Adobe has released critical security updates addressing multiple maximum-severity vulnerabilities in Adobe ColdFusion and Adobe Campaign Classic. The patches fix seven CVSS 10.0 flaws in ColdFusion and one critical flaw in Campaign Classic, all of which could lead to arbitrary code execution. Adobe has not observed any active exploitation of these vulnerabilities in the wild.
The ColdFusion updates resolve vulnerabilities including unrestricted file upload, improper input validation, and path traversal issues that could allow arbitrary code execution, privilege escalation, and arbitrary file system reads. The affected versions are ColdFusion 2023 and 2025, with fixes available in Update 21 and Update 10, respectively. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure are credited with discovering several of these flaws.
In addition, Adobe patched CVE-2026-48286 (CVSS 10.0) in Adobe Campaign Classic, an incorrect authorization vulnerability that could enable arbitrary code execution on on-premises instances. Adobe-hosted instances are already updated and require no action.
Adobe also announced a shift from monthly to twice-monthly security bulletin releases starting July 14, 2026, citing accelerated vulnerability discovery using AI models. Chief Security Officer Aanchal Gupta emphasized that AI capabilities are available to both defenders and attackers, compressing the window between disclosure and exploitation.
CVEs: CVE-2026-48276, CVE-2026-48283, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, CVE-2026-48313, CVE-2026-48315, CVE-2026-48286, CVE-2026-48307, CVE-2026-20245
Companies: Adobe
Products: Adobe ColdFusion, Adobe Campaign Classic
Original source: thehackernews.com