Adobe fixes critical flaws across Acrobat, ColdFusion, Experience Manager, and Campaign
Adobe released a broad set of security updates covering Adobe Experience Manager, Acrobat/Reader, ColdFusion, Dreamweaver, InDesign, InCopy, Substance 3D Sampler, Format Plugins, Campaign Classic, and Content Credentials SDK components, prompting alerts from national and regional CERTs including Canada’s Cyber Centre and HKCERT. The advisories span multiple high-severity issues, with affected versions including ColdFusion 2023.19 and 2025.8 and earlier, Dreamweaver 21.7 and earlier, Campaign Classic 7.4.3 build 9394 and earlier, and AEM Forms JEE LTS SP1 / 6.5.24.0 and earlier.
The most serious disclosures include multiple remote code execution bugs in Acrobat/Reader, such as CVE-2026-47911, CVE-2026-47912, CVE-2026-47913, CVE-2026-47914, CVE-2026-47915, CVE-2026-47918, and CVE-2026-47919, largely tied to use-after-free conditions and malicious file handling. Several ColdFusion flaws, including CVE-2026-47928, CVE-2026-47929, CVE-2026-47930, CVE-2026-47931, and CVE-2026-47932, can enable code execution, security feature bypass, or unauthorized read/write access. AEM Forms JEE is affected by stored and reflected XSS issues CVE-2026-34691 and CVE-2026-34693. Campaign Classic issues CVE-2026-47938 and CVE-2026-48303 involve SSRF, privilege escalation, and possible code execution. Dreamweaver is exposed to arbitrary file read via CVE-2026-47907, and the USD Fileformat Plugins carry heap-based buffer overflows CVE-2026-48291 and CVE-2026-48292. Adobe has issued patches for the affected products, and defenders are being urged to review the vendor bulletins and deploy updates quickly.

How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Adobe revises Campaign Classic CVE-2026-47938 impact
Adobe modified the CVE-2026-47938 description on this date to change the stated impact from arbitrary code execution to privilege escalation. The CVE remained associated with an SSRF flaw in Adobe Campaign Classic.
Adobe discloses Campaign Classic vulnerabilities
Adobe disclosed CVE-2026-47938 and CVE-2026-48303 affecting Adobe Campaign Classic 7.4.3 build 9394 and earlier. The issues included SSRF and incorrect authorization flaws with severe impact and no user interaction required.
Adobe discloses and patches USD-Fileformat-plugins RCE flaws
Adobe publicly disclosed CVE-2026-48291 and CVE-2026-48292 affecting Adobe USD-Fileformat-plugins and issued updates to remediate them. Both heap-based buffer overflow flaws were in the usdGltf plugin and could lead to arbitrary code execution.
Adobe updates Acrobat and Reader for coordinated vulnerability release
Adobe released updates and publicly disclosed multiple Acrobat and Reader vulnerabilities in a coordinated release, including CVE-2026-47911 through CVE-2026-47915, CVE-2026-47918, CVE-2026-47919, CVE-2026-47923, and CVE-2026-47924. The issues included remote code execution and information disclosure flaws documented by ZDI advisories.
Adobe discloses Dreamweaver arbitrary file read flaw
Adobe disclosed CVE-2026-47907 affecting Dreamweaver Desktop 21.7 and earlier. The improper access control issue could allow arbitrary file system read if a victim opens a malicious file.
Adobe discloses multiple ColdFusion vulnerabilities
Adobe disclosed several ColdFusion flaws on this date, including CVE-2026-47928, CVE-2026-47929, CVE-2026-47930, CVE-2026-47931, and CVE-2026-47932. The issues affected ColdFusion 2023.19, 2025.8, and earlier, with impacts including code execution, security feature bypass, incorrect authorization, and path traversal.
Adobe discloses AEM Forms JEE XSS vulnerabilities
Adobe disclosed CVE-2026-34691 and CVE-2026-34693 affecting Adobe Experience Manager Forms JEE, covering stored and reflected cross-site scripting issues. The flaws affected LTS SP1, version 6.5.24.0, and earlier releases.
Adobe publishes broad June 2026 security advisories
Adobe published security advisories addressing critical vulnerabilities across products including Experience Manager, InDesign, InCopy, Substance 3D Sampler, Dreamweaver, Acrobat, Reader, ColdFusion, Format Plugins, Campaign Classic, and Content Credentials SDK components. The Canadian Centre for Cyber Security urged administrators and users to review the advisories and apply updates.
Additional Acrobat Reader flaws reported to Adobe
Two Acrobat Reader DC vulnerabilities later tracked as CVE-2026-47918 and CVE-2026-47919 were reported to Adobe on this date. Both were use-after-free issues involving Annotation object handling that could lead to remote code execution.
ZeroPath documents Acrobat Reader CVE-2026-34621 RCE flaw
A ZeroPath report described CVE-2026-34621 as a prototype pollution vulnerability in Adobe Acrobat Reader that can lead to arbitrary code execution when a user opens a crafted PDF. The report cited Adobe advisory APSB26-43 as the remediation reference and said affected versions included 24.001.30356 and earlier and 26.001.21367 and earlier.
Adobe USD-Fileformat-plugins flaw reported to Adobe
The heap-based buffer overflow later tracked as CVE-2026-48292 and ZDI-26-351 was reported to Adobe on this date. The issue affected the usdGltf plugin and could enable arbitrary code execution.
Adobe Acrobat Pro DC flaw reported to Adobe
The vulnerability later tracked as CVE-2026-47915 and ZDI-26-349 was reported to Adobe on this date. The bug was a use-after-free issue in Annots.api that could lead to remote code execution.
Multiple Acrobat Reader flaws reported to Adobe
Several vulnerabilities later tracked as CVE-2026-47911, CVE-2026-47912, CVE-2026-47913, CVE-2026-47914, CVE-2026-47923, and CVE-2026-47924 were reported to Adobe on this date, according to ZDI disclosure timelines. These issues affected Adobe Acrobat Reader DC and included remote code execution and information disclosure flaws.
Adobe Acrobat Reader CVE-2026-27220 reported to Adobe
The use-after-free vulnerability later tracked as CVE-2026-27220 and ZDI-26-355 was reported to Adobe on this date. The flaw affected Adobe Acrobat Reader DC's Annotation object handling and could allow remote code execution if a user opened a malicious file or visited a malicious page.
ZeroPath documents Acrobat Reader CVE-2025-54257 use-after-free flaw
A ZeroPath report described CVE-2025-54257 as a use-after-free vulnerability in Adobe Acrobat Reader that can enable arbitrary code execution when a user opens a specially crafted malicious PDF. The report said the flaw affects vulnerable Reader versions on Windows and macOS and noted that no public exploit code or detailed exploit chain had been released as of publication.
Sources
Adobe Monthly Security Update (June 2026) (hkcert.org)
Alert regarding vulnerabilities in Adobe Acrobat and Reader (APSB26-63) (jpcert.or.jp)
Adobe security advisory (AV26-570) - Canadian Centre for Cyber Security (cyber.gc.ca)
CVE-2026-34693 - Adobe Experience Manager Forms JEE | Cross-site Scripting (Reflected XSS) (CWE-79) (cvefeed.io)
ZDI-26-348 | Zero Day Initiative (zerodayinitiative.com)
ZDI-26-345 | Zero Day Initiative (zerodayinitiative.com)
ZDI-26-355 | Zero Day Initiative (zerodayinitiative.com)
Adobe Acrobat Reader CVE-2025-54257 Use After Free Vulnerability: Brief Summary and Technical Review - ZeroPath Blog | ZeroPath (zeropath.com)


