Particle.news

Adobe Issues Emergency Patches for Maximum‑Severity ColdFusion and Campaign Classic Flaws

The fixes close multiple remote‑code execution flaws that can be exploited without user interaction, signaling a faster security bulletin cadence at Adobe.

Overview

  • Adobe released patches Wednesday that fix seven maximum‑severity vulnerabilities across ColdFusion and Campaign Classic and told administrators to install updates as soon as possible, for example within 72 hours.
  • ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21 address 11 defects, including six rated CVSS 10/10 tied to unrestricted file uploads, improper input validation, and path traversal that can lead to arbitrary remote code execution.
  • Adobe shipped Campaign Classic fixes in build 7.4.3/9397 to close CVE‑2026‑48286 (CVSS 10.0), a faulty authorization bug that affects on‑premises deployments while Adobe‑hosted instances have already been updated.
  • The company assigned both updates Priority 1 to signal high targeting risk and said it is not aware of public exploits for these specific issues, which nonetheless can be exploited without privileges or user interaction.
  • Adobe said it will publish security bulletins twice monthly starting July 14, 2026, a faster cadence the company ties to accelerated vulnerability discovery and a history of Adobe flaws appearing in CISA’s exploited‑vulnerabilities catalog that raises urgency for administrators to patch promptly.