Skip to main content
CybersecurityVulnerability Management

Browser, Software Updates Fix Critical Flaws

A laptop with a blank screen sits on a neutral surface, surrounded by development tools in a bright, clean tech lab setting.

Adobe has published security updates for 88 vulnerabilities, while Mozilla, Google and Broadcom shipped fixes for multiple critical bugs across browsers, server products and load‑balancing software — a concentrated burst of patches operators should not delay.

Adobe publishes updates for 88 vulnerabilities, eight hitting ColdFusion

Adobe’s July updates cover 88 distinct vulnerabilities across products including ColdFusion, Commerce, Experience Manager and Illustrator. Adobe lists eight ColdFusion flaws with high CVSS scores that could lead to arbitrary code execution or privilege escalation if exploited:

  • CVE-2026-48318 (CVSS 9.9) — path traversal that could lead to arbitrary code execution
  • CVE-2026-48322 (CVSS 9.6) — code injection that could lead to arbitrary code execution
  • CVE-2026-48284 (CVSS 9.6) — improper input validation that could lead to arbitrary code execution
  • CVE-2026-48321 (CVSS 9.3) — incorrect authorization that could lead to privilege escalation
  • CVE-2026-48325 (CVSS 9.3) — missing authentication for a critical function that could lead to arbitrary code execution
  • CVE-2026-48319 (CVSS 9.1) — path traversal that could lead to arbitrary code execution
  • CVE-2026-48324 (CVSS 9.1) — SQL injection that could lead to arbitrary code execution
  • CVE-2026-48327 (CVSS 9.0) — incorrect authorization that could lead to arbitrary code execution

Adobe says the ColdFusion issues are remediated in ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22. Adobe also fixed multiple high‑severity flaws in Adobe Commerce, Magento Open Source and Adobe Experience Manager, including:

  • CVE-2026-48356 (CVSS 9.6) — file upload vulnerability in Adobe Commerce and Magento Open Source that could lead to privilege escalation
  • CVE-2026-48358 (CVSS 9.1) — improper encoding/escaping of output in Adobe Commerce and Magento Open Source that could lead to arbitrary code execution
  • CVE-2026-48259 (CVSS 9.6) — server‑side request forgery in Adobe Experience Manager that could lead to arbitrary code execution
  • CVE-2026-48359 (CVSS 9.6) — improper restriction of XML external entity reference in Adobe Experience Manager that could lead to arbitrary code execution

Mozilla addresses two critical Firefox flaws; exploit code public

Mozilla released Firefox version 152.0.6 to address two critical vulnerabilities and warned that exploit code is publicly available. The two CVEs are:

  • CVE-2026-15718 — an invalid pointer in the JavaScript: WebAssembly component
  • CVE-2026-15719 — a site isolation flaw in the DOM: Navigation component

In its advisory Mozilla wrote, "We are aware that exploit code for this is public, however we are not aware of any attacks in the wild abusing this flaw." Operators should prioritize upgrading to Firefox 152.0.6 to close these issues.

Google ships Chrome fixes for 15 flaws, including two Ozone use‑after‑free bugs

Google released patches addressing 15 security flaws in Chrome. Among them are two critical use‑after‑free bugs in Ozone — a cross‑platform abstraction layer used on Linux, ChromeOS and Fuchsia — tracked as CVE-2026-15764 and CVE-2026-15765.

The NIST National Vulnerability Database description for CVE-2026-15764 explains: "Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.125 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page." Google’s patches are included in Chrome 150.0.7871.124/.125 for Windows and Mac and 150.0.7871.124 for Linux.

Broadcom patches critical VMware Avi Load Balancer bypass (CVE-2026-47865)

Broadcom released a fix for a critical authentication bypass in VMware Avi Load Balancer, tracked as CVE-2026-47865 (CVSS 9.8). The advisory states a malicious user with network access could exploit the flaw to access the Avi Control plane. Filip Waeytens of the NATO Cyber Security Centre (NCSC) is credited with discovering and reporting the vulnerability.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: prioritize deployment of Firefox 152.0.6 and the Chrome 150.0.7871.124/.125 updates because Mozilla explicitly notes public exploit code exists for the Firefox flaws and the NVD describes a plausible exploit path for the Chrome Ozone bug. Apply Adobe ColdFusion updates (ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22) and assess exposure to the Adobe Commerce, Magento and AEM CVEs listed above.
  • Affected enterprises and procurement leaders: inventory running instances of ColdFusion, Adobe Commerce/Magento and Adobe Experience Manager and schedule urgent patching where feasible; ensure VMware Avi Load Balancer instances are updated to address CVE-2026-47865, noting the high CVSS score and the reported ability for a networked attacker to reach the control plane.
  • End users and the general public: install updated browser releases promptly. Browser updates for Chrome and Firefox close critical memory‑corruption and site‑isolation flaws that, if weaponized, can be triggered by crafted web content.

None of the vulnerabilities listed have been marked as actively exploited in the materials cited, but the mix of high CVSS scores, public exploit code for Firefox, and discovered Ozone UI‑gesture attack paths makes these patches high‑priority. Organizations that delay risk encountering weaponized proofs‑of‑concept or targeted campaigns; the factual record here is clear: updates are available and should be installed.

Original story