Anthropic Project Glasswing CVD Dashboard: Claude Mythos Preview Discloses 1,596 Vulnerabilities Across 281 Open-Source Projects

On May 22, 2026, Anthropic published the initial update for Project Glasswing and launched a public Coordinated Vulnerability Disclosure (CVD) dashboard showing that Claude Mythos Preview has autonomously found over 10,000 high- or critical-severity vulnerabilities across widely-used software, with 1,596 disclosed to maintainers across 281 open-source projects at a 90.8% true-positive rate confirmed by external security research firms including Trail of Bits, ADA Logics, and Calif.io. Of the disclosed findings, 97 have been patched and 88 have been assigned CVE or GHSA identifiers; notable CVEs include a 17-year-old FreeBSD RCE (CVE-2026-4747) and Firefox vulnerabilities discovered in collaboration with Mozilla. The model remains gated to ~50 partner organisations (AWS, Apple, Google, Microsoft, Cisco, NVIDIA, CrowdStrike, JPMorgan Chase) under controlled access, as Anthropic has permanently withheld public release citing catastrophic weaponisation risk.

This is the first vendor publication to document AI-powered autonomous vulnerability discovery at scale with external-firm-validated true-positive rates; it fundamentally changes the economics of offensive and defensive vulnerability research. The bottleneck has shifted from finding vulnerabilities to human-speed patch triage and coordination — Cloudflare's analysis of Mythos noted that it constructs multi-bug exploit chains autonomously, and maintainers have asked Anthropic to slow disclosures because patching capacity is the new constraint. Security teams must now plan for burst-rate patch drops from foundational OSS (browsers, TLS libraries, kernels) as the 90-day disclosure windows begin to close.

All organisations that depend on open-source software for AI infrastructure or general use should increase patch-cadence monitoring for Firefox, wolfSSL, nginx, FreeBSD, libyang, mastodon, and freerdp. Security teams evaluating frontier AI for vulnerability discovery should treat Glasswing's 90.8% TPR as the reference benchmark for similar in-house programmes. CISOs should brief their boards that patch-window compression — from CVE disclosure to working exploit — is now measured in hours, not weeks.