Skip to content
feed: live
>_ 0dayNews
mozilla

Firefox exploit code public; Chrome, Adobe patch same day

Mozilla says exploit code is public for two Firefox flaws fixed in 152.0.6. Chrome shipped Ozone use-after-free fixes; Adobe pushed 8 ColdFusion criticals.

Firefox exploit code public; Chrome, Adobe patch same day
Photo: Software: Wikimedia Foundation, Mozilla Foundation, and contributors Screenshot: VulcanSphere / Wikimedia Commons · CC BY-SA 4.0
fuse Marisol "Fuse" Delgado · Published · 3 min read

Four vendors shipped critical patches in the same 24-hour window, and the priority order is not the CVSS ranking — it’s whose bug already has exploit code in the wild. That’s Mozilla today. Everything else is second.

Firefox first: exploit code is public

Mozilla shipped Firefox 152.0.6 with two flaws where — in Mozilla’s own words on both advisories — “exploit code for this is public.” Neither is confirmed exploited in the wild yet, but “public PoC, no observed attacks” is a window that closes in hours, not weeks. Update Firefox before you do anything else on this list.

  • CVE-2026-15718 — invalid pointer in the JavaScript / WebAssembly component. NVD scores it CVSS 4.3 (medium); Mozilla’s language and the public-exploit status are what warrant the urgency, not the base score.
  • CVE-2026-15719 — site-isolation flaw in the DOM Navigation component. NVD scores it CVSS 5.4 (medium). Same public-exploit note from Mozilla.

The scores are lower than what The Hacker News’ multi-vendor roundup implies. Don’t argue with the number — argue with the exploit status. Public code in the field beats a critical rating on a bug nobody’s written a PoC for.

Chrome: Ozone use-after-free, patch on next launch

Google shipped Chrome 150.0.7871.124/.125 with two Ozone use-after-free fixes. Chromium’s internal rating for both is Critical; NVD scores them CVSS 7.5 High.

  • CVE-2026-15764 — Ozone use-after-free on Linux, fixed in 150.0.7871.125. Requires the attacker to convince the user to perform specific UI gestures.
  • CVE-2026-15765 — Ozone use-after-free (not Linux-limited in the NVD entry), same UI-gesture precondition, fixed in 150.0.7871.125.

Chrome auto-updates on relaunch. The honest ask here is verifying that fleet-managed Chrome installs actually did relaunch — the browser will happily run the vulnerable build until the user quits it, and “I clicked update” from the omnibox does not restart the process for you. Push a managed relaunch if you can.

Adobe: eight ColdFusion criticals, plus Commerce and AEM

Adobe’s July release patched 88 vulnerabilities, and the ColdFusion cluster is where the attention belongs. Eight CVEs at CVSS 9.0 or higher, all in one server-side product with a long history of KEV appearances. Nothing is marked exploited in the wild yet — that’s a “yet,” not a “no.”

Update ColdFusion 2025 to Update 11 and ColdFusion 2023 to Update 22:

If ColdFusion is Internet-exposed on your estate at all, treat this as the highest-priority server-side patch on your list today. The 2024 KEV additions for ColdFusion (CVE-2024-20767 among them) went from “public advisory” to “in-the-wild exploitation” faster than a lot of teams expected, and this stack of eight criticals is the kind of thing that gets weaponized inside a week.

Adobe also patched two Commerce/Magento criticals — CVE-2026-48356 (file-upload flaw, CVSS 9.6) and CVE-2026-48358 (output-encoding flaw, CVSS 9.1) — and two Experience Manager criticals: CVE-2026-48259 (SSRF, CVSS 9.6) and CVE-2026-48359 (XXE, CVSS 9.6). Merchants running unpatched Magento are already on the MageCart attention list; the file-upload flaw is the one card-skimmer operators will lead with.

Broadcom / VMware: Avi Load Balancer authentication bypass

The Hacker News reports Broadcom patched an authentication-bypass flaw in Avi Load Balancer, credited to Filip Waeytens at NATO NCSC. The CVE ID as reported (CVE-2026-47865) did not resolve on NVD or MITRE at press time — take the Broadcom advisory as authoritative on ID, affected versions, and severity when it publishes on the Broadcom security advisory portal. If you’re running Avi in front of production, subscribe to that feed and patch on the vendor’s confirmed ID rather than waiting for a syndicated writeup.

Priority call

  1. Firefox 152.0.6, right now. Exploit code is public. Even at NVD-medium scores, “public PoC” changes the risk model. If you manage Firefox with a policy, force-relaunch it.
  2. ColdFusion Updates 11 (2025) / 22 (2023). Eight criticals in one server-side product, and history says the window from advisory to KEV on ColdFusion is short. Do this before any workstation-side patch on your list.
  3. Chrome managed-relaunch verification. The bits are on the box already for most users; the question is whether the process actually restarted. Auto-update does not equal patched.
  4. Adobe Commerce / AEM criticals. Card-skimmer crews watch Magento releases the way ransomware crews watch Fortinet. Don’t leave file-upload and SSRF flaws open past this maintenance window.
  5. Watch Broadcom for the Avi Load Balancer advisory. Don’t try to backfill a CVE ID from press coverage — patch when Broadcom publishes.

Everything on this list ships in one afternoon if your patch pipeline is honest. The excuse for still running vulnerable Firefox this weekend is going to be that nobody noticed the advisory, and that’s a process problem, not a Mozilla problem.

Related CVEs

Found this useful? Share it.