Anthropic — the company behind the Claude AI — has revealed that its new security research program, Project Glasswing, found more than 10,000 high-severity vulnerabilities hidden inside popular open-source software. The tool powering the hunt is Claude Mythos, an advanced AI model that can autonomously scan code for weaknesses the way a skilled security researcher would — only much faster. Of the flaws identified so far, 1,094 have been confirmed as high or critical severity across more than 1,000 software projects.
One notable example is CVE-2026-5194, a CVSS 9.1-rated flaw in WolfSSL — a widely used security library — that allowed forging trusted digital certificates. This is the kind of bug that, left unfound, could be exploited to make fake websites appear legitimate to your browser. The good news is that these flaws are being found and reported to software maintainers before attackers can weaponise them. Project Glasswing is currently in limited preview with about 50 partner organisations, including banks, which are already using it to detect suspicious transactions.