AI-assisted vulnerability discovery has triggered an unprecedented surge in cybersecurity disclosures, with high-severity CVEs reaching 1,500 in June 2026—more than 3.5 times the previous monthly record.
The Numbers
Epoch AI’s Cyber Vulnerabilities explorer documents a sharp inflection point beginning in early 2026. Twenty-one major organizations disclosed approximately 1,500 high and critical-severity CVEs in June alone—a figure that exceeds the combined total of previous peak months.
The spike correlates with the widespread deployment of AI-powered vulnerability scanning tools, particularly those leveraging large language models for code analysis and exploit discovery.
Finding vs. Fixing
The surge raises a critical question: does faster vulnerability discovery translate to faster remediation, or does it simply expose more security debt?
Security researchers offer conflicting views. Some argue that AI-assisted scanning surfaces issues that would eventually be discovered anyway—merely accelerating the disclosure timeline. Others contend that AI tools are finding novel vulnerability classes that human reviewers routinely miss, representing genuinely new security surface.
“There’s a difference between scanning faster and scanning differently,” noted one security analyst. “The jury’s still out on which category this falls into.”
Enterprise Response
Organizations face pressure to respond to disclosures faster while managing the cognitive load of processing record vulnerability volumes. Traditional patch management workflows are straining under the volume, prompting interest in automated remediation tools.
The U.S. government’s CISA has emphasized the need for organizations to adopt AI-assisted security tooling to keep pace with the vulnerability landscape—arguably accelerating an arms race between attackers and defenders both leveraging artificial intelligence.
Looking Forward
Epoch AI has launched a Cyber Vulnerabilities data explorer to help researchers analyze trends in disclosure patterns, severity distributions, and affected systems. The tool aims to provide clearer signals amid the noise of record disclosure volumes.
Whether the CVE spike represents a temporary anomaly or a new baseline remains to be seen. What seems certain is that AI is fundamentally changing the speed at which security vulnerabilities become known—and the pressure to fix them.