- Epoch AI confirmed that roughly 1,500 high- and critical-severity CVEs poured out of 21 major vendors in June 2026 alone — more than 3.5× any single prior monthly record.
- The UK AI Security Institute independently found that Mythos Preview hits 73% on expert capture-the-flag tasks and is the first model to finish a simulated 32-step corporate network intrusion end-to-end.
- ZeroFox claims, without independent corroboration, that over 99% of Mythos-identified vulnerabilities are still unpatched and queued on rolling 90-day disclosure timelines.
Well, Somebody Kicked the Hornets' Nest
Boy howdy, if you want to watch the cybersecurity world go sideways faster than a tractor on a wet hill, just check what Epoch AI turned up this summer. According to Epoch AI's data, organizations published somewhere in the neighborhood of 1,500 high- and critical-severity CVEs in June 2026 — a figure the researchers describe as exceeding 3.5 times the highest single-month total ever recorded before Anthropic's Claude Mythos Preview arrived on the scene in April 2026. Epoch AI pulled those numbers straight from public CVE records covering 21 major software vendors and open-source projects, so the raw count is about as verified as a brand on a longhorn — it ain't going anywhere.
The timing here is what's got everybody's suspenders in a twist. Epoch AI separately noted that high- and critical-severity disclosures from those same organizations were already running 142% above the 2025 baseline in April and a gut-punching 262% above baseline in May, before June's full blowout. Whether Anthropic's model is the bootlegger or just the getaway car, something changed when Mythos Preview showed up, and the numbers are doing their level best to tell a story — analysts just can't agree on the plot.
What Is Actually Nailed Down, Far As Anybody Can Tell
The UK AI Security Institute — an independent government body, not Anthropic's PR department — put Mythos Preview through its paces and published findings confirming that the model succeeds on expert-level capture-the-flag challenges 73% of the time. The institute further confirmed it is the first model ever to complete an end-to-end simulated 32-step corporate network penetration scenario, which the AISI described as a meaningful step-change beyond prior frontier models. That evaluation carries real weight because it didn't come from a company blog post.
FIRST, the global vulnerability coordination body, issued a mid-year forecast update projecting the full-year 2026 CVE count at roughly 66,000 — running about 46% above FIRST's own original projection, an excess of more than 6,400 CVEs. FIRST attributed at least part of that surplus to AI-assisted discovery tools, naming Mythos Preview and OpenAI's GPT-5.4-Cyber specifically. That's a respectable outside organization saying out loud that AI tooling is reshaping the disclosure landscape, which is a long way from just one company hollering about its own barn.
What Anthropic Says It's Been Up To — And You Should Know Where That's Coming From
Anthropic describes what it calls Project Glasswing as a coordinated vulnerability disclosure effort powered by what the company characterizes as its Mythos Preview model. According to Anthropic's own coordinated disclosure dashboard, as of May 22, 2026, the program had triaged 23,019 findings, with 1,726 independently confirmed as valid by outside security firms, and 97 pushed as actual patches into open-source projects including nginx, wolfSSL, and Temporal. The Hacker News reported on those dashboard figures, but the underlying claim about the scale of discovery still originates with Anthropic.
Anthropic frames Glasswing as what the company calls a responsible disclosure platform and describes its approach as an organized pipeline for turning AI-generated findings into upstream fixes. That's Anthropic's own description of its structure and strategy, not an independent assessment of how the sausage gets made. The Cloud Security Alliance has offered technical analysis of the broader trend, but the specific 10,000-plus vulnerability headline traces back to Anthropic's self-reported numbers, which a good ol' boy would call 'measuring your own fish.'
The Parts That Are Still Muddier Than a Creek After a Thunderstorm
Here's where even the data-holders start hedging. Epoch AI's own opinion analysts, writing separately from the data team, raised the possibility that the CVE surge reflects a sharp jump in money spent hunting bugs through Glasswing rather than any fundamental capability leap by Mythos Preview itself. The analysts specifically noted that earlier models might have been capable of finding similar vulnerabilities all along, and that what changed was the coordinated investment to actually go find them — which is about as different from 'revolutionary AI' as a new tractor is from new land to plow.
