
35 New CVEs in March From AI-Generated Code: The Numbers Are Getting Worse
Georgia Tech researchers just dropped a stat that should scare every vibe coder: 35 new CVEs in March 2026 were traced directly to AI-generated code. That's up from 6 in January and 15 in February. The trend line is vertical.

The Vibe Security Radar

The Vibe Security Radar is a research project from Georgia Tech's Systems Software & Security Lab. They track vulnerabilities specifically introduced by AI coding tools that made it into public advisories (CVE.org, NVD, GitHub Advisory Database, OSV, RustSec).

Their method:

1. Pull from public vulnerability databases
2. Find the commit that fixed each vulnerability
3. Trace backwards to find who introduced the bug
4. If the commit has an AI tool's signature (co-author tag, bot email), flag it
5. AI agents investigate the root cause using actual Git history

74 confirmed cases so far. The real number is estimated at 5-10x higher (400-700 across open source) because tools like Copilot leave no metadata traces.

Which Tools Introduce the Most Vulnerabilities?
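
The signature check from the Radar's method above (flagging a commit by co-author tag or bot email), sketched as an added example that is not the researchers' code. The signature patterns, identities and commit hashes are constructed placeholders, and only the trailer block of each message is parsed so that a trailer quoted in the body does not count.

```python
import re

# Hypothetical signatures, constructed for this example; a real list would
# hold each tool's actual co-author name and bot e-mail address.
AI_SIGNATURES = [re.compile(r"examplecoder-ai", re.I),
                 re.compile(r"\[bot\]@users\.noreply\.example\.com$", re.I)]
TRAILER = re.compile(r"^co-authored-by:\s*([^<]*)<([^>]+)>\s*$", re.I)

def trailers(message):
    """(name, email) pairs from Co-authored-by lines in the trailer block,
    i.e. the last paragraph; mentions earlier in the body are ignored."""
    paragraphs = [p for p in re.split(r"\n\s*\n", message.strip()) if p.strip()]
    if len(paragraphs) < 2:          # subject line only, no trailer block
        return []
    found = []
    for line in paragraphs[-1].splitlines():
        m = TRAILER.match(line.strip())
        if m:
            found.append((m.group(1).strip(), m.group(2).strip()))
    return found

def ai_signature(commit):
    """Return the identity string that matched an AI signature, else None."""
    identities = [commit["author_email"]]
    for name, email in trailers(commit["message"]):
        identities += [name, email]
    for ident in identities:
        if any(p.search(ident) for p in AI_SIGNATURES):
            return ident
    return None

def flag(commits):
    """Map sha -> matched signature for every flagged commit."""
    hits = {c["sha"]: ai_signature(c) for c in commits}
    return {sha: sig for sha, sig in hits.items() if sig}

# Constructed sample commits (placeholder hashes, example identities).
SAMPLE = [
    {"sha": "aaa111", "author_email": "dev@corp.example",
     "message": "Add upload handler\n\nCo-authored-by: ExampleCoder-AI <assistant@examplecoder.example>"},
    {"sha": "bbb222", "author_email": "helper[bot]@users.noreply.example.com",
     "message": "Bump parser"},
    {"sha": "ccc333", "author_email": "dev@corp.example",   # quotes a trailer in the body only
     "message": "Revert upload handler\n\nReverted commit had:\nCo-authored-by: ExampleCoder-AI <a@examplecoder.example>\n\nSigned-off-by: Dev <dev@corp.example>"},
    {"sha": "ddd444", "author_email": "dev@corp.example",   # no metadata at all
     "message": "Fix path check"},
]

if __name__ == "__main__":
    print(flag(SAMPLE))
```

Commit `ddd444` passes unflagged whether or not a tool wrote it, which is the blind spot behind the 5-10x estimate for tools that leave no metadata.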



