping topics (code, cves, security, tool).