Anthropic used Claude Opus 4.6 to identify 22 Firefox vulnerabilities in January 2026, with Mozilla addressing most of them in Firefox 148, released in January 2026. The team reported that 14 of the 22 vulnerabilities were high-severity. After testing the model on Firefox, including reproducing historical CVEs from older versions, they documented 112 unique reports across nearly 6,000 C++ files.
When tested on its ability to exploit the flaws, Claude produced working exploits in only two cases, at a cost of around $4,000 in API credits, and the exploits were described as crude and usable only in controlled environments with sandboxing disabled. According to the report published by Anthropic, Claude is much better at finding bugs than at exploiting them, and the cost of identifying vulnerabilities is far lower than that of creating an exploit.
Mozilla praised the collaboration and noted an AI-assisted security research approach, highlighting AI’s growing role in rapidly detecting and reporting critical software flaws.