Adobe Releases Patches for ColdFusion Critical Vulnerabilities

Adobe released security updates to address 11 vulnerabilities impacting the ColdFusion web app development platform and the Campaign Classic marketing automation platform. Six of these vulnerabilities carry the maximum severity rating and can be exploited in low-complexity attacks without any user interaction.

Adobe states in the advisory that it is not aware of any active exploitation of these vulnerabilities.

Adobe ColdFusion is a commercial rapid web application development platform and server that uses ColdFusion Markup Language (CFML) to build dynamic, data-driven applications. It abstracts complex backend tasks such as PDF generation, database interactions, and secure session management. The application allows developers to ship enterprise-grade applications with significantly less code.

CVE-2026-48276

The vulnerability has a CVSS score of 10. This is an unrestricted file-upload flaw that may allow the upload or transfer of dangerous file types that are automatically processed within the product's environment. Successful exploitation of the vulnerability may allow an attacker to achieve arbitrary code execution.

CVE-2026-48277, CVE-2026-48281, and CVE-2026-48316

These vulnerabilities have a CVSS score of 10. They are improper input validation flaws: the product accepts input without validating, or without correctly validating, that it has the properties required to process the data safely and correctly. Successful exploitation of these vulnerabilities may allow an attacker to achieve arbitrary code execution.

CVE-2026-48282

The vulnerability has a CVSS score of 10. This is a path traversal flaw that may allow an attacker to execute arbitrary code.

CVE-2026-48283

The vulnerability has a CVSS score of 10. This is an unrestricted file upload flaw that may allow an attacker to execute arbitrary code.

CVE-2026-48313

The vulnerability has a CVSS score of 9.3. This is a path traversal flaw that may allow an attacker to read arbitrary files.

CVE-2026-48315

The vulnerability has a CVSS score of 9.3. This is an improper input validation flaw that may allow an attacker to elevate their privileges.

CVE-2026-48307

The vulnerability has a CVSS score of 8.8. This is a cross-site scripting vulnerability that may allow an attacker to execute arbitrary code.

CVE-2026-48285

The vulnerability has a CVSS score of 8.6. This is a server-side request forgery vulnerability that may allow an attacker to bypass a security feature.

CVE-2026-48314

The vulnerability has a CVSS score of 6.5. This is a path traversal vulnerability that may allow an attacker to elevate their privileges.

Affected versions

| Product | Affected Versions | Patched Versions |
|---|---|---|
| ColdFusion 2025 | Update 9 and earlier versions | Update 10 |
| ColdFusion 2023 | Update 20 and earlier versions | Update 21 |

For more information, please refer to the Adobe Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QID 387758 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html