Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic.

The ColdFusion update "resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass," Adobe said in an alert released Tuesday.

The vulnerabilities are listed below:

  • CVE-2026-48276, CVE-2026-48283 (CVSS scores: 10.0) - Unrestricted upload of file with dangerous type vulnerabilities that could lead to arbitrary code execution
  • CVE-2026-48277, CVE-2026-48281, CVE-2026-48316 (CVSS scores: 10.0) - Improper input validation vulnerabilities that could lead to arbitrary code execution
  • CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability that could lead to arbitrary code execution
  • CVE-2026-48313 (CVSS score: 9.3) - A path traversal vulnerability that could lead to arbitrary file system read
  • CVE-2026-48315 (CVSS score: 9.3) - An improper input validation vulnerability that could lead to privilege escalation

The issues have been addressed in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure have been credited with discovering and reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307.

Separately, Adobe has also shipped fixes to close out a critical flaw in Adobe Campaign Classic impacting versions ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux that could result in arbitrary code execution.

The vulnerability, tracked as CVE-2026-48286 (CVSS score: 10.0), is a case of incorrect authorization that could enable an attacker to execute arbitrary code on affected systems. It has been patched in version ACC v7: 7.4.3 build 9397.

Adobe noted that CVE-2026-48286 only impacts on-premise Adobe Campaign instances, including fully on-premise deployments and on-premise components in hybrid deployments. Adobe-hosted instances have already been updated and require no action.

The company also emphasized that it has not found any exploits in the wild for any of the issues addressed as part of the two updates.

The disclosure comes as Adobe said it's moving from monthly to twice-monthly publication of security bulletins and advisories on the second and fourth Tuesday of each month starting July 14, 2026, as a direct result of accelerated vulnerability discovery using artificial intelligence (AI) models.

"The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours," Adobe's Chief Security Officer Aanchal Gupta said. "We are applying AI to find and fix vulnerabilities first, and getting those fixes to customers faster is the natural next step."

Update

In a follow-up analysis, watchTowr Labs described CVE-2026-48282 as a case of arbitrary file write and CVE-2026-48313 as an instance of arbitrary file read, with the same fixes also "quietly eliminating" a number of issues involving arbitrary file move, file delete, directory creation, and directory listing.

The patch for CVE-2026-48276, a file upload path traversal flaw, introduces a couple of newly disallowed file extensions, such as jspf, cfmail, and war. "It also adds a new <cfscript> block to prevent path traversal during file uploads," security researcher Sina Kheirkhah said.

It's worth noting that both the vulnerable and patched versions contain a configuration that disables file uploads by default, meaning the vulnerable functionality has to be first explicitly enabled.

"However, once enabled, the upload endpoint appears to be reachable without authentication. Triggering the vulnerability is then as simple as sending a file upload request containing a path traversal payload in the path parameter. The uploaded file is written to disk as NT AUTHORITY\SYSTEM, making the impact fairly obvious."
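
The two mitigations described above, an extension denylist and a traversal check on the upload path, can be illustrated with the following added example, which is not Adobe's patch code and not taken from the watchTowr analysis. The function names, the `D:\uploads` root and the baseline denylist entries are assumptions; `ntpath` is used so Windows path rules apply on any host.

```python
import ntpath

# Extensions the article names as newly disallowed by the patch.
NEWLY_DISALLOWED = {"jspf", "cfmail", "war"}
# Assumed baseline of server-executable types (illustrative, not from the article).
ASSUMED_BASELINE = {"cfm", "cfc", "cfml", "jsp", "jspx"}
DENYLIST = NEWLY_DISALLOWED | ASSUMED_BASELINE


def resolve_upload_target(upload_root: str, client_path: str, filename: str) -> str:
    """Return the normalised target path, or raise ValueError if rejected."""
    # The file name must be a bare name: no separators, no drive or
    # alternate-data-stream colon, no NUL byte.
    if not filename or any(c in filename for c in "/\\:\0"):
        raise ValueError("file name must be a bare name")
    # Windows drops trailing dots and spaces on write, which would change
    # the effective extension after the denylist check has passed.
    if filename != filename.rstrip(". "):
        raise ValueError("file name ends with a dot or space")
    ext = filename.rpartition(".")[2].lower() if "." in filename else ""
    if ext in DENYLIST:
        raise ValueError(f"extension .{ext} is not allowed")

    # Normalise first (collapses ".." and mixed separators), then compare.
    root = ntpath.normcase(ntpath.normpath(upload_root)).rstrip("\\") + "\\"
    target = ntpath.normpath(ntpath.join(upload_root, client_path, filename))
    # The trailing separator on root stops D:\uploads_old matching D:\uploads.
    if not ntpath.normcase(target).startswith(root):
        raise ValueError("upload path escapes the upload root")
    return target


def is_allowed(upload_root: str, client_path: str, filename: str) -> bool:
    try:
        resolve_upload_target(upload_root, client_path, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ROOT = "D:\\uploads"  # constructed sample root, not from the article
    samples = [("reports\\2026", "q1.pdf"), ("..\\..\\wwwroot", "note.txt"),
               ("", "bundle.WAR"), ("docs", "page.cfm.")]
    for path, name in samples:
        print(repr(path), repr(name), "->", is_allowed(ROOT, path, name))
```

The containment check runs on the normalised path, so mixed separators, absolute paths and sibling directories sharing the root's prefix are all rejected before any write happens.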
