Adobe Rushes ColdFusion Fixes for Seven CVSS 10.0 Flaws
Adobe published emergency bulletin APSB26-68 patching 11 ColdFusion vulnerabilities, including seven with CVSS 10.0 that allow unauthenticated remote code execution.
Key Takeaways
Adobe released emergency out-of-band bulletin APSB26-68 on June 30, patching 11 vulnerabilities in ColdFusion 2025 and 2023 with its highest Priority Rating of 1.
Seven flaws carry the maximum CVSS 10.0 score and allow unauthenticated remote code execution with no user interaction, spanning unrestricted file upload, improper input validation and path traversal.
The critical CVEs include CVE-2026-48276, -48277, -48281, -48282, -48283 and -48316 in ColdFusion, plus CVE-2026-48286 in Campaign Classic.
Adobe urges updating ColdFusion 2025 to Update 10, ColdFusion 2023 to Update 21 and Campaign Classic to ACC v7 7.4.3 build 9397 within 72 hours; researchers warn exploitation is likely within days given ColdFusion's history as a ransomware target.
Kaan Tınmaz
Adobe on June 30 shipped an emergency out-of-band security bulletin, APSB26-68, addressing 11 vulnerabilities in ColdFusion 2025 and ColdFusion 2023. Seven of the flaws carry the maximum CVSS 10.0 score and enable unauthenticated remote code execution, and Adobe assigned the bulletin its highest Priority Rating of 1.
Seven CVSS 10.0 flaws in ColdFusion and Campaign Classic
The critical set — CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48282, CVE-2026-48283, CVE-2026-48316 in ColdFusion and CVE-2026-48286 in Campaign Classic — spans unrestricted file upload, improper input validation and path traversal. Every one allows an unauthenticated attacker to run arbitrary code on the ColdFusion or Campaign server without user interaction, according to Adobe’s security advisory.
High-severity bonus flaws
Adobe also patched a chain of high-severity issues: CVE-2026-48313 (CVSS 9.3) for privilege escalation, CVE-2026-48315 (CVSS 8.8) for XSS-driven code execution, CVE-2026-48307 (CVSS 8.6) for SSRF, and CVE-2026-48314 (CVSS 6.5) for directory-traversal privilege escalation. Adobe recommends admins push ColdFusion 2025 to Update 10, ColdFusion 2023 to Update 21, and Campaign Classic to ACC v7 7.4.3 build 9397 within 72 hours.
ColdFusion’s ransomware target on its back
ColdFusion has been a recurring target for ransomware crews and state-linked actors: CISA added multiple ColdFusion CVEs to its Known Exploited Vulnerabilities catalogue in 2023 and 2024. The July 2026 batch lands in the middle of a heavy patch cycle that also included the RoguePlanet Microsoft Defender zero-day and last month’s Cisco SD-WAN Manager zero-day. Because ColdFusion instances are often internet-exposed, watchtowr and other researchers warned exploitation attempts are likely within days.
Reporting based on coverage from Adobe, The Hacker News, BleepingComputer and watchtowr Labs.
What versions and updates fix the Adobe ColdFusion vulnerabilities in APSB26-68?
Adobe recommends updating ColdFusion 2025 to Update 10, ColdFusion 2023 to Update 21, and Campaign Classic to ACC v7 7.4.3 build 9397, ideally within 72 hours.
How severe are the flaws patched in APSB26-68?
Seven of the 11 vulnerabilities carry the maximum CVSS 10.0 score and enable unauthenticated remote code execution without user interaction. Adobe assigned the bulletin its highest Priority Rating of 1.
Which types of vulnerabilities are involved?
The critical flaws span unrestricted file upload, improper input validation and path traversal. Adobe also patched privilege escalation, XSS-driven code execution, SSRF and directory-traversal issues rated between CVSS 6.5 and 9.3.
Is ColdFusion actively targeted by attackers?
ColdFusion has been a recurring target for ransomware crews and state-linked actors, with multiple ColdFusion CVEs added to CISA's Known Exploited Vulnerabilities catalogue in 2023 and 2024. Researchers including watchtowr warn exploitation attempts on the new flaws are likely within days because instances are often internet-exposed.