curl Order directly, but still rely on libcurl, the engine behind curl, through another product.
On May 11, 2026, Daniel Stenberg, founder and lead developer of curl, announced that Anthropic’s Mythos model had found a single CVE in curl. His blog post sparked a wave of research, which led to a flood of security reports for the curl project and, ultimately, the highest number of CVEs ever issued for a curl release: 18.
AISLE led all security organizations with 6 of those 18 CVEs, as well as additional valid findings in curl and libcurl. The next closest AI-powered organization received 3 CVEs, while researchers using Anthropic and OpenAI models received 1 each. These findings provide confirmation that AISLE’s model-agnostic system can outperform frontier models at a fraction of the cost in any deployment environment.
All AISLE findings were responsibly disclosed to the curl project and fixed in the release of curl 8.21.0 on June 24, 2026. We urge everyone to update to the latest version.
Finding the oldest curl security issue ever reported
Curl is of particular interest to security researchers: the easy bugs are long gone, and what’s left is hard to find, hiding in old protocol paths, state reuse, callback behavior, credential selection, and code paths that are easily forgotten. That’s why we ran AISLE’s autonomous vulnerability detection against curl in the fall of 2025, discovering 29 valid findings and 5 CVEs.
The 6 CVEs recently identified by AISLE range from classic memory-lifetime issues to logic bugs in how libcurl decides whether a connection, credential, or host identity is still valid. These include CVE-2026-8932, which at over 25 years old is the oldest curl vulnerability ever reported. Present in releases since curl version 7.7, it first shipped on March 22, 2001.
Summary of AISLE findings
Notably, several issues affect only libcurl applications, not the curl command line tool. This means that they affect the underlying code inside products where users may not know it exists, and where they become potential targets reachable through application behavior.
AISLE also reported several other curl bugs, including three memory safety issues:
Not every bug becomes a CVE, but these reports fall into that category. They’re all subtle edge cases in mature infrastructure code, especially around memory safety, state transitions, and esoteric API paths.
Strengthening the case for model-agnostic security systems
The fact that AISLE claimed 6 of the 18 findings in this release further supports our premise that well-engineered, model-agnostic systems rival high-powered frontier models on cybersecurity tasks.
Furthermore, AISLE did more than just discover vulnerabilities. Three CVEs were also patched using fixes generated by our platform. This suggests that cybersecurity capability is irregular: for well-defined security tasks, smaller models can outperform much larger and more expensive LLMs. Specifically, they can do this locally, completely on-premises, without making API calls.
The challenge is to match model capability and security requirements. In other words, AI-native cybersecurity is not primarily a computation problem, but an engineering problem.
Engineering AI for Security with AISLE
AISLE’s end-to-end vulnerability management platform provides autonomous protection within your deployment constraints, from air-gapped networks to the cloud. If you want to see what AI would find in your codebase, talk to us.
Our heartfelt thanks to the curl project for their professionalism during the disclosure process. All of our CVEs were reported and disclosed by Joshua Rogers of the AISLE Research team.