Adobe has released critical security updates for ColdFusion and Campaign Classic. CVE-2026-47928 (ColdFusion, CVSS 9.6) allows arbitrary code execution with no user interaction required. CVE-2026-48303 (Campaign Classic, CVSS 10.0 — maximum severity) enables arbitrary code execution through incorrect authorization.
What Are the Vulnerabilities?
CVE-2026-47928 — ColdFusion RCE (CVSS 9.6, CWE-20): An improper input validation vulnerability in Adobe ColdFusion versions 2023.19, 2025.8, and earlier. Exploitation requires no user interaction, and the scope is changed, meaning the vulnerable component can impact resources beyond its security scope. ColdFusion is widely deployed in government, education, and enterprise environments for web application hosting.
CVE-2026-48303 — Campaign Classic RCE (CVSS 10.0, CWE-863): An incorrect authorization vulnerability in Adobe Campaign Classic versions 7.4.3 build 9394 and earlier. It is rated CVSS 10.0, the maximum possible severity, with scope changed. Campaign Classic is Adobe’s enterprise marketing automation platform deployed in large organisations for customer communication management.
- CVE-2026-47928: CVSS 9.6 — ColdFusion
- CVE-2026-48303: CVSS 10.0 — Campaign Classic (maximum severity)
Which Versions Are Affected?
- Adobe ColdFusion: 2023.19, 2025.8, and earlier
- Adobe Campaign Classic: 7.4.3 build 9394 and earlier
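To turn the affected ranges above into a patch-first worklist, the following added example (not Adobe's code and not part of the original advisory) classifies an asset inventory against the versions listed here. It assumes versions are recorded in the notation this advisory uses ("2023.19", "7.4.3 build 9394"); the inventory, hostnames and status labels are constructed, and "above-range" only means newer than the last affected version listed here.

```python
import re

# Last affected versions as stated in this advisory.
CF_LAST_AFFECTED = {2023: 19, 2025: 8}       # release train -> update level
ACC_LAST_AFFECTED = ((7, 4, 3), 9394)        # (version, build)

def coldfusion_status(version):
    """Classify '<release>.<update>' (the advisory's notation, e.g. '2023.19')."""
    m = re.fullmatch(r"\s*(\d{4})\.(\d+)\s*", version)
    if not m:
        return "unparsed"
    release, update = int(m.group(1)), int(m.group(2))
    if release not in CF_LAST_AFFECTED:
        # Only the 2023 and 2025 trains are named; do not guess for others.
        return "not-listed"
    return "affected" if update <= CF_LAST_AFFECTED[release] else "above-range"

def campaign_status(version):
    """Classify '<x.y.z> build <n>' (e.g. '7.4.3 build 9394')."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s+build\s+(\d+)\s*", version, re.I)
    if not m:
        return "unparsed"
    installed = (tuple(int(g) for g in m.group(1, 2, 3)), int(m.group(4)))
    return "affected" if installed <= ACC_LAST_AFFECTED else "above-range"

CHECKS = {"coldfusion": coldfusion_status, "campaign-classic": campaign_status}
PRIORITY = {"affected": 0, "unparsed": 1, "not-listed": 1, "above-range": 2}

def triage(inventory):
    """Return (host, product, version, status) rows, patch-first order."""
    rows = [(h, p, v, CHECKS[p](v)) for h, p, v in inventory if p in CHECKS]
    return sorted(rows, key=lambda r: (PRIORITY[r[3]], r[0]))

# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = [
    ("cf-edu-01.example.internal", "coldfusion", "2025.9"),
    ("cf-gov-02.example.internal", "coldfusion", "2023.19"),
    ("cf-old-03.example.internal", "coldfusion", "2021.22"),
    ("acc-mkt-01.example.internal", "campaign-classic", "7.4.3 build 9394"),
    ("acc-mkt-02.example.internal", "campaign-classic", "7.4.3 Build 9401"),
    ("cf-raw-04.example.internal", "coldfusion", "2023,0,19"),
]

if __name__ == "__main__":
    for host, product, version, status in triage(INVENTORY):
        print(f"{status:12} {host:30} {product:17} {version}")
```

Rows marked "not-listed" or "unparsed" need a manual check against APSB26-64 or APSB26-66 rather than being treated as safe.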
What Is the Fix?
Apply the Adobe security updates immediately. ColdFusion: APSB26-64. Campaign Classic: APSB26-66.
Recommendations
Patch ColdFusion today. Internet-facing ColdFusion servers are trivially exploitable at CVSS 9.6 with no user interaction. Campaign Classic at CVSS 10.0 demands the same urgency. Adobe ColdFusion vulnerabilities have a well-documented history of rapid mass exploitation — do not defer these patches.
References
- APSB26-64 (ColdFusion)
- APSB26-66 (Campaign Classic)
- Vulnerability Intelligence Report — June 10, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 10, 2026.
