Adobe Rushes Out Fixes for a Dozen Flaws in ColdFusion and Campaign Classic — Six Are as Bad as It Gets

Twelve security holes, six of them rated the highest possible severity, were quietly sitting in two widely used Adobe products. Patches are out. The clock is ticking.

ThreatVectr Newsdesk· 3 min read
Extreme close-up of a glowing server rack in a dark data centre, amber and blue indicator lights reflecting off brushed metal chassis, shallow depth of field dr
Share

Key points

  • Adobe released security updates on Tuesday for ColdFusion and Campaign Classic, fixing a combined 12 vulnerabilities across both products.
  • Six ColdFusion flaws carry a CVSS score of 10 out of 10 — the maximum possible severity rating — and could let attackers run any code they choose on an affected server.
  • Adobe Campaign Classic version 7.4.3 build 9397 fixes CVE-2026-48286, a single maximum-severity flaw that could also allow remote code execution.
  • Fixes are available now in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
  • Adobe says no one is actively exploiting these flaws yet, but has flagged both updates as its highest internal priority.

Adobe makes software that runs quietly in the background of a lot of businesses you interact with every day. ColdFusion is a web application server — think of it as the engine that powers certain company websites and internal tools. Campaign Classic is an email marketing platform used by large organisations to manage customer communications. Neither is a consumer app, but the servers running them often hold customer data.

On Tuesday, Adobe pushed patches — software fixes that seal up security holes — for both products. First reported by SecurityWeek, the update covers 12 flaws in total.

How bad is a score of 10 out of 10?

Pretty bad. Security researchers score vulnerabilities, meaning software weaknesses, on a scale from 0 to 10. A 10 means an attacker can exploit the flaw remotely, without any login credentials, and do essentially whatever they want on the affected machine. Six of the ColdFusion flaws hit that ceiling.

Those six — CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48282, CVE-2026-48283, and CVE-2026-48316 — share a common thread. The server either accepts dangerous file uploads without checking what they actually are, fails to properly check user-supplied input, or allows path traversal attacks, where a criminal tricks the server into accessing files it should never touch.

The failure mode here is familiar: trust the wrong input, and someone else owns your server.

Four more ColdFusion bugs round out the update. Two path traversal and input-validation issues score 9.3 and could let an attacker read files off the server's filesystem or gain elevated privileges — administrator-level access, in plain terms. An XSS flaw, where malicious code gets injected into a web page and runs in a victim's browser, scores 8.8. A server-side request forgery bug — where the server is tricked into making network requests on an attacker's behalf — scores 8.6.

Over in Campaign Classic, CVE-2026-48286 is a single flaw scored 10 out of 10, rooted in incorrect authorization, meaning the software fails to properly check whether a user is actually allowed to do what they are asking to do.

Adobe says it knows of no active exploitation. In practice, a priority-1 rating from Adobe means their own teams consider exploitation plausible in the near term. History with ColdFusion supports that worry — it has been a target before.

If your organisation runs either product, update it today, not this sprint.

Operational takeaway: ColdFusion servers exposed to the internet without a web application firewall in front of them are the ones that will headline the next postmortem.

© 2026 Threat Vectr