Particle.news
Download on the App Store

Adobe Issues Emergency Patches for Maximum‑Severity ColdFusion and Campaign Classic Flaws

The fixes close multiple remote‑code execution flaws that can be exploited without user interaction, signaling a faster security bulletin cadence at Adobe.

Overview

  • Adobe released patches Wednesday that fix seven maximum‑severity vulnerabilities across ColdFusion and Campaign Classic and told administrators to install updates as soon as possible, for example within 72 hours.
  • ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21 address 11 defects, including six rated CVSS 10/10 tied to unrestricted file uploads, improper input validation, and path traversal that can lead to arbitrary remote code execution.
  • Adobe shipped Campaign Classic fixes in build 7.4.3/9397 to close CVE‑2026‑48286 (CVSS 10.0), a faulty authorization bug that affects on‑premises deployments while Adobe‑hosted instances have already been updated.
  • The company assigned both updates Priority 1 to signal high targeting risk and said it is not aware of public exploits for these specific issues, which nonetheless can be exploited without privileges or user interaction.
  • Adobe said it will publish security bulletins twice monthly starting July 14, 2026, a faster cadence the company ties to accelerated vulnerability discovery and a history of Adobe flaws appearing in CISA’s exploited‑vulnerabilities catalog that raises urgency for administrators to patch promptly.