Adobe Patches Seven Critical Flaws in ColdFusion and Campaign Classic
Adobe has released urgent patches for seven maximum-severity vulnerabilities affecting its ColdFusion and Campaign Classic platforms, with some flaws already being targeted by exploits.

Adobe has issued security updates to address seven critical vulnerabilities in its ColdFusion web application development platform and the Adobe Campaign Classic marketing automation software. All seven are rated at maximum severity and pose a significant risk to organizations running these products.
The vulnerabilities are described as exploitable in low-complexity attacks that require no user interaction, making them prime targets for exploitation. Adobe has assigned these issues a Priority 1 rating, indicating a high likelihood that they will be actively targeted by malicious actors. The company strongly advises administrators to apply the patches as soon as possible, ideally within 72 hours, to mitigate potential risks.
While Adobe stated it was not aware of any exploits in the wild for these specific issues at the time of the advisory, the "higher risk of being targeted" designation underscores the urgency. Six of the critical vulnerabilities (CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, and CVE-2026-48282) affect ColdFusion versions 2025.9, 2023.20, and earlier. Successful exploitation of these flaws could allow unauthenticated attackers to achieve remote code execution on vulnerable systems.
The seventh critical vulnerability, CVE-2026-48286, affects Adobe Campaign Classic versions 7.4.3 build 9396 and earlier. This flaw could lead to arbitrary code execution within the context of the current user. Importantly, this vulnerability specifically impacts on-premises Adobe Campaign instances, including those in hybrid deployments. Adobe has already addressed this issue in its hosted instances.
In a broader move to enhance its security response, Adobe's Chief Security Officer, Aanchal Gupta, announced that the company will transition to a twice-monthly schedule for its security bulletins. Starting July 14, 2026, Adobe Security Bulletins and Advisories will be published on the second and fourth Tuesday of each month. This change aims to expedite the delivery of security updates, though the company's out-of-band response process for actively exploited or zero-day vulnerabilities will remain in effect.
This batch of patches comes after a period of heightened vulnerability disclosures for Adobe products. Earlier in the year, Adobe released emergency patches for a critical Acrobat Reader vulnerability (CVE-2026-34621) that had been exploited as a zero-day since December. The company's products have historically been frequent targets for attackers.
Over the past five years, the Cybersecurity and Infrastructure Security Agency (CISA) has added 79 security flaws in Adobe products to its Known Exploited Vulnerabilities (KEV) catalog. A significant portion of these, 10 in total, have been observed being abused by ransomware gangs, highlighting the severe impact of unpatched Adobe software.
Organizations utilizing Adobe ColdFusion or Adobe Campaign Classic are strongly urged to review the latest security advisories and apply the provided patches immediately. The potential for unauthenticated remote code execution and arbitrary code execution makes these vulnerabilities a critical priority for patching to prevent widespread compromise.