Using AI to code does not mean your code is more secure

Source: https://www.theregister.com/headlines.atom
Summary

As more people use AI tools to write code, the tools themselves are introducing more vulnerabilities. Researchers affiliated with Georgia Tech SSLab have been tracking CVEs attributable to flaws in AI-generated code.

Last August, they found just two CVEs that could be definitively linked to Claude Code: CVE-2025-55526, a 9.1 severity directory traversal vulnerability in n8n-workflows, and GHSA-3j63-5h8p-gf7c, an improper input handling bug in the x402 SDK. In March, they identified 35 CVEs, 27 of which were authored by Claude Code, 4 by GitHub Copilot, 2 by Devin, and 1 each by Aether and Cursor.

Claude Code's overrepresentation appears to follow from its recent surge in popularity. In the past 90 days, Claude Code has added more than 30.7 billion lines of code to public repositories, according to Claude's Code, an analytics website created by software engineer Jodan Alberts.

The Georgia Tech researchers started their measurements on May 1, 2025, and as of March 20, 2026, the CVE scorecard reads:

- 49 for Claude Code (11 critical)
- 15 for GitHub Copilot (2 critical)
- 2 for Aether
- 2 for Google Jules (1 critical)
- 2 for Devin
- 2 for Cursor
- 1 for Atlassian Rovo
- 1 for Roo Code

That's 74 CVEs attributable to AI-authored code out of 43,849 advisories analyzed.

Hanqing Zhao, a researcher with the Georgia Tech SSLab, told The Register in an email that those AI CVEs could be viewed as a lower bound and not as a ratio. "Those 74 cases are confirmed instances where we found clear evidence that AI-generated code contributed to the vulnerability," he said. "That does not mean the other ~50,000 cases were human-written. It means we could not detect AI involvement in those cases.

"Take OpenClaw as an example. It has more than 300 security advisories and appears to have been heavily vibe-coded, but most AI traces have been stripped away. We can only confidently confirm around 20 cases with clear AI signals.
Based on projects like that, we estimate the real number is likely 5 to 10 time...

First seen: 2026-03-26 20:15

Last seen: 2026-03-29 13:53