"This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours)," Adobe said in its advisories.
What Adobe patched: seven maximum‑severity flaws in ColdFusion and Campaign Classic
Adobe released security updates that address seven maximum‑severity vulnerabilities in two products: the ColdFusion web application development platform and the Campaign Classic marketing automation platform. Six critical flaws affecting ColdFusion are tracked as CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, and CVE-2026-48282; they affect ColdFusion versions 2025.9, 2023.20 and earlier. According to Adobe, attackers “without privileges” can exploit those ColdFusion flaws to gain remote code execution on unpatched systems.
The single Campaign Classic maximum‑severity flaw is tracked as CVE-2026-48286 and affects Campaign Classic versions 7.4.3 build 9396 and earlier. Successful exploitation “could lead to arbitrary code execution in the current user's context,” Adobe states. The advisory specifies that CVE-2026-48286 “only affects on-premises Adobe Campaign instances (including fully on-premises deployments and on‑premises components in hybrid deployments),” because Adobe‑hosted instances have already been patched.
Severity, exploitability, and Adobe's guidance to administrators
All seven vulnerabilities were described by Adobe as exploitable in “low‑complexity attacks that don't require user interaction” and were assigned priority 1 — Adobe's label indicating “a high risk of being targeted.” Adobe advised administrators to install the updates “as soon as possible,” and gave an example window of 72 hours.
Despite the urgency of the fixes, Adobe also stated plainly that “Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.” That combination — high priority and no currently known public exploitation — is the posture that typically prompts rapid patching across affected installations.
Related context: recent zero‑days and CISA's cataloging of Adobe flaws
The ColdFusion and Campaign Classic advisories arrive against a backdrop of other Adobe fixes earlier this year. In early April, Adobe issued emergency patches for an Acrobat Reader vulnerability tracked as CVE-2026-34621, which Adobe said had been “exploited in zero‑day attacks since at least December.”
Adobe products have also been a recurring focus for U.S. federal tracking: over the last five years the Cybersecurity and Infrastructure Security Agency (CISA) “has added 79 security flaws in Adobe products to its catalog of actively exploited vulnerabilities,” BleepingComputer reports, and 10 of those have “also been abused by ransomware gangs.”
Aanchal Gupta and the move to twice‑monthly security bulletins
Adobe Chief Security Officer Aanchal Gupta announced a change to how Adobe publishes security advisories. “Effective July 14, 2026, Adobe is moving from monthly to twice‑monthly publication of Adobe Security Bulletins and Advisories on the second and fourth Tuesday of each month,” Gupta said on Thursday. She added that “For actively exploited vulnerabilities or externally discovered zero‑day vulnerabilities, our out‑of‑band response process remains in effect.”
The scheduling change is presented by Adobe as a measure to “deploy security updates faster,” and it takes effect shortly after the patches discussed here were published.
What this means for technologists, procurement leaders, and enterprise defenders
- Technologists and security teams: Adobe's advisory recommends installing updates “as soon as possible,” with a 72‑hour example window. Teams running ColdFusion versions 2025.9, 2023.20 or earlier should prioritize those patches because the five ColdFusion CVEs enable remote code execution without privileges.
- Procurement and platform owners: Owners of on‑premises Adobe Campaign instances must note that CVE-2026-48286 affects only on‑premises and hybrid on‑premises components; Adobe‑hosted instances have already been patched. That distinction changes the locus of action from vendor‑side updates to customer patching.
- Enterprise defenders and risk managers: The combination of low‑complexity, no‑user‑interaction exploitability and Adobe's priority‑1 designation argues for rapid, coordinated patching and verification — particularly given the broader history of Adobe flaws tracked by CISA and the recent Acrobat Reader zero‑day emergency patch.
Adobe's published guidance and the move to more frequent security bulletins tighten the cadence for responding to vulnerabilities. The practical test now is whether administrators and platform owners will meet the shortened clock: install the ColdFusion updates, patch on‑premises Campaign components, and verify remediation within the windows Adobe has put forward.
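The version and hosting rules described above, applied to an asset inventory. This is an added example, not code from Adobe or the source article. The inventory format and hostnames are constructed; reading "2025.9" as release 2025, update 9, and comparing Campaign Classic builds by number alone, are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Last affected versions as stated in the article. Reading "2025.9" as
# (release 2025, update 9) is an assumption about the notation.
COLDFUSION_LAST_AFFECTED = {2025: 9, 2023: 20}
# Campaign Classic 7.4.3 build 9396; assumes build numbers only increase.
CAMPAIGN_LAST_AFFECTED_BUILD = 9396
PATCH_WINDOW = timedelta(hours=72)  # Adobe's example window

def is_affected(asset):
    """True/False, or None when the record needs a human to decide."""
    if asset["product"] == "coldfusion":
        try:
            release, update = (int(p) for p in asset["version"].split("."))
        except ValueError:
            return None  # unparseable version string
        last = COLDFUSION_LAST_AFFECTED.get(release)
        # Release lines the article does not name are not assumed safe.
        return None if last is None else update <= last
    if asset["product"] == "campaign-classic":
        # Adobe-hosted instances are already patched; on-premises and the
        # on-premises part of hybrid deployments need customer action.
        if asset["hosting"] == "adobe-hosted":
            return False
        return asset["build"] <= CAMPAIGN_LAST_AFFECTED_BUILD
    return False  # product not covered by these advisories

def triage(inventory, advisory_seen_at):
    """Return (host, action, deadline) for every asset in the inventory."""
    deadline = advisory_seen_at + PATCH_WINDOW
    actions = {True: ("patch", deadline), False: ("ok", None),
               None: ("manual-review", None)}
    return [(a["host"], *actions[is_affected(a)]) for a in inventory]

# Constructed inventory: hostnames, versions and builds are sample values.
SAMPLE_INVENTORY = [
    {"host": "cf-app-01", "product": "coldfusion", "version": "2025.9"},
    {"host": "cf-app-02", "product": "coldfusion", "version": "2023.21"},
    {"host": "cf-old-03", "product": "coldfusion", "version": "2021.24"},
    {"host": "camp-onprem", "product": "campaign-classic",
     "hosting": "on-premises", "build": 9396},
    {"host": "camp-hybrid", "product": "campaign-classic",
     "hosting": "hybrid", "build": 9390},
    {"host": "camp-cloud", "product": "campaign-classic",
     "hosting": "adobe-hosted", "build": 9390},
]
if __name__ == "__main__":
    seen = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    for host, action, due in triage(SAMPLE_INVENTORY, seen):
        print(host, action, due.isoformat() if due else "-")
```

Hosts marked `manual-review` are release lines or version strings the rules cannot classify; they are deliberately not reported as `ok`.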
Source: BleepingComputer — Adobe patches seven max severity ColdFusion, Campaign flaws




