ctipilot.ch

Adobe ColdFusion/Campaign Classic — seven CVSS 10.0 RCE flaws (APSB26-68/69)

vulnerability-trend · vuln:adobe-coldfusion-campaign-apsb26-68-69

Coverage timeline: 1 (first 2026-07-02 → last 2026-07-02)
Briefs: 1 (1 distinct)
Sources cited: 16 (12 hosts)
Sections touched: 1 (trending_vulns)
Co-occurring entities: 7 (see Related entities below)

Story timeline

  1. 2026-07-02 · CTI Daily Brief — 2026-07-02
     trending_vulns · First coverage: 6× CVSS 10.0 unauth RCE in ColdFusion + 1× CVSS 10.0 authz-bypass ACE in Campaign Classic; no ITW

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • helpx.adobe.com: 3 (19%)
  • bleepingcomputer.com: 2 (12%)
  • sansec.io: 2 (12%)
  • imperva.com: 1 (6%)
  • cyberscoop.com: 1 (6%)
  • esentire.com: 1 (6%)
  • helpnetsecurity.com: 1 (6%)
  • msrc.microsoft.com: 1 (6%)
  • other: 4 (25%)

Related entities

All cited sources (16)

Items in briefs about Adobe ColdFusion/Campaign Classic — seven CVSS 10.0 RCE flaws (APSB26-68/69) (2)

CVE-2026-48276, -48277, -48281, -48282, -48283, -48316 — Adobe ColdFusion: six CVSS 10.0 unauthenticated RCE paths

From CTI Daily Brief — 2026-07-02 · published 2026-07-02

Adobe's 2026-06-30 bulletin APSB26-68 fixes six maximum-severity (CVSS 10.0) remote-code-execution flaws in ColdFusion 2025 (≤ Update 9) and 2023 (≤ Update 20): two CWE-434 unrestricted-file-upload paths (CVE-2026-48276, CVE-2026-48283), three CWE-20 improper-input-validation paths (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316) and one CWE-22 path-traversal path (CVE-2026-48282). All are network-exploitable with no authentication and no user interaction (AV:N/AC:L), and every fix is rated Adobe Priority 1 ("high risk of being targeted"); Adobe states it is "not aware of any exploits in the wild for any of the issues addressed in these updates" (Adobe PSIRT APSB26-68, 2026-06-30). A parallel same-day bulletin, APSB26-69, fixes a CVSS 10.0 CWE-863 incorrect-authorization code-execution flaw (CVE-2026-48286) in on-prem Campaign Classic 7.4.3 build 9396 and earlier, resolved in build 9397; Adobe-hosted instances were remediated server-side (Adobe PSIRT APSB26-69, 2026-06-30). ColdFusion's history of rapid weaponisation of unauth file-upload / path-traversal primitives makes this a same-week patch priority for any internet-facing instance even absent confirmed exploitation. Fixed in ColdFusion 2025 Update 10 and 2023 Update 21; given the unauthenticated file-upload class, review upload directories (cf_scripts, CFIDE, admin upload paths) for newly written .jsp/.cfm/.cfc files outside deployment windows (Adobe PSIRT APSB26-68, 2026-06-30).
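The hunt the brief recommends, sweeping ColdFusion upload and admin directories for .jsp/.cfm/.cfc files whose modification time falls outside a known deployment window, can be scripted. The block below is an added example written for this page, not Adobe's or any vendor's tooling; the directory names cf_scripts and CFIDE come from the brief, while the deployment window, the sample files and their timestamps are constructed in a temporary directory so the script runs offline. On a real host you would pass the actual web-root subdirectories and your change-management windows instead.

```python
"""Hunt for server-side scripts (.jsp/.cfm/.cfc) written outside deployment
windows in ColdFusion upload/admin directories.  Added example: directory
names follow the brief; windows, files and timestamps are constructed."""
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Extensions a script dropped through an unrestricted upload would typically use.
SCRIPT_EXTENSIONS = {".jsp", ".cfm", ".cfc"}


def in_any_window(ts, windows):
    """True if timestamp ts lies inside one of the (start, end) deployment windows."""
    return any(start <= ts <= end for start, end in windows)


def find_unexpected_scripts(roots, windows, extensions=SCRIPT_EXTENSIONS):
    """Walk each root; return (relative_path, mtime_iso) for every script file
    whose mtime is outside every deployment window, sorted for stable reports."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if not path.is_file() or path.suffix.lower() not in extensions:
                continue
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if not in_any_window(mtime, windows):
                findings.append((str(path.relative_to(root)), mtime.isoformat()))
    return sorted(findings)


def build_demo_tree():
    """Constructed ColdFusion-like tree (assumption, not a real install): one
    .cfm written during a deployment, one .jsp written at 03:00 UTC three
    days later, which is the pattern the hunt should surface."""
    base = Path(tempfile.mkdtemp(prefix="cf-hunt-"))
    deploy = datetime(2026, 6, 30, 18, 0, tzinfo=timezone.utc)
    windows = [(deploy - timedelta(hours=1), deploy + timedelta(hours=1))]
    legit = base / "cf_scripts" / "scripts" / "ajax" / "app.cfm"
    suspect = base / "CFIDE" / "upload" / "img.jsp"
    for p in (legit, suspect):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<!-- constructed sample file -->")
    os.utime(legit, times=(deploy.timestamp(), deploy.timestamp()))
    odd = (deploy + timedelta(days=3, hours=9)).timestamp()
    os.utime(suspect, times=(odd, odd))
    return base, windows


def demo_findings():
    """Run the hunt over the constructed tree and return the findings."""
    base, windows = build_demo_tree()
    return find_unexpected_scripts([base / "cf_scripts", base / "CFIDE"], windows)


if __name__ == "__main__":
    for rel, when in demo_findings():
        print(f"OUTSIDE WINDOW: {rel} written {when}")
```

The script keys on mtime only; an attacker can reset timestamps, so treat a clean result as one signal among several (inode change time via `stat().st_ctime`, file integrity baselines, and web-server access logs for requests to the same paths) rather than as proof of absence.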

CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

Versions below 1.11.12 pass the attacker-controlled CacheWarmer cookie to PHP's native unserialize() without restricting instantiable classes, letting an unauthenticated attacker trigger gadget chains in Magento's Laminas/Zend dependency tree for remote code execution from any storefront page — "no authentication, no admin session and no config toggle required" (Sansec, 2026-05-26). Sansec discovered the flaw and shipped a detection rule on 24 April under coordinated disclosure (patch 25 May); Imperva has since observed active exploitation campaigns delivering base64-encoded serialized objects (Imperva, 2026-05-29). CISA added it to KEV on 2026-06-03. Successful exploitation yields web-root access for webshell persistence (T1505.003) and .env / config/env.php credential theft. Fix: upgrade to ≥1.11.12; interim, block or sanitise the CacheWarmer cookie at the WAF/reverse proxy.