IBM Joins Project Glasswing Amid 10,000+ Flaw Discovery

Open Source Security Crisis Emerges As Anthropic's Project Glasswing Uncovers 10,000+ Critical Flaws And IBM Joins Consortium

Anthropic’s Project Glasswing has uncovered more than 10,000 high- and critical-severity vulnerabilities across open-source software, exposing a growing patching bottleneck, as IBM joins the initiative to strengthen ecosystem-wide security.

Anthropic’s Project Glasswing has identified more than 10,000 high- and critical-severity vulnerabilities across systemically important software, highlighting a growing challenge for the open-source community: fixing flaws is no longer keeping pace with discovering them.

According to Anthropic’s latest update, more than 1,000 open-source projects were scanned, uncovering 23,019 vulnerabilities in total, including 6,202 classified as high or critical severity. The company said vulnerability discovery is no longer the primary constraint, adding that “the relative ease of finding vulnerabilities compared with the difficulty of fixing them represents a structural problem for the entire software security ecosystem.”

The scale of the challenge is evident in the remediation figures. Of 530 high- or critical-severity vulnerabilities disclosed to maintainers, only 75 had been patched and publicly disclosed at the time of reporting, and the fixes that did land took about two weeks on average. Anthropic also said that some open-source maintainers have asked the company to slow the pace of disclosures to allow more time for patch development.

The findings gained further credibility after six independent security research firms reviewed 1,752 vulnerabilities and validated more than 90 per cent as true positives.

On May 19, IBM joined the invitation-only Project Glasswing consortium, which now includes roughly 50 organisations. Rob Thomas, Senior Vice President of Software and Chief Commercial Officer at IBM, said the collaboration involves hardening IBM products and contributing fixes back to open-source projects, adding that it “makes the entire ecosystem stronger.”

Among the publicly disclosed findings is CVE-2026-5194, a certificate-forgery flaw in wolfSSL that could have enabled convincing fake banking or email-provider websites. The vulnerability has since been patched. Mozilla also patched 271 Firefox vulnerabilities identified with Mythos assistance, while Cloudflare reported hundreds of vulnerabilities discovered through Glasswing deployments.

To help maintainers manage the growing volume of reports, Anthropic has committed $4 million to the Open Source Security Foundation’s Alpha-Omega project.
