CVE-2026-48276, -48277, -48281, -48282, -48283, -48316 — Adobe ColdFusion: six CVSS 10.0 unauthenticated RCE paths
From CTI Daily Brief — 2026-07-02 · published 2026-07-02
Adobe's 2026-06-30 bulletin APSB26-68 fixes six maximum-severity (CVSS 10.0) remote-code-execution flaws in ColdFusion 2025 (≤ Update 9) and 2023 (≤ Update 20): two CWE-434 unrestricted-file-upload paths (CVE-2026-48276, CVE-2026-48283), three CWE-20 improper-input-validation paths (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316) and one CWE-22 path-traversal path (CVE-2026-48282). All are network-exploitable with no authentication and no user interaction (AV:N/AC:L), and every fix is rated Adobe Priority 1 ("high risk of being targeted"); Adobe states it is "not aware of any exploits in the wild for any of the issues addressed in these updates" (Adobe PSIRT APSB26-68, 2026-06-30).

A parallel same-day bulletin, APSB26-69, fixes a CVSS 10.0 CWE-863 incorrect-authorization code-execution flaw (CVE-2026-48286) in on-prem Campaign Classic 7.4.3 build 9396 and earlier, resolved in build 9397; Adobe-hosted instances were remediated server-side (Adobe PSIRT APSB26-69, 2026-06-30).

ColdFusion's history of rapid weaponisation of unauth file-upload / path-traversal primitives makes this a same-week patch priority for any internet-facing instance even absent confirmed exploitation. Fixed in ColdFusion 2025 Update 10 and 2023 Update 21; given the unauthenticated file-upload class, review upload directories (cf_scripts, CFIDE, admin upload paths) for newly written .jsp/.cfm/.cfc files outside deployment windows (Adobe PSIRT APSB26-68, 2026-06-30).
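
One way to run the upload-directory review recommended above, as an added example that is not from Adobe or from the brief: it lists .jsp/.cfm/.cfc files whose modification time falls outside known deployment windows. The function names, the `since` baseline and the demo tree are assumptions constructed for illustration; pass your own cf_scripts, CFIDE and upload directories as `roots`.

```python
import os
import tempfile
from datetime import datetime, timezone

SCRIPT_EXTS = {".jsp", ".cfm", ".cfc"}  # extensions named in the brief


def find_suspect_files(roots, deploy_windows, since):
    """Return (path, mtime) for script files modified at or after `since` whose
    mtime is outside every (start, end) window. Datetimes must be tz-aware."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path, follow_symlinks=False)
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                if mtime < since or any(s <= mtime <= e for s, e in deploy_windows):
                    continue
                hits.append((path, mtime))
    return sorted(hits, key=lambda h: h[1])


def build_demo_tree(base):
    """Constructed sample tree (hypothetical file names and timestamps)."""
    def utc(*args):
        return datetime(*args, tzinfo=timezone.utc)
    samples = {
        "cf_scripts/app.cfm": utc(2026, 6, 20, 10, 0),       # inside the window
        "cf_scripts/unexpected.jsp": utc(2026, 6, 25, 3, 0),  # outside any window
        "CFIDE/legacy.cfc": utc(2025, 1, 1),                  # older than `since`
        "CFIDE/logo.png": utc(2026, 6, 25, 3, 0),             # not a script type
    }
    for rel, ts in samples.items():
        p = os.path.join(base, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
        os.utime(p, (ts.timestamp(), ts.timestamp()))
    windows = [(utc(2026, 6, 20, 9, 0), utc(2026, 6, 20, 12, 0))]
    return windows, utc(2026, 6, 1)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        windows, since = build_demo_tree(d)
        for path, mtime in find_suspect_files([d], windows, since):
            print(mtime.isoformat(), path)
```

Modification times can be rewritten by anyone with write access to the directory, so an empty result does not clear a host; pair this check with a file-integrity baseline or a diff against the deployed package.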