Adobe Fixes 7 CVSS 10.0 RCE Flaws in ColdFusion and Campaign Classic
Adobe released emergency patches on Tuesday addressing seven maximum-severity vulnerabilities spanning Adobe ColdFusion and Adobe Campaign Classic, six of which carry a CVSS score of 10.0. The flaws enable arbitrary code execution, privilege escalation, arbitrary file system reads, and security feature bypass, prompting Adobe to push simultaneous updates across two major product lines.
The ColdFusion updates resolve a cluster of critical issues affecting versions prior to ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. These include unrestricted file upload flaws (CVE-2026-48276 and CVE-2026-48283), improper input validation bugs (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316), and a path traversal vulnerability (CVE-2026-48282), all rated 10.0. Two additional path traversal and input validation issues (CVE-2026-48313 and CVE-2026-48315) scored 9.3. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure were credited for reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307. Organizations running exposed ColdFusion instances should immediately verify exposure using a port scanner and ensure TLS configurations are hardened with an SSL/TLS checker, since ColdFusion deployments are frequent targets for unauthenticated remote attacks.
Separately, Adobe patched CVE-2026-48286, a CVSS 10.0 incorrect authorization vulnerability in Adobe Campaign Classic affecting ACC v7 7.4.3 build 9396 and earlier on Windows and Linux, fixed in build 9397. Adobe noted the flaw only impacts on-premises and hybrid deployments, while Adobe-hosted instances require no action. Adobe stated it has not observed any of these flaws being exploited in the wild.
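A patch-level triage over an asset inventory, using the fixed levels given in the two paragraphs above (ColdFusion 2023 Update 21, ColdFusion 2025 Update 10, Campaign Classic build 9397). This is an added example, not Adobe tooling; the CSV layout, host names and status labels are constructed, and it assumes Campaign Classic build numbers increase monotonically.

```python
import csv
import io

# Fixed levels as stated in the article above.
CF_FIXED_UPDATE = {"2023": 21, "2025": 10}   # ColdFusion release -> first fixed Update
ACC_FIXED_BUILD = 9397                        # Campaign Classic v7 first fixed build

# Constructed sample inventory: hosts and column layout are hypothetical.
SAMPLE_INVENTORY = """host,product,release,level,deployment
cf-app-01,coldfusion,2023,20,on-premises
cf-app-02,coldfusion,2025,10,on-premises
cf-app-03,coldfusion,2023,unknown,on-premises
cf-legacy,coldfusion,2021,18,on-premises
acc-mkt-01,campaign-classic,7.4.3,9396,hybrid
acc-mkt-02,campaign-classic,7.4.3,9397,on-premises
acc-saas,campaign-classic,7.4.3,,adobe-hosted
"""

def _level(row):
    """Return the Update/build number as int, or None if not recorded."""
    try:
        return int(row["level"].strip())
    except ValueError:
        return None

def triage(row):
    """Classify one inventory row as VULNERABLE, PATCHED, NO_ACTION or REVIEW."""
    product = row["product"].strip().lower()
    if product == "coldfusion":
        fixed = CF_FIXED_UPDATE.get(row["release"].strip())
    elif product == "campaign-classic":
        # Adobe-hosted instances require no customer action per the article.
        if row["deployment"].strip().lower() == "adobe-hosted":
            return "NO_ACTION"
        fixed = ACC_FIXED_BUILD
    else:
        fixed = None
    level = _level(row)
    # Unknown product, a release the article does not cover, or a missing
    # level cannot be decided from these thresholds: send to manual review.
    if fixed is None or level is None:
        return "REVIEW"
    return "PATCHED" if level >= fixed else "VULNERABLE"

def triage_inventory(text):
    """Map host -> status for a CSV inventory in the layout shown above."""
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:<12} {status}")
```

Hosts that come back as REVIEW are the ones to check by hand against Adobe's bulletin, since the article gives no fixed level for them.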
The disclosure coincides with Adobe's announcement that it will shift from monthly to twice-monthly security bulletins, beginning July 14, 2026, citing accelerated vulnerability discovery driven by AI models. Chief Security Officer Aanchal Gupta warned that attackers now have access to the same frontier AI capabilities defenders use, compressing the window between disclosure and active exploitation. Admins should apply patches immediately, rotate any credentials used on affected systems, and verify administrator accounts against known leaks using an email breach checker to prevent follow-on intrusions.