Adobe has issued critical security updates for its ColdFusion and Campaign Classic products, addressing multiple vulnerabilities that could lead to severe security breaches.
ColdFusion Vulnerabilities
The latest updates for ColdFusion resolve several critical and important vulnerabilities, including:
- CVE-2026-48276 and CVE-2026-48283: Unrestricted file upload vulnerabilities allowing arbitrary code execution.
- CVE-2026-48277, CVE-2026-48281, and CVE-2026-48316: Improper input validation issues that could lead to arbitrary code execution.
- CVE-2026-48282: A path traversal vulnerability enabling arbitrary code execution.
- CVE-2026-48313: A path traversal flaw that could result in arbitrary file system read.
- CVE-2026-48315: An improper input validation vulnerability leading to privilege escalation.
These vulnerabilities have been addressed in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure have been credited with discovering and reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307.
Campaign Classic Vulnerability
Adobe has also patched a critical flaw in Adobe Campaign Classic, identified as CVE-2026-48286. This incorrect authorization vulnerability could allow attackers to execute arbitrary code on affected systems. The issue affects versions ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux and has been resolved in version ACC v7: 7.4.3 build 9397.
Notably, this vulnerability impacts only on-premise Adobe Campaign instances, including fully on-premise deployments and on-premise components in hybrid deployments. Adobe-hosted instances have already been updated and require no action from users.
Adobe has stated that there are no known exploits in the wild for any of the issues addressed in these updates.
Shift to Bi-Monthly Security Updates
In response to the accelerated discovery of vulnerabilities through artificial intelligence (AI) models, Adobe is transitioning from monthly to twice-monthly security bulletins and advisories. Starting July 14, 2026, updates will be published on the second and fourth Tuesday of each month. This change aims to reduce the window between public vulnerability disclosure and potential exploitation, which has been shrinking from days to hours due to advanced AI capabilities.
Adobe’s proactive approach in addressing these critical vulnerabilities underscores the importance of timely software updates. Users are strongly encouraged to apply these patches promptly to safeguard their systems against potential threats.