All news

Adobe patches 11 ColdFusion flaws, six rated CVSS 10.0

Adobe PSIRTSummarized by the ORA·tech AI assistant
SEC

Bulletin APSB26-68 fixes 11 flaws in ColdFusion 2025/2023, including six unauthenticated RCEs rated CVSS 10.0; Adobe marks it Priority 1 — update immediately.

Adobe released security bulletin APSB26-68 (June 30) fixing 11 vulnerabilities in ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier), rated Priority 1 — Adobe's highest urgency. Fixes ship in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.

Key points

  • Six flaws hit CVSS 10.0, all enabling arbitrary code execution without authentication: unrestricted upload of dangerous file types (CVE-2026-48276, CVE-2026-48283), improper input validation (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316) and path traversal (CVE-2026-48282).
  • Also fixed: arbitrary file system read CVE-2026-48313 (CVSS 9.3), privilege escalation CVE-2026-48315 (9.3), reflected XSS CVE-2026-48307 (8.8) and SSRF CVE-2026-48285 (8.6).
  • Adobe says it is not aware of in-the-wild exploitation at publication time, but Priority 1 signals a very high risk of targeting.
  • Additional guidance: update to the latest LTS JDK/JRE, set the jdk.serialFilter flag against deserialization attacks on JEE installs, and apply the Lockdown Guide.

ColdFusion still runs in many long-lived enterprise and government systems — ops teams should patch promptly.

Source
Adobe PSIRT
Read the original
#Adobe#ColdFusion#CVE#RCE#patch
This summary was written by the ORA·tech AI assistant. Read the original for full context.

Related

Chào bạn, mình là Nova. Có phần nào bạn muốn hiểu kỹ hơn không? Cứ nói với mình nhé.