SecurityWeek

Artificial Intelligence

Claude Mythos Finds 271 Firefox Vulnerabilities

All the flaws could have also been found by an elite human researcher, according to Mozilla.

Mozilla says Anthropic’s new cybersecurity-focused Claude Mythos AI model has discovered 271 vulnerabilities in Firefox.

The vulnerabilities, identified with an early version of Claude Mythos Preview, were patched in the popular web browser this week with the release of version 150.

More than 40 CVEs have been addressed in Firefox 150, but only three are credited to Claude in the official advisory: CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758. 

This indicates that many of the 271 bugs are likely lower-severity issues or flaws that don’t meet the threshold for a public CVE. This can include defense-in-depth issues, hardening, or bugs in non-exploitable code paths.

Mozilla has not shared any information on the type or nature of the vulnerabilities, but has made an important clarification. 

“Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher. Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don’t think so,” Firefox CTO Bobby Holley noted.

The fact that Claude Mythos found so many Firefox vulnerabilities is not surprising. When Anthropic released Mythos, the AI giant said the new frontier model can autonomously discover thousands of zero-day vulnerabilities.

That is why the company decided to withhold its public release and instead offer it only to a relatively small number of major organizations through a program called Project Glasswing.    

The list of companies in Project Glasswing includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks.

Palo Alto Networks has also shared some preliminary data from testing Mythos, saying that in terms of vulnerability discovery it accomplished the equivalent of a year’s worth of pentesting in less than three weeks.

The cybersecurity company also noted that the AI has impressive vulnerability-chaining capabilities, combining medium- and low-severity issues into a critical exploit. 

In addition, Mythos can identify logic-based issues that traditional tools may not detect.

“Within six months, advanced AI models with deep cybersecurity capabilities will become commonplace. Organizations that have not put appropriate safeguards in place will face an entirely new class of risk across their enterprise and critical infrastructure,” said Lee Klarich, chief product and technology officer at Palo Alto Networks.

Klarich pointed out that similar advances will likely come from other AI companies and the models may not be as restricted as Mythos. 

In addition, there are already some reports of Mythos being accessed by unauthorized users.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
