Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Threat Actors Uses Agentic AI to Rapidly Compromise Cloud Target

July 8, 2026

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

July 8, 2026

NCSC Touts National Scale, AI-Powered “Cyber Shield” for Defense

July 8, 2026
Facebook X (Twitter) Instagram
Wednesday, July 8
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic
News

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

Team-CWDBy Team-CWDJuly 8, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic.

The ColdFusion updates “resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass,” Adobe said in an alert released Tuesday.

The vulnerabilities are listed below –

  • CVE-2026-48276, CVE-2026-48283 (CVSS scores: 10.0) – Unrestricted upload of file with dangerous type vulnerabilities that could lead to arbitrary code execution
  • CVE-2026-48277, CVE-2026-48281, CVE-2026-48316 (CVSS scores: 10.0) – Improper input validation vulnerabilities that could lead to arbitrary code execution
  • CVE-2026-48282 (CVSS score: 10.0) – A path traversal vulnerability that could lead to arbitrary code execution
  • CVE-2026-48313 (CVSS score: 9.3) – A path traversal vulnerability that could lead to arbitrary file system read
  • CVE-2026-48315 (CVSs score: 9.3) – An improper input validation vulnerability that could lead to privilege escalation

The issues have been addressed in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Security researchers Anirudh Anand, Matan Sandori, and 2Bsecure have been credited with discovering and reporting CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307.

Separately, Adobe has also shipped fixes to close out a critical flaw in Adobe Campaign Classic impacting versions ACC v7: 7.4.3 build 9396 and earlier for Windows and Linux that could result in arbitrary code execution.

The vulnerability, tracked as CVE-2026-48286 (CVSS score: 10.0), is a case of incorrect authorization that could enable an attacker to execute arbitrary code on affected systems. It has been patched in version ACC v7: 7.4.3 build 9397.

Adobe noted that CVE-2026-48286 only impacts on-premise Adobe Campaign instances, including fully on-premise deployments and on-premise components in hybrid deployments. Adobe-hosted instances have already been updated and require no action.

The company also emphasized that it has not found any exploits in the wild for any of the issues addressed as part of the two updates.

The disclosure comes as Adobe said it’s moving from monthly to twice-monthly publication of security bulletins and advisories on the second and fourth Tuesday of each month starting July 14, 2026, as a direct result of accelerated vulnerability discovery using artificial intelligence (AI) models.

“The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours,” Adobe’s Chief Security Officer Aanchal Gupta said. “We are applying AI to find and fix vulnerabilities first, and getting those fixes to customers faster is the natural next step.”

Update

In a follow-up analysis, watchTowr Labs described CVE-2026-48282 as a case of arbitrary file write and CVE-2026-48313 as an instance of arbitrary file read, with the same fixes also “quietly eliminating” a number of issues involving arbitrary file move, file delete, directory creation, and directory listing.

The patch for CVE-2026-48276, a file upload path traversal flaw, introduces a couple of newly disallowed file extensions, such as jspf, cfmail, and war. “It also adds a new block to prevent path traversal during file uploads,” security researcher Sina Kheirkhah said.

It’s worth noting that both the vulnerable and patched versions contain a configuration that disables file uploads by default, meaning the vulnerable functionality has to be first explicitly enabled.

“However, once enabled, the upload endpoint appears to be reachable without authentication. Triggering the vulnerability is then as simple as sending a file upload request containing a path traversal payload in the path parameter. The uploaded file is written to disk as NT AUTHORITYSYSTEM, making the impact fairly obvious.”

CVE-2026-48282 Comes Under Exploitation

The Adobe ColdFusion path traversal vulnerability tracked as CVE-2026-48282 has come under active exploitation with hours of public disclosure, with a single exploitation attempt recorded from an IP address geolocated to India (“103.207.14[.]220”).

“The attacker tried to read ‘C:Windowswin.ini’ with the following payload: ‘2:000018:C:Windowswin.ini00004:READ,'” Ryan Dewhurst, security researcher and founder of KEVIntel, told The Hacker News. 

(The story was updated after publication on July 3, 2026, to reflect the latest developments.)



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleNCSC Touts National Scale, AI-Powered “Cyber Shield” for Defense
Next Article Threat Actors Uses Agentic AI to Rapidly Compromise Cloud Target
Team-CWD
  • Website

Related Posts

News

Threat Actors Uses Agentic AI to Rapidly Compromise Cloud Target

July 8, 2026
News

NCSC Touts National Scale, AI-Powered “Cyber Shield” for Defense

July 8, 2026
News

AI-Generated Browser Ransomware Abuses Chromium API on Windows, Linux, macOS, Android

July 8, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Why geopolitical turmoil is a gift for scammers, and how to stay safe

May 15, 2026

Why that next data breach alert could be a trap

April 18, 2026

Chronology of a Skype attack

February 5, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.