In April 2026, Anthropic made considerable noise announcing Mythos, a new artificial intelligence model described as extremely effective at identifying vulnerabilities in code. In a recent scan of the curl source code, Mythos found five vulnerabilities.
“Curl is currently 176,000 lines of C code when we exclude blank lines. The source code consists of 660,000 words, which is 12% more words than the entire English edition of the novel War and Peace.” wrote Daniel Stenberg, the creator of curl. “Five issues felt like nothing as we had expected an extensive list,” he added. “Once my curl security team fellows and I had poked on the this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability. The other four were three false positives (they highlighted shortcomings that are documented in API documentation) and the fourth we deemed just a bug.” The single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with the pending next curl release 8.21.0 in late June.
Some members of the cybersecurity industry have pointed out that curl has been heavily audited and tested, including by other AI tools, making it difficult for major vulnerabilities to remain hidden. They argue that Mythos’ limited findings reflect the maturity and robustness of curl’s codebase, rather than any shortcoming of the model itself.
Read more about it here.