6 min read | Saved February 14, 2026
Do you care about this?
An AI system identified zero-day vulnerabilities in Node.js and React, uncovering a permission bypass in Node.js and a denial of service flaw in React Server Components. These findings highlight the AI's ability to autonomously analyze code and discover security issues that traditional tools might miss.
If you do, here's more
In December 2025 and January 2026, an AI system identified zero-day vulnerabilities in Node.js and React, two core components of many JavaScript applications. One significant issue, CVE-2026-21636, is a flaw in the Node.js Permission Model, the opt-in sandbox (the --permission flag) meant to restrict what untrusted JavaScript can do at runtime. The model's restrictions were not applied to Unix domain sockets (UDS), which are addressed by file-system paths rather than network addresses, so a script confined by the permission model could still connect to local socket files and talk to the privileged services behind them, such as a Docker daemon or a database. Reaching the Docker daemon socket from a supposedly sandboxed script is typically equivalent to root on the host, so the bypass defeats the purpose of the sandbox.
Another critical vulnerability, CVE-2026-23864, affects React Server Components (RSC). The flaw is in the RSC reply decoder, the code that parses the bodies of HTTP requests addressed to server functions. A crafted request can drive the decoder into an infinite loop, exhaust memory, or crash the process outright. Affected versions include Next.js 13 through 16 as well as other frameworks built on RSC. These endpoints require no authentication, since any client that can reach the application can call a server function, so the denial of service is triggerable before any login; the practical response is to upgrade to a fixed release, because there is no credential check upstream of the decoder to lean on.
The AI system's approach to discovering these vulnerabilities mirrors how a human researcher works, but it runs autonomously: it builds an understanding of the codebase, forms hypotheses about where the security boundaries are weak, narrows them down to specific vulnerabilities, and tests exploit scenarios to confirm them. It has previously found security issues in other technologies, which shows it can carry out the full cycle of security research on its own. That is a different capability from standard Static Application Security Testing (SAST) tools, which match known bug patterns and lack the context to reason about a design-level gap such as a sandbox that overlooks one kind of socket.