
ADOBE has released security updates for ColdFusion and Campaign Classic that address multiple critical vulnerabilities, several of which carry the maximum CVSS score of 10.0 and could allow remote code execution or unauthorised file access. The patches were made available on 30 June 2026 and apply to recent releases of both products.
The updates resolve a group of flaws tracked as CVE‑2026‑48276, CVE‑2026‑48277, CVE‑2026‑48281, CVE‑2026‑48282, CVE‑2026‑48283, CVE‑2026‑48286 and CVE‑2026‑48313. These issues stem from unrestricted file uploads, improper input validation, path traversal and cross‑site scripting weaknesses that affect ColdFusion 2025 Update 9 and earlier, ColdFusion 2023 Update 20 and earlier, and on‑premises installations of Campaign Classic.
According to the advisory, CVE‑2026‑48282 and CVE‑2026‑48313 now have patches available, while the remaining flaws are corrected in the same release cycle. Adobe notes that none of the vulnerabilities have been observed in the wild to date, and no specific threat actors have been linked to them.
The company has assigned a priority rating of one to the ColdFusion issues, signalling a high likelihood of exploitation if left unpatched. SecurityAffairs and SecurityWeek both highlighted that the fixes form part of Adobe’s routine monthly patch schedule, though the severity of the flaws prompted an urgent call for immediate deployment.
Defenders should prioritise applying ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21, depending on the version in use, and install the Campaign Classic patch referenced in advisory apsb26-69. After updating, administrators are advised to verify build numbers, review configuration settings for file upload restrictions, and monitor logs for any unexpected script execution or file system changes.
Maintaining an accurate inventory of Adobe workloads, subscribing to Adobe security notifications, and considering the deployment of a web application firewall can help mitigate risk while updates are rolled out. Regularly reviewing access controls and disabling unused features further reduces the attack surface for these products.