Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic.

The ColdFusion update “resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass,” Adobe said in an alert released Tuesday.

The vulnerabilities are listed below:

  • CVE-2026-48276, CVE-2026-48283 (CVSS scores: 10.0) – Unrestricted upload of file with dangerous type vulnerabilities that could lead to arbitrary code execution
  • CVE-2026-48277, CVE-2026-48281, CVE-2026-48316 (CVSS scores: 10.0) – Improper input validation vulnerabilities that could lead to arbitrary code execution
  • CVE-2026-48282 (CVSS score: 10.0) – A path traversal vulnerability that could lead to arbitrary code execution
  • CVE-2026-48313 (CVSS score: 9.3) – A path traversal vulnerability that could lead to arbitrary file system read
  • CVE-2026-48315 (CVSS score: 9.3) – An improper input validation vulnerability that could lead to privilege escalation

The issues have been addressed in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure have been credited with discovering and reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307.

Separately, Adobe has also shipped fixes for a critical flaw in Adobe Campaign Classic that could result in arbitrary code execution. It impacts versions ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux.

The vulnerability, tracked as CVE-2026-48286 (CVSS score: 10.0), is a case of incorrect authorization that could enable an attacker to execute arbitrary code on affected systems. It has been patched in version ACC v7: 7.4.3 build 9397.

Adobe noted that CVE-2026-48286 only impacts on-premise Adobe Campaign instances, including fully on-premise deployments and on-premise components in hybrid deployments. Adobe-hosted instances have already been updated and require no action.

The company also emphasized that it has not found any exploits in the wild for any of the issues addressed as part of the two updates.

The disclosure comes as Adobe said it’s moving from monthly to twice-monthly publication of security bulletins and advisories on the second and fourth Tuesday of each month starting July 14, 2026, as a direct result of accelerated vulnerability discovery using artificial intelligence (AI) models.

“The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours,” Adobe’s Chief Security Officer Aanchal Gupta said. “We are applying AI to find and fix vulnerabilities first, and getting those fixes to customers faster is the natural next step.”

📰 Original Source: TheHackerNews
✍️ Author: info@thehackernews.com (The Hacker News)
