VYPR
Vypr Intelligence · AI-generated · Jun 9, 2026 · 25 CVEs

Adobe Discloses 25 Vulnerabilities Across Multiple Products, Including Critical Flaws

Adobe Inc. has released security advisories for 25 vulnerabilities affecting Adobe Campaign Classic, Acrobat Reader, ColdFusion, and Format Plugins, with two critical and multiple high-severity flaws.

Key findings

  • Adobe disclosed 25 vulnerabilities on June 9, 2026, affecting multiple products.
  • Critical vulnerabilities include Incorrect Authorization in Adobe Campaign Classic (ACC) and Improper Input Validation in ColdFusion.
  • Acrobat Reader has numerous High severity flaws, including buffer overflows and use-after-free bugs.
  • ColdFusion is impacted by multiple High severity vulnerabilities, including XXE and path traversal.
  • Format Plugins are affected by Heap-based Buffer Overflow vulnerabilities.
  • Patches and updates are available; users should apply them promptly.

Adobe Inc. has addressed a significant batch of 25 vulnerabilities disclosed on June 9, 2026, impacting several of its key products. The disclosures include two critical vulnerabilities, one in Adobe Campaign Classic (ACC) and another in ColdFusion, alongside numerous high-severity flaws across Acrobat Reader, ColdFusion, and Format Plugins. This coordinated disclosure event highlights potential risks for users of these widely deployed Adobe applications.

The most severe issues include a Critical (CVSSv3 10.0) Incorrect Authorization vulnerability in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier (CVE-2026-48303). This flaw could allow for arbitrary code execution without user interaction. Additionally, a Critical (CVSSv3 9.6) Improper Input Validation vulnerability was found in ColdFusion versions 2023.19, 2025.8 and earlier (CVE-2026-47928), also potentially leading to arbitrary code execution without user interaction.

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are particularly affected, with a cluster of high-severity vulnerabilities. These include a Stack-based Buffer Overflow (CVE-2026-47959), Use After Free (CVE-2026-47955, CVE-2026-47921, CVE-2026-47920, CVE-2026-47919, CVE-2026-47918, CVE-2026-47917), and Heap-based Buffer Overflow (CVE-2026-47952) vulnerabilities, all rated High (CVSSv3 7.8) and potentially leading to arbitrary code execution. These vulnerabilities typically require user interaction, such as opening a malicious file.

ColdFusion also faces a substantial number of high-severity issues. These include an Improper Restriction of XML External Entity Reference ('XXE') vulnerability (CVE-2026-47960, CVSSv3 7.4), a Path Traversal vulnerability (CVE-2026-47932, CVSSv3 8.8), two Improper Input Validation vulnerabilities (CVE-2026-47931, CVSSv3 8.4; CVE-2026-47930, CVSSv3 8.1), and an Incorrect Authorization vulnerability (CVE-2026-47929, CVSSv3 8.4). These flaws could lead to arbitrary file system reads, security feature bypasses, and arbitrary code execution.

Format Plugins versions 1.1.2 and earlier are affected by two High (CVSSv3 7.8) Heap-based Buffer Overflow vulnerabilities (CVE-2026-48292 and CVE-2026-48291). Exploitation of these requires user interaction through opening a malicious file, and could result in arbitrary code execution.

Several medium-severity vulnerabilities were also disclosed. Acrobat Reader has multiple out-of-bounds read vulnerabilities (CVE-2026-47961, CVE-2026-47926, CVE-2026-47923, CVSSv3 5.5) that could lead to sensitive memory disclosure, an Integer Overflow or Wraparound vulnerability causing denial-of-service (CVE-2026-47925, CVSSv3 5.5), and a Use After Free vulnerability leading to sensitive memory disclosure (CVE-2026-47924, CVSSv3 5.5). ColdFusion has a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-47933, CVSSv3 4.8) allowing script injection.

Adobe has provided patches and updates for all affected products. Users are strongly advised to consult Adobe's security advisories for specific version information and apply the necessary updates to mitigate these risks. The wide range of affected products and the severity of some flaws underscore the importance of prompt patching for Adobe customers.

AI-written article. Grounded in 25 CVE records listed below.