Anthropic said it discovered 22 new security vulnerabilities in the Firefox web browser as part of a security partnership with Mozilla, with 14 classified as high, seven as moderate, and one as low in severity. The issues were addressed in Firefox 148, released late last month, and were identified over a two-week period in January 2026.
According to Mozilla, Claude Opus 4.6 detected a use-after-free bug in the browser’s JavaScript after just 20 minutes of exploration, which was then validated by a human researcher in a virtualised environment to rule out a false positive. By the end of the effort, Anthropic said it had scanned nearly 6,000 C++ files and submitted 112 unique reports, with most issues fixed in Firefox 148 and the remainder to be addressed in upcoming releases.
One exploit Claude wrote was for CVE-2026-2796 (CVSS 9.8), described as a just-in-time miscompilation in the JavaScript WebAssembly component. The disclosure comes weeks after Anthropic released Claude Code Security for AI-powered vulnerability scanning, and Mozilla noted that AI-assisted analysis found 90 other bugs, most of which have been fixed.