Adobe patches critical flaws in ColdFusion and Campaign Classic

Adobe has rushed out security patches for ColdFusion and Campaign Classic after researchers uncovered seven maximum-severity vulnerabilities—each scoring a perfect 10.0 on the CVSS scale—that could let attackers execute arbitrary code, escalate privileges, read sensitive files, or bypass security protections.

A crowded patch cycle for enterprise tools

The fixes cover ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10, addressing input-validation gaps, path-traversal issues, and upload flaws that could be weaponized without authentication. Campaign Classic also received an update for a critical authorization weakness tracked as CVE-2026-48286. Adobe states that its hosted instances are not affected, limiting exposure to on-premises Campaign Classic deployments running version 7.4.3 build 9396 or earlier.

Researchers credited as Adobe stresses proactive stance

Anirudh Anand, Matan Sandori, and 2Bsecure contributed findings that Adobe has now resolved. The company thanked the researchers and emphasized it has seen no evidence of active exploitation in the wild. “Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” the advisory states.
Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

