Adobe has released security updates for ColdFusion and Campaign Classic, fixing multiple critical vulnerabilities, including seven maximum-severity issues (CVSS score of 10.0). If exploited, the flaws could allow attackers to execute arbitrary code, escalate privileges, read sensitive files, or bypass security protections.
Adobe strongly recommends that customers apply the updates as soon as possible to reduce the risk of compromise.
The vulnerabilities include:
Adobe addressed these vulnerabilities in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure reported several of the vulnerabilities.
The firm thanked researchers for reporting the issues and helping improve security: Anirudh Anand reported CVE-2026-48283 and CVE-2026-48313, while Matan Sandori and 2Bsecure reported CVE-2026-48307.
The company also fixed a critical flaw in Adobe Campaign Classic, tracked as CVE-2026-48286 (CVSS score of 10.0), that could let attackers execute arbitrary code due to an authorization weakness.
The issue affects on-premises deployments running version 7.4.3 build 9396 and earlier and is fixed in build 9397. Adobe-hosted instances are not affected.
The software giant said it has seen no evidence of active exploitation.
“Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” reads the advisory.