# Adobe releases emergency ColdFusion patch APSB26-68 fixing 11 critical vulnerabilities, 6 carrying maximum CVSS 10.0 score and enabling unauthenticated remote code execution

_Thursday, July 2, 2026 at 10:44 AM EDT · Cybersecurity · Latest · Tier 2 — Notable_

![Adobe releases emergency ColdFusion patch APSB26-68 fixing 11 critical vulnerabilities, 6 carrying maximum CVSS 10.0 score and enabling unauthenticated remote code execution — Primary](https://cyberpress.org/wp-content/uploads/2026/07/anthropic-buffa-library-flaw-lets-attackers-trigger-oom-kill-via-protobuf-decoder-1-6a44e51d72b25.webp)

Adobe on June 30 released an emergency security bulletin, APSB26-68, patching 11 vulnerabilities in ColdFusion 2025 and ColdFusion 2023, six of which carry the maximum CVSS severity score of 10.0. The bulletin carries Adobe's top Priority Rating of 1, reserved for flaws that attackers are either already exploiting or are extremely likely to target soon. Adobe said it has no current evidence of in-the-wild abuse but is pressing all customers to patch without delay. The vulnerabilities enable arbitrary code execution, privilege escalation, unauthorized file system reads, and bypass of security protections. A remote attacker needing no credentials could seize full control of an exposed ColdFusion instance. Affected builds include ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier, across all supported operating systems. Fixes are in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. The six CVSS 10.0 flaws include two unrestricted file upload bugs allowing unauthenticated attackers to drop and run malicious files on the server (CVE-2026-48276, CVE-2026-48283), three improper input validation flaws achieving the same outcome through malformed request handling (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316), and a path traversal flaw leading to code execution (CVE-2026-48282).

## Sources

- [CyberPress](https://cyberpress.org/adobe-coldfusion-critical-flaws/)

---
Canonical: https://techandbusiness.org/newswire/LQk5eaqcrnD6ierE4R8GIj
Retrieved: 2026-07-02T18:08:34.230Z
Publisher: Tech & Business (techandbusiness.org)
