Adobe Patches Critical ColdFusion Vulnerabilities, Including Eight High-Severity Flaws
Adobe has released urgent security updates for its ColdFusion platform, addressing eight critical vulnerabilities that could lead to arbitrary code execution and privilege escalation.

Adobe has issued a significant security update to address a total of 88 vulnerabilities across 12 of its products, with a particular focus on critical flaws within its ColdFusion, Commerce, Experience Manager, and Illustrator software. The update for ColdFusion is especially noteworthy, patching 13 security defects, eight of which are classified as critical.
These critical vulnerabilities in ColdFusion, identified by CVE IDs including CVE-2026-48318, CVE-2026-48322, CVE-2026-48284, CVE-2026-48321, CVE-2026-48325, CVE-2026-48319, CVE-2026-48324, and CVE-2026-48327, pose a severe risk to affected systems. The nature of these flaws includes path traversal, code injection, improper input validation, missing authentication, SQL injection, and incorrect authorization, all of which can be leveraged by attackers to execute arbitrary code or escalate privileges.
Adobe has assigned a Priority 1 rating to this advisory, underscoring the urgency for customers to apply the patches. The vulnerabilities are resolved in ColdFusion 2025 update 11 and ColdFusion 2023 update 22. This latest patch release follows closely on the heels of another update just two weeks prior, which addressed six maximum-severity weaknesses in ColdFusion, including one that was already being actively exploited in the wild.
Beyond ColdFusion, the update also tackles critical issues in other Adobe products. Adobe Commerce has 13 vulnerabilities patched, including two critical flaws (CVE-2026-48356 and CVE-2026-48358) that could allow for privilege escalation and arbitrary code execution. Experience Manager also receives patches for 13 security defects, with two critical bugs (CVE-2026-48259 and CVE-2026-48359) capable of being exploited for arbitrary code execution.
Illustrator is not spared, with one critical vulnerability (CVE-2026-48334) patched, described as improper input validation, which could lead to privilege escalation. Additionally, Adobe has released updates for Content Credentials SDK, Animate, Audition, Bridge, Media Encoder, Premiere Pro, After Effects, and the Creative Cloud Desktop Application, addressing a range of other security flaws.
While Adobe states it is not aware of any of these newly disclosed vulnerabilities being exploited in the wild, the company strongly advises users to apply the patches as soon as possible to mitigate potential risks. Further details and specific patch information can be found on Adobe's official security bulletins page.
The sheer volume and severity of vulnerabilities patched across Adobe's product suite highlight the ongoing challenges in securing complex software ecosystems. Organizations relying on these products must maintain a vigilant patching schedule and prioritize updates for critical vulnerabilities to protect against potential exploitation.