THE article reports that Anthropic’s Mythos AI analysed curl and identified five vulnerabilities, but after further review by curl’s maintainers only one real vulnerability remained, rated as low severity. Three of the original findings were false positives, described as documented in the API, and the fourth was deemed simply a bug rather than a security issue. The sole confirmed vulnerability was slated for inclusion in curl 8.21.0 in late June.
Daniel Stenberg, the creator and lead developer of curl, is quoted noting that Mythos’ findings did not demonstrate a major advantage over existing security tools and that the hype around Mythos was largely marketing. The piece adds that curl comprises 176,000 lines of C code (excluding blank lines) and is used by billions of devices, with Mythos having analysed the codebase through the Linux Foundation’s Alpha Omega project.
According to Daniel Stenberg, Mythos found five “confirmed security vulnerabilities” but the curl security team trimmed this to one real issue. May 12, 2026.