Adobe has released security updates to address multiple critical vulnerabilities affecting Adobe ColdFusion and Adobe Campaign Classic, including seven flaws carrying the maximum CVSS severity score of 10.0. The updates resolve security weaknesses that could allow attackers to execute arbitrary code, escalate privileges, read sensitive files from affected systems and bypass security protections. According to Adobe, the ColdFusion fixes are included in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10, while the Campaign Classic vulnerability has been addressed in Adobe Campaign Classic version 7.4.3 build 9397. The company also confirmed that it is not aware of any active exploitation targeting the vulnerabilities addressed in these updates and has urged customers using affected versions to install the latest security patches.
The ColdFusion security update resolves several high-impact vulnerabilities that could significantly affect organizations running vulnerable deployments. Among the most critical are CVE-2026-48276 and CVE-2026-48283, both rated with a CVSS score of 10.0, which involve unrestricted upload of dangerous file types that could enable arbitrary code execution. Adobe also patched CVE-2026-48277, CVE-2026-48281 and CVE-2026-48316, each carrying a CVSS score of 10.0, which stem from improper input validation issues that may also result in arbitrary code execution. Another maximum-severity flaw, tracked as CVE-2026-48282, is a path traversal vulnerability that could similarly allow attackers to execute arbitrary code on compromised systems. In addition, Adobe resolved CVE-2026-48313, rated 9.3, which could permit arbitrary file system reads through a path traversal weakness, as well as CVE-2026-48315, another vulnerability rated 9.3 that could lead to privilege escalation because of improper input validation. Adobe credited security researchers Anirudh Anand, Matan Sandori and 2Bsecure for responsibly reporting CVE-2026-48283, CVE-2026-48313 and CVE-2026-48307. The company stated that the vulnerabilities have been fully addressed through the latest ColdFusion updates and recommended that organizations deploy the patches as soon as possible to reduce security risks.
Alongside the ColdFusion updates, Adobe also released a security patch for Adobe Campaign Classic to address a separate critical vulnerability identified as CVE-2026-48286. The flaw has received a CVSS score of 10.0 and is caused by incorrect authorization, which could allow attackers to execute arbitrary code on affected systems. The vulnerability impacts Adobe Campaign Classic version 7.4.3 build 9396 and earlier releases running on both Windows and Linux platforms. Adobe confirmed that the issue has been fixed in version 7.4.3 build 9397. The company clarified that the vulnerability only affects on-premise Adobe Campaign deployments, including fully on-premise installations and hybrid environments that include on-premise components. Adobe-hosted Campaign Classic instances have already been updated by the company, meaning customers using those managed environments do not need to take any additional action. Adobe also stated that it has not identified any evidence indicating that this vulnerability has been exploited in real-world attacks.
The latest security updates come as Adobe announced changes to the way it publishes security bulletins and advisories. Beginning July 14, 2026, the company will move from a monthly release schedule to publishing security advisories twice each month on the second and fourth Tuesday. Adobe explained that the decision reflects the increasing pace of vulnerability discovery driven by advances in artificial intelligence. According to Adobe Chief Security Officer Aanchal Gupta, the same advanced AI capabilities used by security teams to identify software weaknesses are also becoming available to threat actors, significantly reducing the time between public disclosure and attempted exploitation. She stated that the company is using artificial intelligence to discover and remediate vulnerabilities more quickly and believes that delivering security fixes to customers at a faster pace is a necessary response to the evolving threat landscape. The revised advisory schedule is intended to help organizations receive important security updates more frequently as software vendors continue adapting to accelerated vulnerability research enabled by AI technologies.





