Adobe has released important security patches targeting significant vulnerabilities in its ColdFusion and Campaign Classic applications. The updates, announced Tuesday, address six critical flaws that pose substantial security risks.
Critical Issues in Campaign Classic
The update for Adobe Campaign Classic addresses CVE-2026-48286, a severe authorization vulnerability that allows attackers to execute arbitrary code. The flaw carries a CVSS score of 10 out of 10 and is fixed in version 7.4.3 build 9397, now available for both Windows and Linux users.
ColdFusion Security Enhancements
For ColdFusion, Adobe has released updates for versions 2025 and 2023, which resolve 11 security defects. Among these are six critical vulnerabilities, each carrying the highest severity score of 10. Identified as CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, and CVE-2026-48283, these flaws could facilitate arbitrary code execution. The security gaps stem from issues like unrestricted upload of dangerous files, improper input validation, and path traversal weaknesses.
Additional Vulnerabilities Resolved
Moreover, the update addresses two other critical vulnerabilities, CVE-2026-48313 and CVE-2026-48315, identified as path traversal and input validation issues that could lead to unauthorized file access and privilege escalation. An XSS defect, CVE-2026-48307, with a CVSS score of 8.8, and an SSRF flaw, CVE-2026-48285, carrying a score of 8.6, were also fixed. These updates are included in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
Adobe has emphasized the urgency of these updates despite the absence of known exploits in the wild. The company has given these patches a priority rating of 1, indicating a high likelihood of potential exploitation. Users are strongly encouraged to apply these updates promptly to safeguard their systems.
