Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic

Adobe fixed multiple critical flaws, including max severity bugs in ColdFusion and Campaign Classic that could lead to remote code execution

Adobe has released security updates for ColdFusion and Campaign Classic, fixing multiple critical vulnerabilities, including seven maximum-severity issues (CVSS score of 10.0). If exploited, the flaws could allow attackers to execute arbitrary code, escalate privileges, read sensitive files, or bypass security protections.

Adobe strongly recommends that customers apply the updates as soon as possible to reduce the risk of compromise.

The vulnerabilities include:

  • CVE-2026-48276, CVE-2026-48283 (CVSS score of 10.0) – Allow attackers to upload malicious files and execute arbitrary code.
  • CVE-2026-48277, CVE-2026-48281, CVE-2026-48316 (CVSS score of 10.0) – Input validation flaws that could let attackers execute arbitrary code.
  • CVE-2026-48282 (CVSS score of 10.0) – A path traversal flaw that could result in arbitrary code execution.
  • CVE-2026-48313 (CVSS score of 9.3) – A path traversal flaw that could let attackers read sensitive files.
  • CVE-2026-48315 (CVSS score of 9.3) – An input validation flaw that could allow privilege escalation.

Adobe addressed these vulnerabilities in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure reported several of the vulnerabilities.

The firm thanked researchers for reporting the issues and helping improve security: Anirudh Anand reported CVE-2026-48283 and CVE-2026-48313, while Matan Sandori and 2Bsecure reported CVE-2026-48307.

The company also fixed a critical flaw in Adobe Campaign Classic, tracked as CVE-2026-48286 (CVSS score of 10.0), that could let attackers execute arbitrary code due to an authorization weakness.

The issue affects on-premises deployments running version 7.4.3 build 9396 and earlier and is fixed in build 9397. Adobe-hosted instances are not affected.

The software giant said it has seen no evidence of active exploitation.

“Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” reads the advisory.


Pierluigi Paganini

(SecurityAffairs – hacking, Coldfusion)
