Anthropic’s unreleased Mythos model scanned curl’s 176K-line C codebase and found one confirmed low-severity CVE out of five claimed findings.
Key Takeaways
Mythos flagged five “confirmed” vulnerabilities; curl’s security team reduced that to one real CVE, three false positives, and one plain bug.
The single confirmed flaw is low severity and is slated for the curl 8.21.0 release in late June 2026.
Prior AI tools (AISLE, Zeropath, OpenAI Codex Security) drove 200-300 bugfixes and a dozen-plus CVEs over 8-10 months; Mythos found fewer because the easy bugs are gone.
Mythos also surfaced ~20 non-vulnerability bugs with high explanation quality and almost no false positives; fixes are being worked through.
curl lead Daniel Stenberg’s verdict: Mythos is marginally better than existing AI analyzers, not categorically superior; the April 2026 hype was primarily marketing.