Back to Feed
VulnerabilitiesJul 15, 2026

Firefox, Chrome, Adobe, and VMware Updates Fix Multiple Critical Security Flaws

Firefox, Chrome, Adobe, and VMware release updates to fix critical security flaws.

Summary

Mozilla, Google, Adobe, and Broadcom have released patches for numerous critical vulnerabilities across their products. Firefox addresses two critical flaws with public exploit code, while Chrome fixes two critical use-after-free bugs. Adobe has patched 88 vulnerabilities, including critical ones in ColdFusion, Commerce, Experience Manager, and Illustrator. Broadcom also released a fix for a critical authentication bypass in VMware Avi Load Balancer. While no active exploitation is reported, users are urged to update immediately.

Full text

Firefox, Chrome, Adobe, and VMware Updates Fix Multiple Critical Security Flaws Ravie LakshmananJul 15, 2026Vulnerability / Browser Security Mozilla has released updates to address two critical flaws in Firefox for which it warned that exploit code has been published. The vulnerabilities are listed below - CVE-2026-15718, an invalid pointer in the JavaScript: WebAssembly component CVE-2026-15719, a site isolation in the DOM: Navigation component "We are aware that exploit code for this is public, however we are not aware of any attacks in the wild abusing this flaw," Mozilla said in an advisory. Both vulnerabilities have been addressed in Firefox version 152.0.6. The release comes as Google shipped fixes for 15 security flaws, including two critical use-after-free bugs in Ozone (CVE-2026-15764 and CVE-2026-15765), a cross-platform abstraction layer that allows the browser to interact natively with various display servers and windowing systems. It supports Linux, ChromeOS, and Fuchsia. "Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page," according to a description of CVE-2026-15764 in the NIST National Vulnerability Database (NVD). The shortcomings have been patched in Chrome version 150.0.7871.124/.125 for Windows and Mac and 150.0.7871.124 for Linux. In a related development, Adobe has published security updates for 88 vulnerabilities, including multiple critical-severity bugs in ColdFusion, Commerce, Experience Manager, and Illustrator. Of these, eight impact Adobe ColdFusion - CVE-2026-48318 (CVSS score: 9.9) - A path traversal vulnerability that could lead to arbitrary code execution CVE-2026-48322 (CVSS score: 9.6) - A code injection vulnerability that could lead to arbitrary code execution CVE-2026-48284 (CVSS score: 9.6) - An improper input validation vulnerability that could lead to arbitrary code execution CVE-2026-48321 (CVSS score: 9.3) - An incorrect authorization vulnerability that could lead to privilege escalation CVE-2026-48325 (CVSS score: 9.3) - A missing authentication for a critical function vulnerability that could lead to arbitrary code execution CVE-2026-48319 (CVSS score: 9.1) - A path traversal vulnerability that could lead to arbitrary code execution CVE-2026-48324 (CVSS score: 9.1) - An SQL injection vulnerability that could lead to arbitrary code execution CVE-2026-48327 (CVSS score: 9.0) - An incorrect authorization vulnerability that could lead to arbitrary code execution The CodeFusion flaws have been remediated in versions ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22. Also fixed by Adobe are two critical flaws each in Adobe Commerce and Magento Open Source and Adobe Experience Manager - CVE-2026-48356 (CVSS score: 9.6) - A file upload vulnerability in Adobe Commerce and Magento Open Source that could lead to privilege escalation CVE-2026-48358 (CVSS score: 9.1) - An improper encoding or escaping of output vulnerability in Adobe Commerce and Magento Open Source that could lead to arbitrary code execution CVE-2026-48259 (CVSS score: 9.6) - A server-side request forgery vulnerability in Adobe Experience Manager that could lead to arbitrary code execution CVE-2026-48359 (CVSS score: 9.6) - An improper restriction of XML external entity reference vulnerability in Adobe Experience Manager that could lead to arbitrary code execution Elsewhere, Broadcom has released a fix for a critical authentication bypass vulnerability in VMware Avi Load Balancer (CVE-2026-47865, CVSS score: 9.8) that a malicious user with network access can exploit to access the Avi Control plane. Filip Waeytens of the NATO Cyber Security Centre (NCSC) has been credited with discovering and reporting the flaw. Although none of the vulnerabilities have been marked as actively exploited, it's essential that organizations install the latest updates, given that threat actors are known to weaponize flaws in these products in attacks. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Application Security, browser security, enterprise security, network security, remote code execution, Software Security, Vulnerability, Web Security ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls

Indicators of Compromise

  • cve — CVE-2026-15718
  • cve — CVE-2026-15719
  • cve — CVE-2026-15764
  • cve — CVE-2026-15765
  • cve — CVE-2026-48318
  • cve — CVE-2026-48322
  • cve — CVE-2026-48284
  • cve — CVE-2026-48321
  • cve — CVE-2026-48325
  • cve — CVE-2026-48319
  • cve — CVE-2026-48324
  • cve — CVE-2026-48327
  • cve — CVE-2026-48356
  • cve — CVE-2026-48358
  • cve — CVE-2026-48259
  • cve — CVE-2026-48359
  • cve — CVE-2026-47865

Entities

Firefox (product)Chrome (product)Adobe ColdFusion (product)Adobe Commerce (product)Adobe Experience Manager (product)Adobe Illustrator (product)