Georgia Tech's Vibe Security Radar Tracks 74 CVEs Directly Caused by AI Coding Tools, Warns True Count Is 5-10x Higher
Researchers at Georgia Tech have documented 74 confirmed CVEs directly introduced by AI coding tools like Claude Code, with 35 disclosed in March 2026 alone, and estimate the real number is 400-700 cases across open-source projects.

Georgia Tech researchers have launched the Vibe Security Radar project to track real-world vulnerabilities introduced by AI-powered coding tools, and the early numbers are stark. The project, run by the Systems Software & Security Lab (SSLab), has confirmed 74 CVEs that can be directly traced back to AI-generated code, with 35 of those disclosed in just March 2026 — up from six in January and 15 in February. The researchers warn that the true figure is likely five to ten times higher, estimating 400 to 700 cases across the open-source ecosystem, because many developers strip the metadata traces that allow attribution.
The Vibe Security Radar monitors approximately 50 AI-assisted coding tools, including Anthropic's Claude Code, GitHub Copilot, Cursor, Devin, Windsurf, Aider, Amazon Q, and Google Jules. To identify AI-introduced vulnerabilities, the team pulls data from public vulnerability databases such as CVE.org, the National Vulnerability Database (NVD), GitHub Advisory Database (GHSA), Open Source Vulnerabilities (OSV), and RustSec. They then find the commit that fixed each vulnerability and trace backwards to identify who introduced the bug. If that commit carries an AI tool's signature — such as a co-author tag or a bot email — the vulnerability is flagged.
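The last step of the pipeline described above, the attribution check, as an added example that is not the Vibe Security Radar's own code: given the commits that git blame points at for the lines a fix changed, it flags those whose commit trailers or author e-mail carry an AI tool's signature, and reports "unattributed" when no metadata survives (the undercount the researchers describe). The signature patterns, placeholder CVE id and sample commits are constructed assumptions, not the project's rule set.

```python
import re
from dataclasses import dataclass

# Assumed signature patterns (constructed for illustration). Real tools'
# trailers vary and are often stripped by authors before committing.
AI_SIGNATURES = {
    "Claude Code": re.compile(r"^co-authored-by:.*<noreply@anthropic\.com>\s*$", re.I | re.M),
    "Cursor": re.compile(r"^co-authored-by:.*cursor.*$", re.I | re.M),
}
# Generic heuristic: GitHub App identities commit with a "[bot]" noreply address.
BOT_EMAIL = re.compile(r"\[bot\]@users\.noreply\.github\.com$", re.I)


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    message: str


def ai_signals(commit: Commit) -> list[str]:
    """Return the tool names whose signature appears in this commit's metadata."""
    hits = [tool for tool, pat in AI_SIGNATURES.items() if pat.search(commit.message)]
    if BOT_EMAIL.search(commit.author_email):
        hits.append(f"bot:{commit.author_name}")
    return hits


def attribute(cve_id: str, introducing: list[Commit]) -> dict:
    """Flag a CVE when any commit that introduced the fixed lines carries an AI signature.

    `introducing` is the set of commits git blame reports for the lines the fix
    touched; running blame against the repository is outside this example.
    """
    signals = {c.sha: ai_signals(c) for c in introducing}
    flagged = {sha: tools for sha, tools in signals.items() if tools}
    return {"cve": cve_id, "ai_attributed": bool(flagged), "signals": flagged,
            "unattributed_commits": [sha for sha, tools in signals.items() if not tools]}


# Constructed sample: two introducing commits, one with a surviving trailer.
SAMPLE_INTRODUCING = [
    Commit("a1f3", "Dev One", "dev1@example.org",
           "Add config parser\n\nCo-Authored-By: Claude <noreply@anthropic.com>"),
    Commit("b2c4", "Dev Two", "dev2@example.org", "Refactor config parser"),
]

if __name__ == "__main__":
    print(attribute("CVE-0000-00000 (placeholder)", SAMPLE_INTRODUCING))
```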
Hanqing Zhao, founder of the Vibe Security Radar, told Infosecurity Magazine that the project aims to provide real numbers rather than benchmarks or hypotheticals. "Everyone is saying AI code is insecure, but nobody is actually tracking it. We want real numbers. Not benchmarks, not hypotheticals, real vulnerabilities affecting real users," Zhao said. He emphasized that this tracking work is fundamental now that more developers are "vibe coding" entire projects "straight to production," adding that "even teams that do code review aren't going to catch everything when half the codebase is machine-generated."
Among the 74 confirmed cases, Claude Code appeared most frequently, but Zhao noted this is partly because Anthropic's tool "always leaves a signature" in commit metadata. "Tools like Copilot's inline suggestions leave no trace at all, so they're harder to catch," he explained. The dominance of Claude Code may also reflect the tool's widespread adoption in the software development community. The researchers use AI agents to understand the root cause of each vulnerability and determine whether AI-generated code contributed to it, giving the agents access to the actual Git repository and commit history so they can perform a real investigation rather than simple pattern matching.
The project acknowledges that its count is incomplete and significantly understates the problem. Zhao admitted the real number is "almost certainly higher" than what the dashboard shows. "These are just the cases that leave metadata traces. Based on what we see in projects like that, we estimate five to 10 times what we currently detect, roughly 400 to 700 cases across the open-source ecosystem," he said. He cited OpenClaw as an example: the project has over 300 security advisories and relies heavily on vibe coding, but most AI tool traces have been stripped by the authors, allowing confirmation of only around 20 cases with clear AI signals. Additionally, many vulnerabilities never receive public identifiers like CVE or GHSA numbers, making them impossible to track.
Zhao is convinced the number of AI-induced vulnerabilities will only grow. "Last month, Claude Code alone accounted for over 4% of public commits on GitHub and that number is still climbing. More AI code means more AI-introduced vulnerabilities," he said. The Vibe Security Radar is a long-term project that the team plans to improve. "Right now, we rely on metadata like co-author tags and bot emails, but people strip those. The next step is looking at the bigger picture: the project as a whole, commit patterns and the overall coding style. AI-written code has a recognizable feel to it. We're working on models that can pick up on those signals without needing any explicit metadata," Zhao concluded.
The findings come amid growing industry concern about the security implications of AI-generated code. The UK NCSC head recently urged the industry to develop vibe coding safeguards, and Palo Alto Networks introduced a new security governance framework for AI-assisted development. The Georgia Tech project provides the first systematic, data-driven attempt to quantify the real-world impact of these tools on software security.