Adobe Rushes Out Fixes for 88 Security Flaws, Eight of Them Critical in ColdFusion
Two weeks after hackers exploited a separate ColdFusion flaw within hours of its disclosure, Adobe is back with another urgent patch batch covering a dozen products.

Key points
- Adobe released security updates for 12 products on Tuesday, fixing a total of 88 vulnerabilities.
- Eight critical flaws in ColdFusion, Adobe's web-application server software, could let attackers run malicious code or seize elevated control of a system.
- Adobe rated the ColdFusion update Priority 1, its highest urgency level, meaning customers should apply it immediately.
- None of the 88 vulnerabilities are known to be actively exploited yet, but a separate ColdFusion flaw patched two weeks ago was attacked within hours of going public.
- ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22 close all 13 ColdFusion bugs addressed in this round.
Adobe pushed out security fixes Tuesday covering 12 of its products and patching 88 separate weaknesses. The most urgent are in ColdFusion, the company's software that businesses use to build and run websites and web-based tools.
Eight of the 13 ColdFusion flaws carry a critical rating. Critical, in security terms, means an attacker who finds and uses the flaw can cause serious harm without much effort. In this case, the bugs could allow someone to execute arbitrary code, meaning run whatever software commands they choose on a company's server, or escalate privileges, meaning gain administrator-level control they should not have. The relevant CVE identifiers (the standard numbering system security researchers use to track individual flaws) are CVE-2026-48318, CVE-2026-48322, CVE-2026-48284, CVE-2026-48321, CVE-2026-48325, CVE-2026-48319, CVE-2026-48324, and CVE-2026-48327.
The fix categories read like a who's who of classic server weaknesses: SQL injection (where an attacker sneaks database commands into a form field), missing authentication (where a system simply forgets to check who is asking), and path traversal (where an attacker tricks software into opening files it was never meant to touch).
Why does the timing matter here?
Two weeks ago Adobe patched six maximum-severity ColdFusion flaws. One of them was attacked in the wild within hours of disclosure. That history is exactly why Adobe assigned its highest urgency rating, Priority 1, to this week's ColdFusion update. The company is effectively saying: do not wait.
The Tuesday update also touched Adobe Commerce, the shopping-cart platform, fixing two critical bugs (CVE-2026-48356 and CVE-2026-48358) that could allow privilege escalation or code execution. Experience Manager, used to manage website content, received patches for two critical flaws (CVE-2026-48259 and CVE-2026-48359). Illustrator, the graphic-design tool, had one critical flaw (CVE-2026-48334) that could grant an attacker elevated system access.
Adobe says none of the 88 flaws are being actively exploited right now. That window can close fast, as recent history shows.
If your organisation runs any Adobe server software, ask your IT team today whether Tuesday's patches are applied. For consumers using Illustrator, Animate, or Premiere Pro, turn on automatic updates or check for updates manually this week.



