The Intake — Saturday, May 23, 2026

More than 10,000 high- or critical-severity vulnerabilities were found across widely deployed software in Project Glasswing's first month. The finders were Claude Mythos Preview and approximately 50 partner organizations. Of 23,019 candidate findings submitted for review, external security firms confirmed 90.8% as true positives. That is roughly 20,900 valid findings from the Glasswing scan.

CVE-2026-5194 is a flaw in wolfSSL, a widely used cryptography library. Mythos flagged the vulnerability and constructed a working certificate-forgery exploit. wolfSSL patched the flaw in version 5.9.1.

Of the 1,596 vetted findings disclosed to maintainers, 97 have been patched upstream as of May 22, 2026. Eighty-eight advisories have been published. Anthropic's update attributes the gap between disclosure and patch count to volunteer maintainer capacity, not to detection accuracy.

Alongside the Glasswing update, Anthropic launched Claude Security in public beta for enterprise customers. Per Anthropic, it runs on Claude Opus 4.7 and reports 2,100 corporate vulnerabilities already patched.

Practitioners running wolfSSL older than 5.9.1 now have a named, exploit-demonstrated certificate-forgery path — the proof-of-concept was constructed by Mythos and verified true-positive by external review.

On May 18, 2026, an automated supply-chain campaign pushed 5,718 commits to 5,561 public GitHub repositories in roughly six hours. SafeDep named the campaign Megalodon. The accounts behind it used forged author names — build-bot, auto-ci, ci-bot, pipeline-bot — chosen to read as routine CI maintenance traffic.

Each injected workflow exfiltrates OIDC tokens, AWS and GCP credentials, SSH keys, Docker and Kubernetes configuration, Vault tokens, JWTs, and API keys. The exfiltration targets matched more than 30 secret regex patterns and sent to a command-and-control server.

SafeDep identified two variants. SysDiag adds a new workflow that triggers on every push and pull request — immediate execution from the first qualifying event. Optimize-Build replaces existing workflows with a workflow_dispatch trigger, creating a dormant backdoor the attacker can activate on demand via the GitHub API.

The npm package @tiledesk/tiledesk-server was separately compromised through the legitimate maintainer's account. Versions 2.18.6 through 2.18.12 propagated the Optimize-Build variant through routine publishes. StepSecurity independently analyzed the campaign and published indicators of compromise.

Practitioners with public GitHub repositories using GitHub Actions now have a documented at-scale pattern: dormant backdoors seeded via commits indistinguishable from routine CI maintenance, including through a legitimate maintainer's npm publish flow. Routine CI bot commit traffic is now a named attack surface.

Langflow is a Python multi-agent workflow orchestration platform. CISA added CVE-2025-34291 — an origin validation error in Langflow, scored CVSS 9.4 — to its KEV catalog on May 21, 2026, with evidence of active exploitation in the wild. Federal agencies under BOD 22-01 must remediate by June 4, 2026.

The flaw combines two misconfigured trust surfaces. The first is an overly permissive CORS configuration. The second is SameSite=None authentication cookies. Together, they let an attacker direct an authenticated user to a malicious cross-origin page. That page silently forwards the user's session credentials to authenticated Langflow API endpoints.

Exploitation enables privilege escalation and remote code execution — no attacker authentication required, no action from the victim beyond loading the page.

Practitioners running Langflow as part of any multi-agent workflow now have an actively exploited, CISA-catalogued path from an authenticated user's browser session to remote code execution on the Langflow instance. CISA's KEV listing confirms active in-the-wild exploitation — the flaw is not theoretical.

Claude Code versions 2.0.24 through 2.1.89 contained a SOCKS5 hostname null-byte injection vulnerability. The flaw bypassed the sandbox's network egress allowlist. Aonan Guan of Wyze Labs disclosed it on May 20, 2026. This is the second sandbox network allowlist bypass Guan has disclosed for Claude Code.

The mechanism: a crafted hostname passes the allowlist filter at the null byte boundary, while the operating system resolves the unfiltered portion beyond it. Combined with prompt injection, the path enables exfiltration of credentials, source code, GitHub tokens, and environment variables to arbitrary external hosts.

The vulnerability spanned sandbox general availability. The window ran from 2025-10-20 through approximately March 31, 2026 — roughly 5.5 months. Anthropic patched it in Claude Code 2.1.90, released 2026-04-01. The fix adds an isValidHost() check that rejects null bytes, percent signs, and CRLF characters before the allowlist matcher runs.

No Claude Code security advisory was issued. No CVE was assigned to Claude Code. CVE-2025-66479 covers the upstream sandbox-runtime component, not the Claude Code allowlist bypass specifically. Practitioners who ran Claude Code between version 2.0.24 and 2.1.89 had an unpatched credential-exfiltration path for the entire first 5.5 months of sandbox general availability — with no advisory to signal it had existed or been fixed.