Adobe Patches Critical RCE Flaws in ColdFusion and Campaign Classic, Boosts Security Bulletin Cadence
Adobe has released urgent security patches addressing seven maximum-severity vulnerabilities in its **ColdFusion** web application development platform and **Campaign Classic** marketing automation platform. These critical flaws, some leading to remote code execution, are deemed high-risk due to their potential for active exploitation. In response to an evolving threat landscape, Adobe is also shifting to a twice-monthly security bulletin schedule.

**Adobe** has issued critical security updates for its **ColdFusion** and **Campaign Classic** platforms, addressing seven maximum-severity vulnerabilities. These flaws are categorized with Priority 1, indicating a high likelihood of being targeted by attackers in the wild.
"This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours)," **Adobe** stated in its advisories.
Despite the high priority, **Adobe** confirmed, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
### Critical Flaws in ColdFusion
Six of the vulnerabilities, including **CVE-2026-48276**, **CVE-2026-48277**, **CVE-2026-48281**, **CVE-2026-48316**, and **CVE-2026-48282**, impact **ColdFusion** versions 2025.9, 2023.20, and earlier. These flaws could allow unprivileged attackers to achieve remote code execution on vulnerable systems.
### Campaign Classic Vulnerability
**Campaign Classic** is affected by a single maximum-severity vulnerability, **CVE-2026-48286**, in versions 7.4.3 build 9396 and earlier. Successful exploitation could lead to arbitrary code execution within the context of the current user. Notably, this particular vulnerability only affects on-premises **Adobe Campaign** instances, including fully on-premises and hybrid deployments, as **Adobe**-hosted instances have already been patched.
### Accelerated Security Bulletin Cadence
In a strategic move to enhance customer protection, **Aanchal Gupta**, **Adobe**'s Chief Security Officer (CSO), announced a shift to a twice-monthly security bulletin publication schedule. Starting July 14, 2026, bulletins and advisories will be released on the second and fourth Tuesdays of each month.
Gupta explained, "For actively exploited vulnerabilities or externally discovered zero-day vulnerabilities, our out-of-band response process remains in effect." This change aims to deploy security updates more rapidly in an era of accelerated vulnerability discovery, partly driven by AI.
### Recent Exploits and CISA's Catalog
This update follows an emergency patch in early April for an **Acrobat Reader** vulnerability, **CVE-2026-34621**, which had been actively exploited in zero-day attacks since at least December. The **Cybersecurity and Infrastructure Security Agency (CISA)** has previously added 79 **Adobe** product security flaws to its catalog of known exploited vulnerabilities, with 10 of these having been leveraged by ransomware gangs.