Read, Watch or Listen

Stockholm, Sweden – The curl project, an open-source data transfer tool used on more than 30 billion devices worldwide, will stop accepting and processing vulnerability reports for the entire month of July 2026. Lead developer and founder Daniel Stenberg described the planned break as the “curl summer of bliss,” saying the pause follows a relentless surge of AI-generated security submissions that overwhelmed the project’s small, volunteer-led maintenance team. The volume of incoming reports, many produced by automated tools, has strained the project’s capacity to triage, verify and fix legitimate issues while maintaining regular development work. Project maintainers said they intend to use the July shutdown to clear the existing backlog of reports and stabilize their workflows before reopening the reporting channels. Stockholm, Sweden – The pressure on curl escalated after a spike in security findings tied to advances in AI-assisted code analysis. On June 24, 2026, the project released version 8.21.0, addressing a record 18 Common Vulnerabilities and Exposures (CVEs), the highest number of flaws ever patched in a single curl release and a record for vulnerabilities published in a single calendar year for the project. Among the fixed issues was CVE-2026-8932, a vulnerability present since version 7.7, released on March 22, 2001, making it the oldest known security flaw in curl’s 25-year history. The surge in discoveries began on May 11, 2026, after Stenberg disclosed that Anthropic’s restricted AI model, Claude Mythos, had successfully identified a curl vulnerability, prompting a wave of automated security scanning by independent researchers, bug bounty hunters and cybersecurity firms using various AI tools.

Prepared by Jonathan Pierce and reviewed by editorial team.