Summary
OpenAI’s March 6, 2026 Codex Security research-preview post says Codex Security had been used to scan open-source repositories and that 14 CVEs had been assigned. The post lists examples across GnuTLS, Gogs, Thorium, GnuPG, and OpenSSL.
This ledger entry counts the 14 non-OpenSSL example CVE IDs listed in the post's appendix. The two OpenSSL examples, CVE-2025-15467 and CVE-2025-11187, are already counted in the AISLE OpenSSL cluster because AISLE’s public material and OpenSSL records provide the stronger per-release OpenSSL context.
Why it matters
OpenAI moved Aardvark from private beta to Codex Security research preview and published concrete CVE examples. That shifts the OpenAI entry from a system-level claim with unnamed CVEs to an auditable disclosure cluster.
Caveat
The OpenAI post is the primary source for the AI attribution. Individual CVE records should still be checked for affected versions, severity, and vendor language before treating any one item as a standalone finding.
Catalogued in the Bugflation public ledger.