Adobe has released emergency security updates to fix seven critical vulnerabilities affecting its ColdFusion web application development platform and Campaign Classic marketing automation software.
The company is urging administrators to install the patches as soon as possible because the flaws carry a high risk of future attacks.
According to Adobe, all seven vulnerabilities have received the highest severity rating and can be exploited through low-complexity attacks without requiring any user interaction. The company assigned the updates a Priority 1 rating, recommending that affected organizations apply the patches within 72 hours.
Six of the vulnerabilities impact Adobe ColdFusion 2025.9, 2023.20, and earlier versions. Tracked as CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, and another related critical flaw, they could allow attackers without any privileges to execute arbitrary code remotely on unpatched servers.
Adobe also fixed a maximum-severity vulnerability in Campaign Classic, tracked as CVE-2026-48286. The flaw affects Campaign Classic version 7.4.3 build 9396 and earlier and could allow attackers to execute arbitrary code in the context of the current user. Adobe clarified that the issue only impacts on-premises deployments, including hybrid environments with on-premises components, while Adobe-hosted instances have already been secured.
Although Adobe has classified these vulnerabilities as high priority, the company said it is not aware of any active attacks exploiting the flaws at this time.
Alongside the security updates, Adobe announced changes to its security release schedule. Starting July 14, 2026, the company will publish security bulletins and advisories twice each month, on the second and fourth Tuesday, instead of following a monthly schedule. Adobe said the change will allow it to deliver security fixes more quickly, while emergency out-of-band updates will continue for actively exploited or zero-day vulnerabilities.
Earlier this year, Adobe also released emergency patches for Adobe Acrobat Reader to address CVE-2026-34621, a zero-day vulnerability that had been exploited in attacks since at least December.
Adobe products continue to be a frequent target for cybercriminals. Over the past five years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 79 Adobe vulnerabilities to its catalog of actively exploited security flaws, with 10 of those vulnerabilities also linked to ransomware attacks.
Adobe Urges Immediate Updates After Fixing Critical ColdFusion and Campaign Classic Flaws





