"The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours," Chief Security Officer Aanchal Gupta said.
Adobe issues emergency updates for ColdFusion and Campaign Classic
Adobe on Tuesday released patches addressing multiple maximum-severity vulnerabilities in Adobe ColdFusion and Adobe Campaign Classic. The ColdFusion updates, Adobe said, "resolve critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass." Separately, Adobe shipped a fix for a critical authorization flaw in Adobe Campaign Classic that could enable arbitrary code execution on affected on-premise instances.
Seven CVEs pegged at maximum severity — specifics and scores
Adobe listed multiple Common Vulnerabilities and Exposures (CVE) identifiers and their CVSS scores. The ColdFusion-related issues include:
- CVE-2026-48276, CVE-2026-48283 — Unrestricted upload of file with dangerous type vulnerabilities; CVSS 10.0; could lead to arbitrary code execution.
- CVE-2026-48277, CVE-2026-48281, CVE-2026-48316 — Improper input validation vulnerabilities; CVSS 10.0; could lead to arbitrary code execution.
- CVE-2026-48282 — A path traversal vulnerability; CVSS 10.0; could lead to arbitrary code execution.
- CVE-2026-48313 — A path traversal vulnerability; CVSS 9.3; could lead to arbitrary file system read.
- CVE-2026-48315 — An improper input validation vulnerability; CVSS 9.3; could lead to privilege escalation.
Adobe said these ColdFusion issues are addressed in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10.
For Adobe Campaign Classic, Adobe patched CVE-2026-48286 — a CVSS 10.0 vulnerability described as incorrect authorization that "could enable an attacker to execute arbitrary code on affected systems." The Campaign fix is included in ACC v7: 7.4.3 build 9397; Adobe identified ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux as affected.
Who found the flaws and what Adobe says about exploitation
Adobe credited security researchers Anirudh Anand, Matan Sandori, and 2Bsecure with discovering and reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307. Adobe also emphasized that it has not found any exploits in the wild for any of the issues addressed as part of the two updates.
On-premise Campaign customers, Adobe-hosted instances, and patch action
Adobe noted that CVE-2026-48286 impacts only on-premise Adobe Campaign instances — both fully on-premise deployments and on-premise components in hybrid deployments. Adobe-hosted instances have already been updated and "require no action." For customers running ColdFusion, Adobe indicates the fixes are available in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10; for Campaign Classic on-premise installations the fixed build is ACC v7: 7.4.3 build 9397.
What this means for technologists, procurement leaders, and defenders
- Technologists and security teams: apply the ColdFusion updates (ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10) and upgrade on-premise Campaign Classic instances to ACC v7: 7.4.3 build 9397 where appropriate, and note Adobe's statement that hosted Campaign instances require no action.
- Procurement and enterprise IT leaders: track which installations are on-premise versus Adobe-hosted to confirm whether the Campaign Classic update is necessary, and plan update windows for ColdFusion instances to close multiple CVSS 9.3–10.0 flaws.
- Defenders and incident response teams: monitor for attempts that exploit unrestricted uploads, improper input validation, and path traversal — the specific techniques Adobe links to the listed CVEs — while noting Adobe's public statement that no in-the-wild exploitation has been observed to date.
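The patch decision described in the first two bullets, as an added example (not Adobe tooling and not code from the article): it parses version strings written the way the article writes them and flags installations below the fixed releases. The inventory rows, host names and hosting labels are constructed for illustration.

```python
import re

# Fixed releases as stated in the article.
CF_FIXED_UPDATE = {2023: 21, 2025: 10}   # ColdFusion release -> fixed update
ACC_FIXED_BUILD = 9397                   # ACC v7: 7.4.3 build 9397

CF_RE = re.compile(r"coldfusion\s+(\d{4})\s+update\s+(\d+)", re.I)
ACC_RE = re.compile(r"acc\s+v7:\s*7\.4\.3\s+build\s+(\d+)", re.I)


def triage(version, hosting="on-premise"):
    """Return (status, reason); status is 'patch', 'ok' or 'review'.

    The hosting labels ('on-premise', 'hybrid', 'adobe-hosted') are assumed
    names for this example, not values from an Adobe product.
    """
    m = CF_RE.search(version)
    if m:
        release, update = int(m.group(1)), int(m.group(2))
        fixed = CF_FIXED_UPDATE.get(release)
        if fixed is None:
            return "review", f"ColdFusion {release} is not named in the article"
        if update < fixed:
            return "patch", f"install ColdFusion {release} Update {fixed}"
        return "ok", f"already at Update {fixed} or later"
    m = ACC_RE.search(version)
    if m:
        # Only on-premise instances and the on-premise components of hybrid
        # deployments are affected by CVE-2026-48286.
        if hosting == "adobe-hosted":
            return "ok", "Adobe-hosted instance, no action required"
        if int(m.group(1)) < ACC_FIXED_BUILD:
            return "patch", f"upgrade to ACC v7: 7.4.3 build {ACC_FIXED_BUILD}"
        return "ok", f"already at build {ACC_FIXED_BUILD} or later"
    return "review", "version string not recognised, check by hand"


# Constructed inventory rows: (host, version string, hosting model).
INVENTORY = [
    ("cf-app-01", "ColdFusion 2023 Update 19", "on-premise"),
    ("cf-app-02", "ColdFusion 2025 Update 10", "on-premise"),
    ("acc-mkt-01", "ACC v7: 7.4.3 build 9396", "hybrid"),
    ("acc-mkt-02", "ACC v7: 7.4.3 build 9396", "adobe-hosted"),
    ("cf-legacy", "ColdFusion 2021 Update 5", "on-premise"),
]

if __name__ == "__main__":
    for host, version, hosting in INVENTORY:
        status, reason = triage(version, hosting)
        print(f"{host:11} {status:7} {reason}")
```

Rows that come back as `review` are releases or version strings the article does not cover and need a manual check against Adobe's bulletin.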
Adobe said the move to a faster disclosure cadence is in direct response to accelerating vulnerability discovery driven by artificial intelligence. Beginning July 14, 2026, Adobe will publish security bulletins and advisories twice monthly, on the second and fourth Tuesday, a schedule the company framed as necessary because "the frontier AI capabilities we are using are also available to attackers."
The company has shipped targeted patches and emphasized no observed active exploitation; the next concrete milestone is the new twice-monthly advisory cadence starting July 14, 2026, and for affected organizations the immediate milestone is deployment of ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10, and of Campaign Classic ACC v7: 7.4.3 build 9397 on on-premise systems.




