Mozilla has issued critical security updates for its Firefox browser to address two vulnerabilities, CVE-2026-15718 and CVE-2026-15719. The company has warned that exploit code for these flaws is publicly available, raising concerns about potential targeted attacks. While Mozilla stated it is not currently aware of any active exploitation in the wild, users are strongly advised to update to Firefox version 152.0.6 immediately to safeguard against emerging threats.
The first vulnerability, CVE-2026-15718, is an invalid pointer issue within the JavaScript WebAssembly component of Firefox. The second, CVE-2026-15719, concerns a site isolation flaw within the DOM Navigation component. Both issues have been patched by Mozilla, emphasizing the ongoing cat-and-mouse game between software vendors and malicious actors seeking to exploit browser security weaknesses.
Browser Security Updates Amidst Broader Patching Efforts
This urgent Firefox update arrives amidst a flurry of security fixes from major technology companies. Google, for instance, recently released patches for 15 security flaws affecting its Chrome browser. Among these were two critical use-after-free vulnerabilities, CVE-2026-15764 and CVE-2026-15765, found in Ozone, a cross-platform abstraction layer integral to the browser’s interaction with display servers and windowing systems on Linux, ChromeOS, and Fuchsia. According to the NIST National Vulnerability Database, CVE-2026-15764 could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page, provided a user engages in specific UI gestures. These Chrome vulnerabilities have been addressed in versions 150.0.7871.125 for Windows and Mac, and 150.0.7871.124 for Linux.
In a related development, Adobe has addressed a significant number of vulnerabilities across its product suite, releasing security updates for 88 flaws. Several critical-severity bugs were patched in ColdFusion, Commerce, Experience Manager, and Illustrator. Notably, eight vulnerabilities impacting Adobe ColdFusion were resolved. These include a high-severity path traversal vulnerability (CVE-2026-48318, CVSS score 9.9) and a code injection vulnerability (CVE-2026-48322, CVSS score 9.6), both with the potential for arbitrary code execution. Other critical ColdFusion flaws patched involve improper input validation, incorrect authorization, missing authentication, and SQL injection, with CVSS scores ranging from 9.0 to 9.3, many also leading to arbitrary code execution or privilege escalation.
Adobe’s Extensive Security Patching
The ColdFusion issues have been remediated in ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22. Adobe also resolved critical vulnerabilities in Adobe Commerce and Magento Open Source, as well as Adobe Experience Manager. These include a file upload vulnerability in Adobe Commerce and Magento Open Source (CVE-2026-48356, CVSS score 9.6) that could lead to privilege escalation, and an improper encoding or escaping of output vulnerability (CVE-2026-48358, CVSS score 9.1) that could result in arbitrary code execution. For Adobe Experience Manager, critical flaws patched include a server-side request forgery vulnerability (CVE-2026-48259, CVSS score 9.6) and an improper restriction of XML external entity reference vulnerability (CVE-2026-48359, CVSS score 9.6), both of which could enable arbitrary code execution.
Meanwhile, Broadcom has issued a patch for a critical authentication bypass vulnerability in VMware Avi Load Balancer (CVE-2026-47865, CVSS score 9.8). This flaw, discovered by Filip Waeytens of the NATO Cyber Security Centre, could allow a malicious user with network access to bypass authentication and access the Avi Control plane. While none of these newly disclosed vulnerabilities have been confirmed as actively exploited, the proactive patching by these vendors underscores their awareness of the threat landscape. Organizations are urged to prioritize the installation of these latest updates, as past trends show threat actors frequently weaponize such flaws for malicious campaigns.
The continuous release of security updates across various software products highlights the dynamic nature of cybersecurity. Users and organizations must remain vigilant in applying patches promptly to mitigate the risks associated with newly discovered vulnerabilities and protect their systems from potential exploitation.

