Adobe Patches Critical ColdFusion Vulnerabilities
Adobe patches 88 vulnerabilities, including critical ColdFusion, Commerce, and Experience Manager flaws.
Summary
Adobe has released security updates addressing 88 vulnerabilities across 12 products. Critical flaws in ColdFusion, Commerce, and Experience Manager could allow for arbitrary code execution and privilege escalation. While Adobe is not aware of any exploitation in the wild for these specific patches, users are strongly advised to apply updates promptly.
Full text
Adobe on Tuesday rolled out security updates for 12 products to address 88 vulnerabilities, including critical-severity bugs in ColdFusion, Commerce, Experience Manager, and Illustrator. Out of 13 security defects resolved in ColdFusion, eight – CVE-2026-48318, CVE-2026-48322, CVE-2026-48284, CVE-2026-48321, CVE-2026-48325, CVE-2026-48319, CVE-2026-48324, and CVE-2026-48327 – are critical issues that could lead to arbitrary code execution and privilege escalation. The critical vulnerabilities include path traversal, code injection, improper input validation, missing authentication, SQL injection, and incorrect authorization. Adobe’s fresh advisory has a priority 1 rating, meaning that customers should apply the patches as soon as possible. ColdFusion 2025 update 11 and ColdFusion 2023 update 22 resolve all the bugs. The fresh patches come only two weeks after Adobe patched six maximum-severity weaknesses in ColdFusion, including one that hackers started exploiting in attacks within hours of public disclosure. On Tuesday, Adobe also resolved 13 vulnerabilities in Commerce, including two critical-severity bugs. Tracked as CVE-2026-48356 and CVE-2026-48358, they could lead to privilege escalation and arbitrary code execution.Advertisement. Scroll to continue reading. The fresh update for Experience Manager also patches 13 security defects, including two critical bugs, tracked as CVE-2026-48259 and CVE-2026-48359. Both can be exploited for arbitrary code execution. Another critical issue was resolved in Illustrator, along with four other weaknesses. Tracked as CVE-2026-48334 and described as improper input validation, the critical flaw could be exploited for privilege escalation. On Tuesday, Adobe also announced updates for Content Credentials SDK (12 vulnerabilities), Animate (6 flaws), Audition (6), Bridge (6), Media Encoder (5), Premiere Pro (4), After Effects (3), and Creative Cloud Desktop Application (2). Adobe says it is not aware of any of these vulnerabilities being exploited in the wild. Users are advised to apply the patches as soon as possible. Additional information can be found on Adobe’s security bulletins page. Related: 7 Severe Vulnerabilities Patched in VMware Avi Load Balancer Related: SAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce Cloud Related: RabbitMQ Vulnerability Threatens Enterprise Systems Related: Organizations Warned of Exploited Joomla Extension Vulnerabilities Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire RabbitMQ Vulnerability Threatens Enterprise SystemsZimbra Patches Critical Code Execution VulnerabilityOrganizations Warned of Exploited Joomla Extension VulnerabilitiesProgress Prompts ShareFile Storage Zone Controller Shutdown Amid Security ConcernsGhost Accounts Abuse GitHub API in Mass Recon CampaignOkta Warns of Vishing Attacks Targeting Microsoft 365 CustomersGigaWiper Combines Multiple Malware for System-Level SabotageNetwork of 200 GitHub Repositories Used for Malware Infection Latest News 7 Severe Vulnerabilities Patched in VMware Avi Load BalancerUnpatched Claude for Chrome Flaw Lets Extensions Read Gmail, CalendarSAP Patches Critical Vulnerabilities in NetWeaver, Approuter, Commerce CloudUS, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure RoutersValarian Raises $50 Million for Sovereign Infrastructure Control LayerMultiple Jscrambler Packages Impacted by Supply Chain AttackPentagon Suspends CMMC Phase 2 as It Rethinks Contractor Cybersecurity RulesHacker Conversations: Jesse McGraw (GhostExodus), From Blackhat Hacker to Redemption Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 15, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveF5 has appointed Cathy Peterman as Chief People Officer.Sean Murphy has joined F5 as a Field Chief Information Security Officer - North America.CodeHunter has appointed Stephen McCarney as Chief Strategy Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- cve — CVE-2026-48318
- cve — CVE-2026-48322
- cve — CVE-2026-48284
- cve — CVE-2026-48321
- cve — CVE-2026-48325
- cve — CVE-2026-48319
- cve — CVE-2026-48324
- cve — CVE-2026-48327
- cve — CVE-2026-48356
- cve — CVE-2026-48358
- cve — CVE-2026-48259
- cve — CVE-2026-48359
- cve — CVE-2026-48334