Claude Mythos flags 10,000 high-severity vulnerabilities in widely used software
- Anthropic’s Claude Mythos found 10,000 high-severity vulnerabilities in widely used software, triggering patches and an accelerated defensive response across affected projects and vendors.
- The discovery came from Anthropic’s Project Glasswing, and Anthropic described the result as reason enough to withhold public release of Mythos-level models pending governance review.
- Anthropic urged caution about capability releases while enterprises weigh model-driven vulnerability scanning. (time.com) (thehackernews.com)
Anthropic says a restricted preview of Claude Mythos has already changed the bottleneck in software security. In an update on May 22, the company said Project Glasswing and roughly 50 partners had used Claude Mythos Preview to identify more than 10,000 high- or critical-severity vulnerabilities across “systemically important” software. Anthropic said the immediate constraint is no longer finding bugs, but verifying, disclosing, and patching them fast enough. (anthropic.com)

The most important detail is that “10,000 vulnerabilities” does not mean 10,000 confirmed catastrophic bugs ready for attackers to use. Anthropic’s own public accounting, as summarized by The Hacker News from the company’s disclosures, says 6,202 findings were classified as high- or critical-severity candidates affecting more than 1,000 open-source projects, and later review identified 1,726 valid true positives. Of those, 1,094 were assessed as confirmed high- or critical-severity flaws. That is still a very large number, but it is smaller and more precise than the headline figure. (thehackernews.com)

What Glasswing appears to show is scale. Anthropic said most partners found hundreds of high- or critical-severity vulnerabilities in the first month, and some reported bug-finding rates rising by more than 10x. The company cited Cloudflare as finding 2,000 bugs, including 400 high- or critical-severity issues, across critical-path systems. (anthropic.com)

Anthropic is treating this as a release-governance issue, not just a product milestone, because of the model’s offensive capability as well as its defensive utility. In a May 22 research note, Anthropic said Mythos Preview represented “a step-change” over prior frontier models in exploit development and said that was one of the main reasons it was rolled out through Project Glasswing rather than a general release. The company said internal testing showed the model could not only find complex vulnerabilities, but also turn them into exploit primitives and combine those into end-to-end attack chains. (red.anthropic.com)

That is the core policy point behind the story: Anthropic is arguing that a model good enough to help defenders at scale may also lower the skill required for attackers. The company said it plans to publish more detail only after patches are broadly deployed, following standard coordinated disclosure timelines of about 90 days after discovery, or roughly 45 days after a patch is available. Anthropic also said the current lag in public evidence is a result of trying not to expose end users before fixes are in place. (anthropic.com)

There are already concrete downstream effects. The Hacker News reported that 97 findings had been patched upstream and 88 advisories had been issued. It also cited one example, a WolfSSL flaw tracked as CVE-2026-5194 with a CVSS score of 9.1, that could let an attacker forge certificates and impersonate a legitimate service. (thehackernews.com)

For enterprises, the practical takeaway is narrower than the hype: model-driven vulnerability discovery is arriving faster than patch operations are adapting. Anthropic said developers should shorten patch cycles and defenders should speed up testing and deployment timelines because models with Mythos-like capabilities could become broadly available soon. That frames the next phase less as “can AI find bugs?” and more as whether vendors and infrastructure operators can absorb AI-generated security findings at industrial scale. (thehackernews.com)