Adobe Rolls Out Fixes for Critical ColdFusion and Campaign Classic Vulnerabilities
Adobe has released security updates for a set of high-risk flaws in ColdFusion and Campaign Classic, including several issues rated CVSS 10.0 that could allow remote code execution on vulnerable syste...
Adobe has released security updates for a set of high-risk flaws in ColdFusion and Campaign Classic, including several issues rated CVSS 10.0 that could allow remote code execution on vulnerable systems.
ColdFusion updates address multiple severe bugs
The ColdFusion patches cover problems that Adobe says could lead to arbitrary code execution, privilege escalation, security feature bypass, and unauthorized file-system access. The company has addressed the issues in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10.
- CVE-2026-48276 and CVE-2026-48283: dangerous file upload issues
- CVE-2026-48277, CVE-2026-48281, and CVE-2026-48316: input-validation flaws tied to code execution
- CVE-2026-48282: a path traversal flaw that could permit code execution
- CVE-2026-48313: a path traversal issue that could expose files
- CVE-2026-48315: an input-validation bug that could enable privilege escalation
Adobe credited outside researchers, including Anirudh Anand, Matan Sandori, and 2Bsecure, for reporting some of the flaws.
Campaign Classic also receives an urgent fix
In a separate advisory, Adobe patched a critical authorization flaw in Adobe Campaign Classic, tracked as CVE-2026-48286. The issue affects ACC v7 7.4.3 build 9396 and earlier on Windows and Linux, and could allow arbitrary code execution. Adobe says the fix is included in ACC v7 7.4.3 build 9397.
The company said the Campaign Classic bug affects only on-premises deployments, including hybrid environments with on-prem components. Adobe-hosted customers do not need to take action because those systems have already been updated.
Active exploitation reported for one ColdFusion flaw
Adobe said it had not seen public exploitation of the issues at the time of disclosure. However, later reporting indicated that CVE-2026-48282 was targeted within hours of the patch release, with one attempted attack observed from an IP address geolocated to India.
Security analysts also noted that the vulnerable ColdFusion upload feature is disabled by default, but systems that enable it may still be exposed without authentication.
Adobe changes its patch cadence
The disclosures arrive as Adobe prepares to move from monthly to twice-monthly security bulletins starting July 14, 2026. The company says faster vulnerability discovery using AI tools is shortening the time attackers have to act once flaws become public.
Adobe Security Chief Aanchal Gupta said the company is using the same AI-driven approach to identify and remediate flaws more quickly before attackers can exploit them.
