mythoscve tracker
live · 2026-06-06

Glasswing Results beta

Project Glasswing vulnerability discovery · data from Anthropic's CVD dashboard, May 22, 2026

Total findings
23,019
across 281 OSS projects
True positive rate
90.8%
1,726 reviewed by firms
Disclosed
1,596
total reported to maintainers
Patched
97
median 6.2d to patch
Advisories
88
28 CVEs + 60 GHSAs
Disclosure funnel
Steep drop-off at each phase — finding is easy, fixing is hard
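Total findings: 23,019 (92% drop-off to next phase)
Candidates for triage: 1,900 (9% drop-off to next phase)
Reviewed by firms: 1,726 (9% drop-off to next phase)
Confirmed true positives: 1,567 (70% drop-off to next phase)
Reported to maintainers: 467 (79% drop-off to next phase)
Patched upstream: 97 (73% drop-off to next phase)
Advisories published: 26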
Partner velocity
Bugs found in first month
Cloudflare: 2,000
Mozilla: 271
wolfSSL: 9
Cloudflare: 2,000 bugs across critical-path systems
Mozilla: Firefox 150 — 10x vs Firefox 148
wolfSSL: 9 CVEs including certificate forgery
Patch pipeline
From discovery to patch — where the bottlenecks are
Total findings: 23,019 (100.0%)
Triaged: 1,900 (8.3%)
Reviewed by firms: 1,726 (7.5%)
True positive: 1,567 (6.8%)
Reported (triaged): 467 (2.0%)
Reported (direct): 1,129 (4.9%)
Disclosed total: 1,596 (6.9%)
Acknowledged: 1,451 (6.3%)
Patched: 97 (0.4%)
Median time to ack: 0.2d
Median time to patch: 6.2d
Acknowledged: 1,451
Bug class breakdown
Top vulnerability categories across all disclosed findings
Other: 512
Heap buffer overflow: 162
Auth bypass: 116
Broken access control: 88
Denial of service: 66
Stack buffer overflow: 49
Info disclosure: 43
Privilege escalation: 42
SSRF: 37
Path traversal: 34
Segfault: 25
Open redirect: 23
Project breakdown
Projects with disclosed vulnerabilities and published advisories
Project | CVEs | Critical | High | Medium | Low | Fixed
wolfSSL9729
freerdp0314
nginx1112
mastodon022
CraftCMS011
Ghost011
ImageMagick011
nomad111
temporalio/temporal111
jq111
MapServer111
libyang011
junrar011
minio011
gitoxide011
Key findings
From Anthropic's May 22, 2026 CVD dashboard
🔍
10x bug-finding rate increase

Several partners reported their rate of bug-finding increased by more than a factor of ten. Cloudflare found 2,000 bugs (400 high/critical) with a false positive rate their team considered better than human testers.

🦊
Firefox 150 — 271 vulnerabilities

Mozilla found and fixed 271 vulnerabilities in Firefox 150 using Mythos Preview, over 10x more than Firefox 148 with Claude Opus 4.6. 180 were rated sec-high, 80 sec-moderate, 11 sec-low.

🔐
CVE-2026-5194 — wolfSSL certificate forgery

Mythos Preview constructed an exploit in wolfSSL that would let an attacker forge certificates, allowing them to host a fake website for a bank or email provider. Affects billions of devices worldwide. Now patched.

📊
90.8% true positive rate

Independent triage by 6 security firms confirmed 1,567 of 1,726 assessed vulnerabilities as true positives. External firms assessed 1,726 findings from 1,900 candidates.

Fast patch turnaround

Median time to maintainer acknowledgment: 0.2 days. Median time to patch: 6.2 days. 1,451 of 1,596 disclosed findings were acknowledged by maintainers.

🏢
281 open source projects in scope

23,019 total findings across 281 projects. 1,596 disclosed to maintainers (467 triaged + 1,129 direct). 97 patched upstream, 88 with published CVE or GHSA advisories.