Vulnerabilities | Jul 1, 2026

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Adobe patches 7 CVSS 10.0 flaws in ColdFusion and Campaign Classic enabling code execution.

Summary

Adobe released security updates addressing multiple maximum-severity vulnerabilities in ColdFusion and Adobe Campaign Classic, including 7 flaws with CVSS 10.0 scores that could lead to arbitrary code execution, privilege escalation, and file system access. The vulnerabilities span unrestricted file uploads, improper input validation, and path traversal issues across multiple versions. Adobe noted it has not found active exploitation in the wild and is shifting to twice-monthly security bulletins due to accelerated vulnerability discovery via AI models.

Full text

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic Ravie LakshmananJul 01, 2026Artificial Intelligence / Vulnerability Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic. The ColdFusion updates "resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass," Adobe said in an alert released Tuesday. The vulnerabilities are listed below - CVE-2026-48276, CVE-2026-48283 (CVSS scores: 10.0) - Unrestricted upload of file with dangerous type vulnerabilities that could lead to arbitrary code execution CVE-2026-48277, CVE-2026-48281, CVE-2026-48316 (CVSS scores: 10.0) - Improper input validation vulnerabilities that could lead to arbitrary code execution CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability that could lead to arbitrary code execution CVE-2026-48313 (CVSS score: 9.3) - A path traversal vulnerability that could lead to arbitrary file system read CVE-2026-48315 (CVSs score: 9.3) - An improper input validation vulnerability that could lead to privilege escalation The issues have been addressed in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure have been credited with discovering and reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307. Separately, Adobe has also shipped fixes to close out a critical flaw in Adobe Campaign Classic impacting versions ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-48286 (CVSS score: 10.0), is a case of incorrect authorization that could enable an attacker to execute arbitrary code on affected systems. It has been patched in version ACC v7: 7.4.3 build 9397. 
Adobe noted that CVE-2026-48286 only impacts on-premise Adobe Campaign instances, including fully on-premise deployments and on-premise components in hybrid deployments. Adobe-hosted instances have already been updated and require no action. The company also emphasized that it has not found any exploits in the wild for any of the issues addressed as part of the two updates. The disclosure comes as Adobe said it's moving from monthly to twice-monthly publication of security bulletins and advisories on the second and fourth Tuesday of each month starting July 14, 2026, as a direct result of accelerated vulnerability discovery using artificial intelligence (AI) models. "The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours," Adobe's Chief Security Officer Aanchal Gupta said. "We are applying AI to find and fix vulnerabilities first, and getting those fixes to customers faster is the natural next step." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Adobe, artificial intelligence, Code Execution, ColdFusion, Path Traversal, Vulnerability ⚡ Top Stories This Week Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access Google Sets Sept. 
30 Deadline for Android Developer Verification in Four Countries Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check

Indicators of Compromise

  • cve — CVE-2026-48276
  • cve — CVE-2026-48283
  • cve — CVE-2026-48277
  • cve — CVE-2026-48281
  • cve — CVE-2026-48316
  • cve — CVE-2026-48282
  • cve — CVE-2026-48313
  • cve — CVE-2026-48315
  • cve — CVE-2026-48286
  • cve — CVE-2026-48307

Entities

  • Adobe (vendor)
  • ColdFusion (product)
  • Adobe Campaign Classic (product)
  • Artificial Intelligence (technology)