Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ai-security (12 articles)

Anthropic Mythos Preview AI finds 10,000+ high-severity flaws in widely used software; Cyber Verification Program launched

Anthropic has unveiled Claude Mythos Preview, a research-only AI model purpose-built for security tasks, and disclosed that it has used the model to find more than 10,000 high-severity vulnerabilities in widely used open-source and commercial software. Mythos has also been adapted to build end-to-end exploit chains and, in one Glasswing partner-bank case, helped block a $1.5 million fraudulent wire transfer. Anthropic is urging defenders to shorten patch windows because models with similar capability will soon be broadly available. It has launched a Cyber Verification Program that lets vetted researchers use the model without guardrails for legitimate vulnerability research, red teaming, and penetration testing.

Check
Audit your patch SLAs: how fast does a critical CVE move from vendor advisory to production? Aim for under 72 hours on internet-facing services.
Affected
Any organization whose patching cadence implicitly relies on attackers needing days or weeks to turn a vendor advisory into a working exploit. Mythos and similar models (OpenAI's GPT-5.5-Cyber) compress the exploit-development timeline dramatically.
Fix
Shorten patch testing and deployment cycles. Harden default configurations. Enforce phishing-resistant MFA. Apply for the Anthropic Cyber Verification Program if you do legitimate vulnerability research.

AI security tool finds 38 previously unknown bugs in OpenEMR, the open-source health records system used by 100,000 healthcare providers - two of them rated maximum severity

Aisle, an AI-driven application security firm, ran its analyzer over OpenEMR's source code and found 38 previously unknown vulnerabilities, two of them rated maximum severity (CVSS 10.0). OpenEMR is the open-source electronic health records system used by 100,000 healthcare providers serving 200 million patients. The two critical bugs let attackers reach patient data without authenticating: CVE-2026-24898 lets any unauthenticated visitor obtain the medical practice's API tokens with a single POST request, and CVE-2026-24908 is a SQL injection in the patient REST API. OpenEMR has now patched all 38.

Check
If your organization runs OpenEMR, upgrade to the latest patched build today and audit access logs for unauthenticated POST requests to MedEx recall/reminder endpoints.
Affected
OpenEMR deployments before the April 2026 security update. Exposure is most acute for internet-reachable instances, because CVE-2026-24898 requires no authentication. The 100,000 OpenEMR healthcare providers are typically smaller US clinics and under-resourced settings worldwide, the segments least likely to have a fast patching process.
Fix
Upgrade OpenEMR to the latest 8.x patched release. Audit application and web-server logs for any POST to the MedEx recall/reminder endpoint and for unusual _sort parameter values in the patient REST API; those are the exploit signatures. Access logs do not record session state, so every POST to the MedEx endpoint from an unexpected source address deserves review, not only the requests you can prove were unauthenticated. Restrict OpenEMR's admin and API endpoints to internal management networks. Rotate any API tokens that existed before the patch was applied, since CVE-2026-24898 may have exposed them.
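As an added illustration of the log audit above (example code written for this digest, not OpenEMR's or Aisle's own tooling), the following Python scanner walks Apache/nginx combined-format access logs and flags both exploit signatures. It assumes the MedEx recall/reminder endpoint path contains the string "medex" and that the patient REST API path contains "/api/patient"; both markers are assumptions to be replaced with the exact paths from the OpenEMR advisory. The sample log lines and their paths are constructed for the example. Any _sort value that is not a bare column name (optionally prefixed with "-" for descending order, also an assumption) is treated as a CVE-2026-24908 probe.

```python
"""Flag OpenEMR exploit signatures in combined-format web access logs.

Added example for this digest; the path markers and sample data below are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format prefix: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# ASSUMPTION: the MedEx recall/reminder endpoint path contains "medex" and the
# patient REST API path contains "/api/patient". Adjust to the advisory's real paths.
MEDEX_MARKER = "medex"
PATIENT_API_MARKER = "/api/patient"

# A legitimate _sort value is a column name, optionally prefixed with '-' for
# descending order (assumed). Spaces, quotes or comment markers are suspect.
SAFE_SORT = re.compile(r"^-?[A-Za-z0-9_.]+$")

# Constructed sample traffic, not real log data. Endpoint paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2026:03:12:41 +0000] "POST /interface/medex/recall.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [14/Apr/2026:03:13:02 +0000] "GET /apis/default/api/patient?_sort=lname HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Apr/2026:03:13:05 +0000] "GET /apis/default/api/patient?_sort=lname%27%20OR%201%3D1-- HTTP/1.1" 500 310 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Apr/2026:03:14:00 +0000] "GET /interface/main/main_screen.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # percent-decodes parameter values
    return rec


def classify(rec):
    """Return the CVE id whose exploit signature this request matches, else None."""
    path = rec["path"].lower()
    # CVE-2026-24898: a POST to the MedEx endpoint. Access logs carry no session
    # state, so every such POST is reported; triage by source address and timing.
    if rec["method"] == "POST" and MEDEX_MARKER in path:
        return "CVE-2026-24898"
    # CVE-2026-24908: a _sort value on the patient REST API that is not a bare column name.
    if PATIENT_API_MARKER in path:
        for value in rec["query"].get("_sort", []):
            if not SAFE_SORT.match(value):
                return "CVE-2026-24908"
    return None


def scan(log_text):
    """Run classify() over every line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cve = classify(rec)
        if cve:
            findings.append({
                "cve": cve, "ip": rec["ip"], "ts": rec["ts"],
                "method": rec["method"], "target": rec["target"], "status": rec["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['cve']}  {f['ts']}  {f['ip']}  {f['method']} {f['target']}  -> {f['status']}")
```

On the sample data the scanner reports the MedEx POST and the malformed _sort request and ignores the two benign lines. Pipe real logs in with `scan(open(path).read())`; the MedEx rule is deliberately broad because the access log cannot distinguish an authenticated staff request from an anonymous one, so the output is a triage list rather than a verdict.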