
AISLE Uncovers Six CVEs in curl 8.21.0, Including 25‑Year‑Old Bug

Hacker News

Curl powers more than 30 billion devices, from OS utilities to NASA’s Ingenuity helicopter. On May 11, 2026, founder Daniel Stenberg revealed that Anthropic’s Mythos model uncovered a single CVE. That spark ignited a deluge of research, eventually yielding the most CVEs ever for a single curl release.

AISLE led the charge, identifying six of the 18 CVEs reported for curl 8.21.0. Its model-agnostic system produced discoveries that outpaced other AI tools, including two double-free bugs and a 25-year-old authentication bypass, CVE-2026-8932, which first shipped in 2001 and highlights the need for stricter audit trails.

The findings affect libcurl internals, meaning applications that embed the library, often without user awareness, may expose credentials or allow malformed callbacks. Fixes landed in the June 24, 2026 release, and all vulnerabilities, including complex state-reuse scenarios, were responsibly disclosed to the curl project by Joshua Rogers.

AISLE’s success demonstrates that smaller, locally run models can match large LLMs on security tasks, delivering autonomous fixes without API calls. The curl team praised the collaboration, and developers now face a clear mandate: upgrade to curl 8.21.0 to eliminate these critical flaws for all dependent ecosystems.