Critical Flaws Patched Across Browsers and Enterprise Software: Mozilla, Google, Adobe, and Broadcom Issue Urgent Updates
Major software vendors have released a flurry of security updates to address critical vulnerabilities, urging IT security professionals and users to patch their systems immediately. **Mozilla** and **Google** have fixed browser flaws, some with publicly available exploit code, while **Adobe** and **Broadcom** have tackled high-severity issues in their enterprise products, including arbitrary code execution and authentication bypass vulnerabilities.
A wave of urgent security updates has been released by leading software vendors, addressing critical vulnerabilities that could lead to arbitrary code execution, privilege escalation, and authentication bypass.
### Mozilla Firefox Addresses Critical Browser Flaws
**Mozilla** has issued updates for **Firefox** to mitigate two critical vulnerabilities, **CVE-2026-15718** and **CVE-2026-15719**, for which exploit code is publicly available. While no active attacks have been reported, the public availability of exploit code significantly increases the risk.
* **CVE-2026-15718**: An invalid pointer issue within the JavaScript: WebAssembly component.
* **CVE-2026-15719**: A site isolation flaw in the DOM: Navigation component.
Both vulnerabilities have been remediated in **Firefox version 152.0.6**.
### Google Chrome Patches Use-After-Free Bugs
Concurrently, **Google** has deployed fixes for 15 security vulnerabilities in **Chrome**, including two critical use-after-free bugs in **Ozone** (**CVE-2026-15764** and **CVE-2026-15765**).
**Ozone** is a cross-platform abstraction layer that facilitates native interaction between the browser and various display servers and windowing systems, supporting Linux, ChromeOS, and Fuchsia.
**CVE-2026-15764**, for example, describes a scenario where a remote attacker could exploit heap corruption via a crafted HTML page by convincing a user to perform specific UI gestures. These issues have been resolved in **Chrome version 150.0.7871.124/.125** for Windows and Mac, and **150.0.7871.124** for Linux.
### Adobe Addresses 88 Vulnerabilities Across Enterprise Products
**Adobe** has released comprehensive security updates addressing 88 vulnerabilities across its product line, with a focus on critical-severity bugs in **ColdFusion**, **Commerce**, **Experience Manager**, and **Illustrator**.
Notably, eight critical flaws were found in **Adobe ColdFusion**:
* **CVE-2026-48318** (CVSS: 9.9): Path traversal leading to arbitrary code execution.
* **CVE-2026-48322** (CVSS: 9.6): Code injection leading to arbitrary code execution.
* **CVE-2026-48284** (CVSS: 9.6): Improper input validation leading to arbitrary code execution.
* **CVE-2026-48321** (CVSS: 9.3): Incorrect authorization leading to privilege escalation.
* **CVE-2026-48325** (CVSS: 9.3): Missing authentication for critical function leading to arbitrary code execution.
* **CVE-2026-48319** (CVSS: 9.1): Path traversal leading to arbitrary code execution.
* **CVE-2026-48324** (CVSS: 9.1): SQL injection leading to arbitrary code execution.
* **CVE-2026-48327** (CVSS: 9.0): Incorrect authorization leading to arbitrary code execution.
These **ColdFusion** vulnerabilities have been remediated in **ColdFusion 2025 Update 11** and **ColdFusion 2023 Update 22**.
Additionally, **Adobe** fixed critical flaws in **Adobe Commerce and Magento Open Source** and **Adobe Experience Manager**:
* **CVE-2026-48356** (CVSS: 9.6): File upload vulnerability in **Adobe Commerce and Magento Open Source** leading to privilege escalation.
* **CVE-2026-48358** (CVSS: 9.1): Improper encoding/escaping in **Adobe Commerce and Magento Open Source** leading to arbitrary code execution.
* **CVE-2026-48259** (CVSS: 9.6): Server-side request forgery in **Adobe Experience Manager** leading to arbitrary code execution.
* **CVE-2026-48359** (CVSS: 9.6): Improper restriction of XML external entity reference in **Adobe Experience Manager** leading to arbitrary code execution.
### Broadcom Patches VMware Avi Load Balancer
In a separate development, **Broadcom** has released a fix for a critical authentication bypass vulnerability, **CVE-2026-47865** (CVSS: 9.8), in **VMware Avi Load Balancer**. This flaw could allow a malicious user with network access to compromise the Avi Control plane. The discovery and reporting of this vulnerability are credited to Filip Waeytens of the **NATO Cyber Security Centre (NCSC)**.
### Call to Action
While none of these vulnerabilities are currently reported as actively exploited in the wild, the public availability of exploit code for some, and the critical nature of others, necessitates immediate action. Organizations and individual users are strongly advised to apply the latest updates to mitigate potential risks, as threat actors are known to quickly weaponize newly disclosed flaws.