Adobe on Tuesday issued security updates for ColdFusion and Campaign Classic, resolving a total of 12 vulnerabilities. Seven of those carry a maximum CVSS score of 10.0, making this one of the more significant Adobe patch releases in recent memory.

ColdFusion: Six Maximum-Severity Flaws

Updates for ColdFusion versions 2025 and 2023 address 11 security defects in total. Six are rated at maximum severity (CVSS 10.0): CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, and CVE-2026-48283. According to Adobe, these vulnerabilities stem from unrestricted upload of files with dangerous types, improper input validation, and path traversal weaknesses, all of which could enable arbitrary code execution.

Two additional critical-severity bugs, CVE-2026-48313 and CVE-2026-48315 (CVSS 9.3), involve path traversal and improper input validation and could lead to arbitrary file system read and privilege escalation.

The remaining ColdFusion fixes include:

  • CVE-2026-48307 (CVSS 8.8): A cross-site scripting flaw that could result in arbitrary code execution.
  • CVE-2026-48285 (CVSS 8.6): A server-side request forgery issue that could lead to security feature bypass.
  • CVE-2026-48314 (medium severity): A path traversal vulnerability leading to privilege escalation.

Fixes are included in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.

Campaign Classic: One Maximum-Severity Bug

The Campaign Classic update addresses CVE-2026-48286 (CVSS 10.0), described as an incorrect authorization vulnerability that could allow an attacker to execute arbitrary code. The fix is bundled in Adobe Campaign Classic version 7.4.3 build 9397, now rolling out to both Windows and Linux users.

Exploitation Status and Recommended Action

Adobe states it is not aware of any public exploits targeting these vulnerabilities at this time. However, the company has assigned a Priority 1 rating to both updates, its highest designation, indicating a meaningful risk that exploitation could emerge. Security teams running affected ColdFusion or Campaign Classic deployments should apply the patches as soon as operationally feasible.