Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Ravie LakshmananJul 01, 2026Artificial Intelligence / Vulnerability

Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic.

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Ravie LakshmananJul 01, 2026Artificial Intelligence / Vulnerability

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic.

The ColdFusion updates “resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass,” Adobe said in an alert released Tuesday.

The vulnerabilities are listed below –

  • CVE-2026-48276, CVE-2026-48283 (CVSS scores: 10.0) – Unrestricted upload of file with dangerous type vulnerabilities that could lead to arbitrary code execution
  • CVE-2026-48277, CVE-2026-48281, CVE-2026-48316 (CVSS scores: 10.0) – Improper input validation vulnerabilities that could lead to arbitrary code execution
  • CVE-2026-48282 (CVSS score: 10.0) – A path traversal vulnerability that could lead to arbitrary code execution
  • CVE-2026-48313 (CVSS score: 9.3) – A path traversal vulnerability that could lead to arbitrary file system read
  • CVE-2026-48315 (CVSs score: 9.3) – An improper input validation vulnerability that could lead to privilege escalation

The issues have been addressed in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure have been credited with discovering and reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307.

Separately, Adobe has also shipped fixes to close out a critical flaw in Adobe Campaign Classic impacting versions ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux that could result in arbitrary code execution.

The vulnerability, tracked as CVE-2026-48286 (CVSS score: 10.0), is a case of incorrect authorization that could enable an attacker to execute arbitrary code on affected systems. It has been patched in version ACC v7: 7.4.3 build 9397.

Adobe noted that CVE-2026-48286 only impacts on-premise Adobe Campaign instances, including fully on-premise deployments and on-premise components in hybrid deployments. Adobe-hosted instances have already been updated and require no action.

The company also emphasized that it has not found any exploits in the wild for any of the issues addressed as part of the two updates.

The disclosure comes as Adobe said it’s moving from monthly to twice-monthly publication of security bulletins and advisories on the second and fourth Tuesday of each month starting July 14, 2026, as a direct result of accelerated vulnerability discovery using artificial intelligence (AI) models.

“The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours,” Adobe’s Chief Security Officer Aanchal Gupta said. “We are applying AI to find and fix vulnerabilities first, and getting those fixes to customers faster is the natural next step.”

About Author

What do you feel about this?

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.