Summary
Mozilla’s April 21, 2026 post says Firefox 150 includes fixes for 271 vulnerabilities identified during an initial Claude Mythos Preview evaluation. Mozilla frames the result as evidence that frontier models can now reason through browser source code in ways comparable to elite human security researchers, but at a different scale.
The public CVE layer is narrower than the 271 headline. Mozilla’s advisory for Firefox 150 credits researchers “using Claude from Anthropic” on CVE-2026-6746, a high-impact DOM use-after-free, and on CVE-2026-6757 and CVE-2026-6758, moderate JavaScript/WebAssembly issues.
Why this is grouped
The 271 number is too important to omit, but it should not be treated as 271 separate public CVEs. The ledger records it as a browser-release cluster and calls out the CVEs where the public advisory credit is explicit.
Editorial note
This is a strong example of bugflation pressure on triage and release engineering. Mozilla’s post says the initial volume caused “vertigo” but that the team reprioritized around remediation and shipped the fixes.
References
- Mozilla: The zero-days are numbered
- Mozilla MFSA 2026-30: Firefox 150
- Mozilla MFSA 2026-32: Firefox ESR 140.10
Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.