Overview
- Adobe released patches Wednesday that fix seven maximum‑severity vulnerabilities across ColdFusion and Campaign Classic and told administrators to install updates as soon as possible, for example within 72 hours.
- ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21 address 11 defects, including six rated CVSS 10/10 tied to unrestricted file uploads, improper input validation, and path traversal that can lead to arbitrary remote code execution.
- Adobe shipped Campaign Classic fixes in build 7.4.3/9397 to close CVE‑2026‑48286 (CVSS 10.0), a faulty authorization bug that affects on‑premises deployments while Adobe‑hosted instances have already been updated.
- The company assigned both updates Priority 1 to signal high targeting risk and said it is not aware of public exploits for these specific issues, which nonetheless can be exploited without privileges or user interaction.
- Adobe said it will publish security bulletins twice monthly starting July 14, 2026, a faster cadence the company ties to accelerated vulnerability discovery and a history of Adobe flaws appearing in CISA’s exploited‑vulnerabilities catalog that raises urgency for administrators to patch promptly.