AI Code Is Not More Secure: 74 CVEs Tracked to AI-Generated Code, Real Number Likely 5-10x Higher
Georgia Tech SSLab researchers have tracked 74 CVEs definitively attributable to AI-generated code, with the actual number estimated to be 5 to 10 times higher due to detection limitations. Claude Code leads with 49 CVEs (11 critical), followed by GitHub Copilot with 15.
The Numbers
| AI Tool | Total CVEs | Critical | Period |
|---|---|---|---|
| Claude Code | 49 | 11 | May 2025 - Mar 2026 |
| GitHub Copilot | 15 | 2 | May 2025 - Mar 2026 |
| Aether | 2 | 0 | May 2025 - Mar 2026 |
| Google Jules | 2 | 1 | May 2025 - Mar 2026 |
| Devin | 2 | 0 | May 2025 - Mar 2026 |
| Cursor | 2 | 0 | May 2025 - Mar 2026 |
| Others | 2 | 1 | May 2025 - Mar 2026 |
The Trend
- August 2025: Just 2 CVEs from Claude Code
- March 2026: 35 CVEs (27 from Claude Code alone)
- Claude Code added 30.7 billion lines of code to public repos in 90 days
- Claude Code appears in 4%+ of all public GitHub commits
Why the Numbers Are Misleading
Researcher Hanqing Zhao: "If AI were truly responsible for only 74 out of 50,000 public vulnerabilities, that would imply AI-generated code is orders of magnitude safer than human-written code. We do not think that is credible. The low number reflects detection blind spots, not superior AI code quality."
Previous Research
Georgetown University (November 2024) tested five models and found:
- ~48% of generated code was compilable but contained security bugs
- ~30% passed verification and was deemed secure
The Implication
As AI coding tools explode in popularity (Claude Code alone is responsible for 4%+ of GitHub commits), the security debt being accumulated is enormous, and most of it goes undetected.
Source: The Register, Georgia Tech SSLab