CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Adobe security advisory (AV26-647) – Update 2

criticalknown exploitedpublic exploitCVE-2026-48282
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Serial number: AV26–647 Date: July 2, 2026 Updated: July 7, 2026 On June 30, 2026, Adobe published security advisories to address critical vulnerabilities in the following products: Adobe ColdFusion 2025 – Update 9 and prior Adobe ColdFusion 2023 – Update 20 and prior Adobe Campaign Classic – version ACC v7: 7.4.3 build 9396 and prior Update 1 Open-source reporting indicates that CVE-2026-48282 is being exploited. Update 2 On July 7, 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-48282 to their Known Exploited Vulnerabilities (KEV) Database. The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates. Security update available for Adobe ColdFusion | APSB26-68 Security updates available for Adobe Campaign Classic | APSB26-69 Adobe Security Advisories CISA KEV: CVE-2026-48282

CSIRTS triage

vendor: Adobeproduct: ColdFusionOtheraffected: 2025 – Update 9 and prior, 2023 – Update 20 and prior
What
Critical vulnerabilities have been identified in Adobe ColdFusion.
Who is affected
Users and administrators of Adobe ColdFusion 2025 and 2023.
Urgency
Remediation is urgent due to the critical nature of the vulnerabilities and reports of exploitation.
Action
Apply the necessary updates as per the security advisories.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch ColdFusion

Get an email when a new ColdFusion advisory drops — max one per day, one-click unsubscribe.

Details

Source
Canadian Centre for Cyber Security (CA · national-cert · site)
Severity
critical
Published
2026-07-07
Exploitation
Observed in the wild (CISA KEV)

Original advisory: https://cyber.gc.ca/en/alerts-advisories/adobe-security-advisory-av26-647

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-48282coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from Canadian Centre for Cyber Security