Adobe has released Priority 1 security updates for ColdFusion and Adobe Campaign Classic to fix multiple high-severity vulnerabilities, including seven flaws rated CVSS 10.0. In ColdFusion, the patched issues affect versions 2025.9, 2023.20, and earlier, and include improper input validation (CVE-2026-48281, CVE-2026-48277), unrestricted file upload (CVE-2026-48276, CVE-2026-48283), and path traversal (CVE-2026-48282) bugs that could allow unauthenticated remote code execution without user interaction. Additional ColdFusion flaws include a path traversal issue with arbitrary file read and limited write access (CVE-2026-48313), an SSRF bug (CVE-2026-48285), and user-interaction issues such as reflected XSS (CVE-2026-48307) and improper input validation tied to malicious files (CVE-2026-48315).
Adobe also patched CVE-2026-48286 in Adobe Campaign Classic, an incorrect authorization flaw affecting version 7.4.3 and earlier that can lead to arbitrary code execution on on-premises instances. Adobe said it is not aware of in-the-wild exploitation of the specific vulnerabilities, but assigned the updates a Priority 1 rating, indicating they are being targeted or are at high risk of being targeted, and urged administrators to patch within 72 hours. Recommended versions include ColdFusion 2025 Update 10, ColdFusion 2023 Update 21, and Campaign Classic 7.4.4 / build 9397 or later.

5 events from the most recent confirmed update back to the earliest known activity.
Adobe announced it will move to a twice-monthly security bulletin schedule to speed delivery of security updates. The new cadence is set to begin on July 14, 2026.
Adobe directed users to update to ColdFusion 2025 Update 10, ColdFusion 2023 Update 21, and the latest Campaign Classic build, with Campaign Classic fixes available in version 7.4.3 build 9397 for Windows and Linux and remediation guidance to move to 7.4.4 or later. These versions were identified as containing fixes for the newly disclosed vulnerabilities.
Adobe released security updates addressing multiple vulnerabilities in ColdFusion and Campaign Classic, including seven CVSS 10.0 flaws. The company said it was not aware of active exploitation of the issues, but assigned the updates Priority 1 and urged rapid patching.
Multiple Adobe vulnerabilities were published, including critical ColdFusion flaws CVE-2026-48315, CVE-2026-48281, CVE-2026-48277, CVE-2026-48313, CVE-2026-48276, CVE-2026-48282, CVE-2026-48283, high-severity CVE-2026-48285, and Campaign Classic flaw CVE-2026-48286. The disclosures described impacts including remote code execution, path traversal, SSRF, and file upload issues affecting supported product versions and earlier releases.
Adobe ColdFusion reflected XSS vulnerability CVE-2026-48307 was published as affecting ColdFusion 2025.9, 2023.20, and earlier. The flaw requires user interaction and could enable malicious script injection leading to code execution in the current user's context.