Mozilla has released updates to address two critical flaws in Firefox for which exploit code has been published. Google has shipped fixes for 15 security flaws, including two critical use-after-free bugs in Ozone. Adobe has published security updates for 88 vulnerabilities, including multiple critical bugs in ColdFusion, Commerce, Experience Manager, and Illustrator.
Firefox: Two Critical Flaws with Public Exploit Code
The two Firefox vulnerabilities are tracked as CVE-2026-15718 and CVE-2026-15719. The first is an invalid pointer issue in the JavaScript: WebAssembly component. The second is a site isolation problem in the DOM: Navigation component.
Mozilla confirmed that exploit code for both vulnerabilities is publicly available. However, the company stated it is not aware of any attacks in the wild abusing these flaws. Both vulnerabilities have been addressed in Firefox version 152.0.6.
Google Chrome: Use-After-Free in Ozone
Google has patched 15 security flaws in Chrome, including two critical use-after-free vulnerabilities in Ozone. Ozone is a cross-platform abstraction layer that allows the browser to interact natively with various display servers and windowing systems. It supports Linux, ChromeOS, and Fuchsia.
CVE-2026-15764 and CVE-2026-15765 are use-after-free bugs that could allow a remote attacker to exploit heap corruption via a crafted HTML page. Successful exploitation requires the user to engage in specific UI gestures.
The flaws have been patched in Chrome version 150.0.7871.124 and 150.0.7871.125 for Windows and Mac, and 150.0.7871.124 for Linux.
Adobe: 88 Vulnerabilities Patched
Updates have been issued by Adobe on a total of 88 vulnerabilities in its various products.
The eight critical vulnerabilities affecting ColdFusion include:
- CVE-2026-48318 (CVSS 9.9): Vulnerability in path traversal causing arbitrary code execution
- CVE-2026-48322 (CVSS 9.6): Vulnerability within code injection leading to arbitrary code execution
- CVE-2026-48284 (CVSS 9.6): Vulnerability within input validation leading to arbitrary code execution
- CVE-2026-48321 (CVSS 9.3): Vulnerability within inadequate authorization leading to privilege escalation
- CVE-2026-48325 (CVSS 9.3): Vulnerability in lack of authentication causing arbitrary code execution
- CVE-2026-48319 (CVSS 9.1): Path traversal leading to arbitrary code execution
- CVE-2026-48324 (CVSS 9.1): SQL injection leading to arbitrary code execution
- CVE-2026-48327 (CVSS 9.0): Incorrect authorization leading to arbitrary code execution
The ColdFusion flaws have been remediated in ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22.
Adobe has also patched two critical flaws each in Commerce and Magento Open Source, and Experience Manager:
- CVE-2026-48356 (CVSS 9.6): File upload vulnerability in Commerce and Magento leading to privilege escalation
- CVE-2026-48358 (CVSS 9.1): Improper encoding or escaping of output leading to arbitrary code execution
- CVE-2026-48259 (CVSS 9.6): Server-side request forgery in Experience Manager leading to arbitrary code execution
- CVE-2026-48359 (CVSS 9.6): Improper restriction of XML external entity reference leading to arbitrary code execution
VMware Avi Load Balancer Authentication Bypass
Broadcom has released a fix for a critical authentication bypass vulnerability in VMware Avi Load Balancer. CVE-2026-47865 carries a CVSS score of 9.8. A malicious user with network access can exploit this flaw to access the Avi Control plane.
The vulnerability was discovered and reported by Filip Waeytens of the NATO Cyber Security Centre.
The Bottom Line
Mozilla, Google, and Adobe have all released critical security updates. Firefox users should update to version 152.0.6. Chrome users should update to version 150.0.7871.124 or later. Adobe ColdFusion users should apply the latest updates immediately.
No active exploitation has been reported for any of these flaws. However, the public availability of exploit code for the Firefox vulnerabilities makes updating urgent.
FAQ Section
What Firefox vulnerabilities were patched?
CVE-2026-15718 (invalid pointer in WebAssembly) and CVE-2026-15719 (site isolation in DOM Navigation). Both have public exploit code.
Which Chrome vulnerabilities were fixed?
Google patched 15 flaws, including CVE-2026-15764 and CVE-2026-15765, use-after-free bugs in Ozone on Linux, ChromeOS, and Fuchsia.
What Adobe ColdFusion flaws were patched?
Eight critical vulnerabilities were patched, including path traversal, code injection, SQL injection, and missing authentication flaws.
What is the VMware Avi Load Balancer vulnerability?
CVE-2026-47865 is an authentication bypass with a CVSS score of 9.8. It allows network access to the Avi Control plane.
Are these vulnerabilities being exploited?
Mozilla confirmed exploit code is public for Firefox flaws but no attacks have been observed. No active exploitation has been reported for the other flaws.
What should I do?
Update Firefox to 152.0.6, Chrome to 150.0.7871.124, and apply Adobe ColdFusion updates immediately.