FIRST and APNIC's analyses add another wrinkle worth chewing on: even though raw CVE volume has blown past forecasts, the actionable patching burden — that is, the slice of vulnerabilities that are actually exploitable in the wild by CISA and EPSS scoring standards — has stayed essentially flat. In plain terms, more bugs on paper don't automatically mean more attackers at the door, and defenders who were already prioritizing by exploitability signals might not be measurably worse off than they were a year ago. Some researchers cited by Epoch AI also pointed out that GPT-5.5 performs comparably on several individual cyber benchmarks but its launch didn't set off the same alarm bells, which complicates any clean story about Mythos being uniquely dangerous.
ZeroFox's Unverified Worry, Which Deserves a Mention and a Grain of Salt
ZeroFox published a blog post claiming — and this has not been independently verified by outside reporting — that more than 99% of the vulnerabilities Mythos is said to have turned up remain both unpatched and undisclosed, sitting in a queue on rolling 90-day timelines before they hit public records. ZeroFox also raised concerns that the way Anthropic describes Glasswing's structure could theoretically allow competitive misuse, including scenarios where mass disclosure timing could be weaponized to disadvantage rival organizations. Those are serious-sounding allegations, and they'd be worth losing sleep over if they were corroborated — but as of now, ZeroFox is standing in that field alone, hollering at clouds with no one else confirming the weather.
Analysis: What the Smoke Might or Might Not Mean
This is analysis, not reporting, so take it accordingly. The most uncomfortable reading of the available evidence is that both things could be true at once: Mythos Preview may represent a genuine capability improvement in automated vulnerability discovery, AND the spike may be partly a function of Anthropic and its partners throwing serious money at a coordinated search campaign. Epoch AI's benchmark aggregation places Mythos roughly seven months ahead of trend in exploit construction, which is not nothing — but 'ahead of trend' in a moving field is a harder claim to hang a barn door on than 'definitively caused this CVE explosion.'
The flatness of the actionable patching burden is either reassuring or a ticking alarm clock, depending on your risk appetite. If the 99%-unpatched-and-unannounced figure ZeroFox cites is anywhere near accurate — and that is a big if, given the lack of corroboration — then the public CVE records so far are just the appetizer, and the main course hasn't left the kitchen. Defenders watching this situation would be wise to remember that the scoreboard Epoch AI is tracking reflects disclosures already made, and the pipeline behind those disclosures remains opaque as pond water at midnight.
Who is doing the hollering
These links show where the chatter came from. A link is attribution, not our endorsement or independent confirmation.
- Disclosed CVEs: 3.5× Spike After Claude Mythos Preview | Epoch AI · specialist
- Are Mythos' cyber capabilities overhyped? | Epoch AI Gradient Updates · specialist
- Our evaluation of Claude Mythos Preview's cyber capabilities | UK AI Security Institute (AISI) · top tier
- Anthropic's coordinated vulnerability disclosure dashboard | Anthropic Frontier Red Team · primary
- Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software | The Hacker News · top tier
- The 2026 Vulnerability Forecast Update: Navigating the AI Epoch | FIRST · specialist
- Rising CVEs in the AI epoch | APNIC Blog · specialist
- Claude Mythos and the Acceleration of Cybersecurity Risk | Bloomsbury Intelligence and Security Institute (BISI) · specialist
- The Claude Mythos Problem: AI Vulnerability Scanning Has Trust Issues | ZeroFox · specialist
Last checked Jul 4, 2026, 9:08 AM EDT.
Talk Around Town: The 3.5× CVE spike is real and documented in public disclosure records, but whether Claude Mythos Preview itself caused it — versus coordinated investment, structural reporting changes, or a combination — is actively disputed by analysts including Epoch AI's own researchers. The full pipeline of Mythos-discovered vulnerabilities has not yet entered public records, so the downstream patching burden and actual risk increase remain unknown.