
ADOBE has issued emergency updates for seven vulnerabilities, each rated CVSS 10.0, affecting ColdFusion and Campaign Classic products. The fixes were released on 9 June and are described in the Adobe security advisory. Systems running unpatched versions are exposed to remote code execution and unauthorised access.
The flaws tracked as CVE‑2026‑48276, CVE‑2026‑48283 and CVE‑2026‑48286 all carry the maximum CVSS score. CVE‑2026‑48276 and CVE‑2026‑48283 reside in ColdFusion and stem from unrestricted file upload mechanisms and improper input validation that let an attacker place malicious files on the server. CVE‑2026‑48286 affects Campaign Classic and allows arbitrary code execution through a path traversal flaw in the web interface.
Adobe’s bulletin notes that the ColdFusion update resolves six additional defects, including cross‑site scripting issues that could be chained with the upload bugs to achieve full system compromise. All affected products have been assigned a priority rating of 1, indicating a high likelihood of exploitation if left unpatched.
To date no threat actor has been linked to active exploitation of these vulnerabilities, and no instances have been observed in the wild. Nevertheless the priority rating and the nature of the flaws suggest that attackers could quickly develop reliable exploits, making immediate mitigation essential for defenders.
Administrators should apply the patches supplied by Adobe without delay, verifying the installed version against the patched releases listed in the advisory. Where immediate updating is not possible, temporary measures such as disabling unused ColdFusion services, restricting file upload extensions to a safe list, and blocking direct access to the Campaign Classic admin interface can reduce risk.
Beyond patching, organisations should review authentication controls, enforce least‑privilege accounts for application pools, and ensure network segmentation separates vulnerable servers from critical assets. Monitoring web‑server logs for unexpected file writes or anomalous POST requests will help detect any attempted exploitation.
Staying subscribed to Adobe security notifications and testing updates in a staging environment before broad rollout will help maintain protection against future threats. Proactive vigilance remains the most effective defence against the current set of critical flaws.