Adobe patches seven maximum-severity ColdFusion and Campaign flaws and shifts to twice-monthly bulletins
Nine fixes, seven of them CVSS 10.0, and one already being probed within two days of disclosure as Adobe blames an AI-shortened window between advisory and attack.

Janet Torvalds
July 4, 2026
Adobe shipped fixes on July 1 for nine vulnerabilities across ColdFusion and Campaign Classic, seven of them rated CVSS 10.0. Every one of the top seven leads to arbitrary code execution, and all were tagged priority 1, Adobe's label for the flaws it expects to be attacked first. Two days later, one of them was already being probed in the wild.
What got patched
The ColdFusion advisory (APSB26-68) covers eight of the nine issues. Five are straight arbitrary-code-execution bugs at CVSS 10.0: two unrestricted-file-upload flaws (CVE-2026-48276, CVE-2026-48283), three improper-input-validation flaws (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316), and one path traversal (CVE-2026-48282). Two more, an arbitrary file read (CVE-2026-48313) and a privilege escalation (CVE-2026-48315), sit at 9.3. The fixes are in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10.
The ninth issue is in Campaign Classic. CVE-2026-48286 (CVSS 10.0) is an incorrect-authorization bug that lets an attacker run code on the server. It hits on-premise Campaign deployments, including the on-premise pieces of hybrid setups. Adobe-hosted instances were already patched and need no action. The fix for everyone else is ACC v7 build 9397.
The mechanism, not the score
A 10.0 tells you the worst case, not how you get there. For the ColdFusion file-upload path, the worst case is real but gated. Both the vulnerable and patched builds disable file uploads by default, so the dangerous endpoint only exists once an administrator turns the feature on. Once it is on, though, security researcher Sina Kheirkhah found the upload endpoint is reachable without authentication, and a path-traversal payload in the request writes a file to disk as NT AUTHORITY\SYSTEM. That is the whole exploit: enable a feature, send one request, land a file with SYSTEM privileges. The patch adds newly disallowed extensions (jspf, cfmail, war among them) and a check to block traversal during upload.
watchTowr Labs, digging through the same fixes, described CVE-2026-48282 as an arbitrary file write and CVE-2026-48313 as an arbitrary file read, and noted the patches quietly close several related file-move, delete, and directory bugs that never got their own CVE.
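The two checks the patch is described as adding, an extension denylist and a traversal block at upload time, look like this when written out. This is an added illustration in Python, not Adobe's code; the function names are hypothetical, and the denylist holds only the three extensions the article names.

```python
import os

# Only the extensions named in the article; the patch's full list is longer.
BLOCKED_EXTENSIONS = {"jspf", "cfmail", "war"}


def resolve_upload(base_dir, client_name):
    """Return the absolute destination for an upload or raise ValueError."""
    if not client_name or "\x00" in client_name:
        raise ValueError("empty name or NUL byte")
    # Either separator ends the discussion, whatever OS the server runs on.
    # ':' covers drive-relative names (C:x) and NTFS streams (x.war::$DATA).
    if any(ch in client_name for ch in "/\\:"):
        raise ValueError("separator or stream marker in file name")
    # Windows drops trailing dots and spaces, so "x.war." is stored as "x.war".
    leaf = client_name.rstrip(". ")
    if not leaf:
        raise ValueError("not a file name")
    ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    if ext in BLOCKED_EXTENSIONS:
        raise ValueError("blocked extension: " + ext)
    # Second layer: resolve symlinks and confirm the result stays inside base.
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, leaf))
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes upload directory")
    return dest


def rejection_reason(base_dir, client_name):
    """Return None if the name is accepted, else the reason it was refused."""
    try:
        resolve_upload(base_dir, client_name)
    except ValueError as exc:
        return str(exc)
    return None
```

The article describes the patch as extending a denylist; an allowlist of the extensions the application actually expects is the stricter design.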
Adobe said no exploits, then there were
When the bulletin went out, Adobe said it had found no exploits in the wild for any of the nine. That held for about two days. On July 3, KEVIntel founder Ryan Dewhurst told The Hacker News that CVE-2026-48282 was being actively probed, a single attempt from an IP geolocated to India trying to read C:\Windows\win.ini with a traversal payload. One IP reading a harmless system file is not a breach, and it is worth keeping that in proportion. But it is a working proof that the gap between a public advisory and the first probe is now measured in hours.
That timeline is Adobe's own argument for the other half of this week's news.
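A probe like the one reported, a traversal payload aimed at C:\Windows\win.ini, can be surfaced from web access logs. The sweep below is an added example, not taken from any of the cited sources; the log lines are constructed, the addresses are documentation ranges, and /EXAMPLE/endpoint is a placeholder, not a real ColdFusion path.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined-log style.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2026:09:14:02 +0000] "GET /EXAMPLE/endpoint?file=..%2f..%2f..%2fWindows%2fwin.ini HTTP/1.1" 200 92
198.51.100.4 - - [03/Jul/2026:09:15:10 +0000] "GET /index.cfm?page=about HTTP/1.1" 200 5120
203.0.113.7 - - [03/Jul/2026:09:16:44 +0000] "GET /EXAMPLE/endpoint?file=%252e%252e%255c%252e%252e%255cWindows%255cwin.ini HTTP/1.1" 404 0
198.51.100.9 - - [03/Jul/2026:09:17:01 +0000] "GET /docs/v1..2/notes.txt HTTP/1.1" 200 300
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# A ".." that forms a whole path segment, not dots inside a name like "v1..2".
DOTDOT = re.compile(r"(^|[/=&?])\.\.(/|$)")


def normalise(target, max_rounds=3):
    """Undo nested percent-encoding, then fold backslashes into slashes."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def find_traversal(log_text):
    """Return one record per request whose decoded target contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        decoded = normalise(target)
        if DOTDOT.search(decoded):
            hits.append({
                "ip": ip,
                "target": decoded,
                "status": int(status),
                # A 2xx answer means the server returned something: triage first.
                "served": status.startswith("2"),
                "win_ini": decoded.lower().endswith("win.ini"),
            })
    return hits
```

A hit with `served` set deserves a look at the response size and at what else that source requested; a 404 is an attempt that found nothing at that path.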
Adobe doubles its bulletin cadence
Starting July 14, Adobe moves from monthly security bulletins to twice-monthly, publishing on the second and fourth Tuesday of each month. Chief Security Officer Aanchal Gupta tied the change directly to AI-accelerated vulnerability discovery.
"The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours.
"We are applying AI to find and fix vulnerabilities first, and getting those fixes to customers faster is the natural next step."
Read skeptically, that is a vendor explaining why it is about to ship more patches more often, which is not a hard sell. Read against the CVE-2026-48282 timeline, it is harder to dismiss. Adobe is not the only large vendor restructuring its release schedule around this. Apple pulled its iPhone security fixes out of the feature-update cycle last week citing the same pressure, and the industry's own forecasters at FIRST raised the 2026 CVE projection to roughly 66,000 as AI takes over bug hunting. A faster patch clock only helps if defenders can absorb it. Twice-monthly bulletins mean twice as many emergency change windows for the teams running these servers, and the ColdFusion set landed on a holiday week in the United States.
If you run this
Patch ColdFusion to 2023 Update 21 or 2025 Update 10, and Campaign Classic on-premise to build 9397. If you have ColdFusion file uploads enabled, that is the one to treat as urgent given the active probing. If you never turned uploads on, the file-upload flaws are not reachable, though the input-validation and traversal bugs still warrant the update. Adobe-hosted Campaign customers are already covered.
Sources (5)
- Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic (thehackernews.com)
- Adobe patches seven max severity ColdFusion, Campaign flaws (www.bleepingcomputer.com)
- Adobe Patches Critical ColdFusion, Campaign Classic Vulnerabilities (www.securityweek.com)
- Adobe Security Bulletin APSB26-68 (ColdFusion) (helpx.adobe.com)
- Adobe Security Bulletin APSB26-69 (Campaign Classic) (helpx.adobe.com)