Adobe Closes Seven CVSS 10.0 Vulnerabilities in ColdFusion and Campaign Classic with High Priority and No Exploitation on the Radar

Bulletin APSB26-68 fixes 11 CVEs, seven of them with the maximum rating, in ColdFusion 2025, ColdFusion 2023, and Campaign Classic 7.4.3. Adobe has assigned it Priority Rating 1, the category in which the company expects imminent exploitation.
Adobe published security bulletin APSB26-68 on Tuesday, June 30, fixing 11 vulnerabilities in ColdFusion 2025, ColdFusion 2023, and Campaign Classic 7.4.3. Seven of them are rated CVSS 10.0, the maximum score, and carry Adobe's Priority Rating 1, a category reserved for bugs the company believes attackers will target soon. Adobe states that there is no evidence of exploitation in the wild at this time, but the combination of CVSS 10 and Priority 1 follows the same pattern that preceded the addition of two ColdFusion RCEs to CISA's Known Exploited Vulnerabilities catalog in July 2023.
Six of the CVSS 10 vulnerabilities are in ColdFusion and fall into three categories: unrestricted file upload (CWE-434) in CVE-2026-48276 and CVE-2026-48283; improper input validation (CWE-20) in CVE-2026-48277, CVE-2026-48281, and CVE-2026-48316; and path traversal (CWE-22) in CVE-2026-48282. All six allow arbitrary code execution without user interaction and, in the case of the two upload vulnerabilities, without prior authentication. A remote attacker who can reach an exposed instance gains complete control of the host.
The seventh CVSS 10 vulnerability, CVE-2026-48286, affects Campaign Classic and is an improper authorization issue that also leads to arbitrary code execution. Beyond those seven, the bulletin includes CVE-2026-48313 (CVSS 9.3, arbitrary file read), CVE-2026-48315 (9.3, privilege escalation via a malicious file), CVE-2026-48307 (8.8, reflected XSS that escalates to RCE), CVE-2026-48285 (8.6, SSRF that bypasses a security protection), and CVE-2026-48314 (6.5, path traversal).
Affected Landscape and Exposure Window
The vulnerable versions are ColdFusion 2025 up to and including Update 9 and ColdFusion 2023 up to and including Update 20. The fixes ship in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. Adobe recommends installing them within 72 hours, the standard timeframe for Priority 1 bulletins. Campaign Classic receives a release after 7.4.3.
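One way to turn the version thresholds above into an inventory check, as an added example that is not Adobe's or the bulletin's own code: it assumes a constructed host inventory whose version strings have the form "ColdFusion <year> Update <n>", and it flags hosts below the fixed levels (2025 Update 10, 2023 Update 21) together with records it cannot parse, since those cannot be shown to be patched either.

```python
"""Flag ColdFusion hosts below the APSB26-68 fixed update levels.
Added example, not from the bulletin; the inventory and the
"ColdFusion <year> Update <n>" string format are constructed assumptions."""
import re

# Fixed levels stated in the bulletin: 2025 Update 10 and 2023 Update 21.
# Campaign Classic is omitted because the page does not give its fixed build.
FIXED_UPDATE = {2025: 10, 2023: 21}
VERSION_RE = re.compile(r"^ColdFusion\s+(\d{4})\s+Update\s+(\d+)$")

# Constructed sample inventory: (hostname, version string as reported).
INVENTORY = [
    ("cf-portal-01", "ColdFusion 2025 Update 9"),     # one below fixed level
    ("cf-portal-02", "ColdFusion 2025 Update 10"),    # patched
    ("cf-treasury-01", "ColdFusion 2023 Update 20"),  # vulnerable
    ("cf-treasury-02", "ColdFusion 2023 Update 21"),  # patched
    ("cf-legacy-01", "ColdFusion 2021 Update 18"),    # not covered by this bulletin
    ("cf-unknown-01", "CF 2023 U20"),                 # unparseable, needs manual review
]

def parse_version(text):
    """Return (release_year, update_number), or None if the string is not recognised."""
    m = VERSION_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(version_text):
    """Classify one host: patched, vulnerable, not-covered, or unparseable."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    year, update = parsed
    if year not in FIXED_UPDATE:
        return "not-covered"
    return "patched" if update >= FIXED_UPDATE[year] else "vulnerable"

def assess_inventory(records):
    """Map each hostname to its status."""
    return {host: assess(version) for host, version in records}

def needs_action(records):
    """Hosts to escalate: confirmed below the fixed level, or not verifiable."""
    return sorted(h for h, s in assess_inventory(records).items()
                  if s in ("vulnerable", "unparseable"))

if __name__ == "__main__":
    for host, status in assess_inventory(INVENTORY).items():
        print(f"{host:16} {status}")
```

Only parse_version() needs adapting if your inventory tool reports ColdFusion versions in a different format.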
Both ColdFusion versions remain under commercial support, but the public tracker maintained by Foundeo, a consulting firm specialized in the platform, shows a steady flow of critical bulletins since 2023. While administrators test the patch in staging, internet-exposed servers remain vulnerable, a sensitive point for government and banking applications that have kept ColdFusion interfaces for legacy internal modules.
Code Legacy and Regulatory Reading
ColdFusion is one of those platforms most CIOs assume is dead, yet it continues to support internal applications in regulated sectors. Portals for U.S. federal agencies, compliance systems at mid-sized banks in Brazil and Mexico, and line-of-business apps at Australian and British insurers still run on ColdFusion runtimes deliberately hidden behind load balancers and CDNs.
Foundeo lists dozens of bulletins published since 2023, and CISA has already used ColdFusion as a case study in its training on auditing legacy applications for civilian agencies. The pattern CISA describes is consistent across jurisdictions: applications keep operating because of functional dependency, even after migrations to modern platforms have been prioritized in roadmaps.
For security teams at banks and consulting firms still operating these applications, APSB26-68 has to be read alongside two recent regulatory developments. In the United States, CISA's BOD 25-02 directive, published in February, requires an inventory of legacy applications with third-party components in the federal environment, and ColdFusion appears among the cited examples. In the European Union, DORA requires financial institutions to report critical exposures in ICT vendors to their national regulator within 24 hours, and ColdFusion, when it supports an accounting or treasury application, falls within that scope.
A 72-hour window to apply the patch is acceptable from a technical standpoint. The question that most often stalls the operational response is a different one: if a regulator asks before the deadline, can the team prove on which instance the update was applied, when, and by whom?