Adobe patches 11 ColdFusion flaws, six rated CVSS 10.0
Bulletin APSB26-68 fixes 11 flaws in ColdFusion 2025/2023, including six unauthenticated RCEs rated CVSS 10.0; Adobe marks it Priority 1 — update immediately.
Adobe released security bulletin APSB26-68 (June 30) fixing 11 vulnerabilities in ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier), rated Priority 1 — Adobe's highest urgency. Fixes ship in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
Key points
- Six flaws hit CVSS 10.0, all enabling arbitrary code execution without authentication: unrestricted upload of dangerous file types (CVE-2026-48276, CVE-2026-48283), improper input validation (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316) and path traversal (CVE-2026-48282).
- Also fixed: arbitrary file system read CVE-2026-48313 (CVSS 9.3), privilege escalation CVE-2026-48315 (9.3), reflected XSS CVE-2026-48307 (8.8) and SSRF CVE-2026-48285 (8.6).
- Adobe says it is not aware of in-the-wild exploitation at publication time, but Priority 1 signals a very high risk of targeting.
- Additional guidance: update to the latest LTS JDK/JRE, set the
jdk.serialFilterflag against deserialization attacks on JEE installs, and apply the Lockdown Guide.
ColdFusion still runs in many long-lived enterprise and government systems — ops teams should patch promptly.
Source
Adobe PSIRT
#Adobe#ColdFusion#CVE#RCE#patch
This summary was written by the ORA·tech AI assistant. Read the original for full context.