Adobe Releases Patches for ColdFusion Critical Vulnerabilities
Adobe released security updates to address 11 vulnerabilities impacting the ColdFusion web app development platform and the Campaign Classic marketing automation platform. Six of these vulnerabilities carry the maximum severity rating and can be exploited in low-complexity attacks without any user interaction.
Adobe states in the advisory that it is unaware of any active exploitation of these vulnerabilities.
Adobe ColdFusion is a commercial rapid web application development platform and server that uses ColdFusion Markup Language (CFML) to build dynamic, data-driven applications. It abstracts complex backend tasks such as PDF generation, database interactions, and secure session management. The application allows developers to ship enterprise-grade applications with significantly less code.
CVE-2026-48276
The vulnerability has a CVSS score of 10. This is an unrestricted file-upload flaw that may allow the upload or transfer of dangerous file types that are automatically processed within its environment. Successful exploitation of the vulnerability may allow an attacker to achieve arbitrary code execution.
CVE-2026-48277, CVE-2026-48281, and CVE-2026-48316
These vulnerabilities have a CVSS score of 10. These are improper input validation flaws in which the product accepts input that is not validated, or that is validated incorrectly, to ensure the input has the properties required to process the data safely and correctly. Successful exploitation of these vulnerabilities may allow an attacker to achieve arbitrary code execution.
CVE-2026-48282
The vulnerability has a CVSS score of 10. This is a path traversal flaw that may allow an attacker to execute arbitrary code.
CVE-2026-48283
The vulnerability has a CVSS score of 10. This is an unrestricted file upload flaw that may allow an attacker to execute arbitrary code.
CVE-2026-48313
The vulnerability has a CVSS score of 9.3. This is a path traversal flaw that may allow an attacker to read arbitrary files.
CVE-2026-48315
The vulnerability has a CVSS score of 9.3. This is an improper input validation flaw that may allow an attacker to elevate their privileges.
CVE-2026-48307
The vulnerability has a CVSS score of 8.8. This is a cross-site scripting vulnerability that may allow an attacker to execute arbitrary code.
CVE-2026-48285
The vulnerability has a CVSS score of 8.6. This is a server-side request forgery vulnerability that may allow an attacker to bypass a security feature.
CVE-2026-48314
The vulnerability has a CVSS score of 6.5. This is a path traversal vulnerability that may allow an attacker to elevate their privileges.
Affected versions
| Product | Affected Versions | Patched Versions |
| --- | --- | --- |
| ColdFusion 2025 | Update 9 and earlier versions | Update 10 |
| ColdFusion 2023 | Update 20 and earlier versions | Update 21 |
For more information, please refer to the Adobe Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QID 387758 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
