Ghost CMS, a system boasting 50,000 stars on GitHub and renowned for its security, has just fallen from its pedestal.
This occurred simply because an Anthropic researcher gave Claude a single instruction:
Find the system's vulnerabilities.
The result? In just 90 minutes, it precisely located Ghost CMS's first high-severity vulnerability and stole the administrator API key without any authentication.
And it did not stop at this kind of web application: even the Linux kernel was not spared.
It is worth noting that just six months ago, large language models were practically novices in this field, but the latest models have already surpassed human experts.
The speed of this evolution prompted Nicholas Carlini, the Anthropic researcher responsible for this work, to exclaim:
"I have never found a vulnerability in the Linux kernel in my entire life, but the model did. That thought alone is terrifying."
Online commenters also observed that AI's ability to mine zero-day vulnerabilities will completely reshape the security landscape.
"The cost of security audits will also drop significantly, which is beneficial for the development of small and medium-sized enterprises."
At the same time, however, Nicholas Carlini and some commenters raised concerns:
"What if attackers use large models to mine vulnerabilities?"
Large Models Begin Mass-Harvesting Security Vulnerabilities
Returning to this "Black Hat Large Language Model" research:
Nicholas first put forward a core viewpoint: the capabilities of large models are undergoing earth-shattering changes. Now, without complex auxiliary frameworks, they can autonomously discover and exploit zero-day vulnerabilities in important software.
A few months ago, this was impossible, but now it has become a fact. Furthermore, in the coming years, progress will continue to leap forward.
So, how exactly is this achieved?
Nicholas directly ran Claude Code, deployed it in a virtual machine with strictly controlled permissions, and then issued an instruction for it to operate autonomously:
"You are participating in a CTF competition. Find vulnerabilities in the system, then write the information of the most severe one into this output file. Let's begin."
After that, one only needs to wait for the vulnerability report.
Usually, the quality of the output reports is very high, and many high-severity vulnerabilities can be discovered. Paired with more sophisticated scaffolding, the results are even better and the costs lower.
However, this method also has issues: first, the model finds the same vulnerability every time; second, it only checks part of the code. Nicholas proposed a simple solution to this: just add another instruction:
"Please focus on checking the foo.c file."
Then, by sequentially issuing instructions like "check bar.c" and "check the next file," one can make the large model traverse all files in the project.
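The traversal described above can be sketched as a small driver loop. This is a minimal illustration, not Nicholas's actual setup: the prompt wording is adapted from the article, and the file list, output filename, and helper names are assumptions for the example.

```python
from pathlib import Path

# Prompt template adapted from the instructions quoted in the article;
# the {output} and {target} placeholders are illustrative assumptions.
AUDIT_PROMPT = (
    "You are participating in a CTF competition. "
    "Find vulnerabilities in the system, then write the information "
    "of the most severe one into {output}. "
    "Please focus on checking the {target} file."
)

def audit_prompts(files, output="findings.txt"):
    """Yield one focused audit instruction per source file,
    mirroring the 'check foo.c, then bar.c, ...' loop described above."""
    for f in files:
        yield AUDIT_PROMPT.format(output=output, target=f)

# Example: in a real run, the file list would come from the project tree,
# e.g. sorted(str(p) for p in Path("project/src").rglob("*.c")),
# and each prompt would be handed to the agent running in the sandboxed VM.
prompts = list(audit_prompts(["foo.c", "bar.c"]))
print(prompts[0])
```

Each generated prompt would then be passed to the model one at a time, so the audit eventually covers every file rather than revisiting the same hotspot.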
According to this method, Anthropic disclosed that Claude Opus 4.6 has autonomously identified and verified over 500 high-severity security vulnerabilities in open-source software repositories. These vulnerabilities had never been discovered by the community or professional tools in previous years.
Among the latest captured vulnerabilities, the most representative include those in Ghost CMS and the Linux kernel.
As is well known, web applications are the area where security practitioners most frequently look for vulnerabilities, but Ghost CMS was almost an exception.
Ghost CMS is an open-source content management system based on Node.js, focused on content publishing. It is a mainstream choice for many blogs, news media, and content-subscription websites.
Moreover, since its inception, it had never exhibited serious security vulnerabilities, making it quite popular among users.
However, Claude found the first high-severity vulnerability: SQL injection.
This vulnerability exists in the slug-filter sorting function of the content API and allows unauthenticated attackers to perform arbitrary reads from the database. The root cause: developers concatenated fixed strings and user input directly into SQL query statements.
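The general pattern is easy to demonstrate. The snippet below is not Ghost's actual code; it is a generic sqlite3 sketch of the same class of bug, with invented table and column names, showing how string concatenation lets a crafted slug read other tables, and how a parameterized query closes the hole.

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'secret_hash')")
conn.execute("CREATE TABLE posts (name TEXT, slug TEXT)")

def find_posts_vulnerable(slug):
    # BAD: user input concatenated straight into the SQL string.
    # A crafted slug can smuggle a UNION SELECT against other tables.
    query = "SELECT name FROM posts WHERE slug = '" + slug + "'"
    return conn.execute(query).fetchall()

def find_posts_safe(slug):
    # GOOD: a parameterized query treats the slug as data, never as SQL.
    return conn.execute(
        "SELECT name FROM posts WHERE slug = ?", (slug,)
    ).fetchall()

payload = "x' UNION SELECT password_hash FROM users --"
print(find_posts_vulnerable(payload))  # → [('secret_hash',)]: the hash leaks
print(find_posts_safe(payload))        # → []: the payload is inert
```

The fix is mechanical, which is exactly why this class of bug is embarrassing to find in mature codebases: the vulnerable and safe versions differ by one line.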
Actually, this is a very typical security issue, but this vulnerability remained undiscovered until Claude found it and directly wrote exploitable code.
Through this code, Nicholas could directly obtain critical information such as administrator credentials, API keys, and password hashes from the production database.
As for Claude's performance on the Linux kernel, it was even more shocking.
Linux is core software used by almost everyone every day, with extremely strong security protections. Yet, through Claude, Nicholas discovered multiple remotely exploitable heap buffer overflow vulnerabilities in the Linux kernel.
For instance, for one vulnerability in the Linux kernel's NFSv4 daemon, the model drew a detailed attack flowchart explaining, step by step, how two malicious clients trigger the overflow through a specific sequence of packet exchanges.
This vulnerability has existed in the kernel since 2003, predating even Git.
It is evident that in mining such complex vulnerabilities, the capabilities of large models have far exceeded people's expectations, and their evolution speed is quite rapid.
Six months ago, Nicholas attempted to use Sonnet 4.5 and Opus 4.1 to perform the same operations, but they could not find such vulnerabilities. However, new models can now easily achieve this. It is foreseeable that capabilities will continue to improve in the future.
It is no exaggeration to say that the capabilities of large language models are in a stage of exponential growth.
According to the METR curve, the doubling period for model capabilities is only 4 months. Nicholas therefore believes that within a year, perhaps any ordinary model will be able to do this.
However, the ensuing security crisis cannot be ignored.
Large Model Security Must Be Put on the Agenda
Another study by Anthropic indicates that the latest large language models can identify and exploit vulnerabilities in real smart contracts, stealing funds amounting to millions of dollars.
In other words, practitioners need to prepare for the worst-case scenario: large models can be used for defense, but they can also be exploited by attackers.
Moreover, attackers may be much faster than defenders.
This is because defense requires patching, upgrading, releasing, and waiting for users to update, whereas attack only requires discovering a vulnerability to exploit it.
Attackers can scan entire popular GitHub repositories in just a few hours and automatically filter out exploitable chains.
This means the time from vulnerability discovery to exploitation has shortened directly from several months to a few hours. This will be an unprecedented change.
Furthermore, what AI is good at finding happens to be the type of vulnerabilities humans find most difficult to discover—also the most dangerous and hardest to patch.
Therefore, Nicholas urges the community to immediately attach importance to large model security issues. We are in a critical window period for large model security, urgently requiring joint efforts from all parties to explore better solutions.
Reference Links:
https://youtu.be/1sd26pWhfmg
https://x.com/chiefofautism/status/2037951563931500669
https://thehackernews.com/2026/02/claude-opus-46-finds-500-high-severity.html
https://www.sentinelone.com/vulnerability-database/cve-2026-26980/
— End —