Adobe ships APSB26-68 out of band: 11 ColdFusion CVEs, six at CVSS 10

APSB26-68 fixes 11 ColdFusion CVEs on June 30 — six at CVSS 10, all pre-auth RCE. Priority 1. Patch to 2025.10 or 2023.21 today.

Adobe shipped emergency bulletin APSB26-68 on June 30, 2026, fixing 11 CVEs in Adobe ColdFusion 2025 and ColdFusion 2023. Six carry a CVSS base score of 10.0, all pre-auth remote code execution paths reachable over HTTP. Adobe rates the bulletin Priority 1 — the tier reserved for either active exploitation or an "elevated risk of being targeted." The company says it is not currently aware of any in-the-wild exploitation of these specific CVEs at the time of publication.

What's affected

The bulletin lists the same version window for every CVE:

  • ColdFusion 2025 Update 9 and earlier
  • ColdFusion 2023 Update 20 and earlier

Fixed releases are ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. ColdFusion 2021 is out of core support and receives no fix — the runway for that branch closed with the previous cycle.

The six CVSS 10s

Each is unauthenticated, network-reachable, and yields code execution or arbitrary write:

  • CVE-2026-48276 — Unrestricted file upload (CWE-434). Upload a .jsp / .cfm, request it, get code execution.
  • CVE-2026-48283 — Second unrestricted file upload (CWE-434). Different endpoint, same outcome.
  • CVE-2026-48277 — Improper input validation (CWE-20) leading to arbitrary code execution.
  • CVE-2026-48281 — Second improper input validation (CWE-20) leading to arbitrary code execution.
  • CVE-2026-48316 — Third improper input validation (CWE-20) leading to arbitrary code execution.
  • CVE-2026-48282 — Path traversal (CWE-22) leading to arbitrary code execution.

The other five in the bulletin are still worth the patch cycle:

  • CVE-2026-48313 — Improper input validation, CVSS 9.3 — arbitrary file read for privilege escalation.
  • CVE-2026-48315 — Reflected XSS (CWE-79), CVSS 8.8 — arbitrary code execution via adjacent-network delivery.
  • CVE-2026-48307 — SSRF (CWE-918), CVSS 8.6 — security feature bypass.
  • CVE-2026-48285 — Second SSRF, security feature bypass.
  • CVE-2026-48314 — Path traversal (CWE-22), CVSS 6.5, rated Important — privilege escalation.

Adobe's bulletin does not currently list a researcher credit against the six CVSS-10 findings; it cites external submissions, and the CVEs were reserved through the standard Adobe PSIRT channel.

Exploitation status

Adobe's language is that it is "currently unaware of any exploits" for the CVEs in this bulletin. That's the standard PSIRT phrasing and does not preclude near-term weaponization once the diff between Update 9 and Update 10 is public — six pre-auth RCEs in a single release ship an enormous hint about where to look. Historical precedent is not kind: CVE-2023-26360, the March 2023 ColdFusion access-control-bypass → deserialization RCE, was under exploitation against US federal servers before CISA published advisory AA23-339A, and CVE-2024-20767 followed a near-identical curve.

Priority 1 is the operational signal. Adobe reserves it for bulletins where it expects targeting to begin quickly.

Action checklist

  1. Patch today. Move ColdFusion 2025 → Update 10; ColdFusion 2023 → Update 21. Both are on the ColdFusion download portal and via the auto-updater. The bulletin is dated June 30 and the CVE diff will be reverse-engineered within days.
  2. If you can't patch today, remove the server from the internet. Six pre-auth CVSS 10 RCEs is the profile of an emergency yank, not a maintenance-window decision. A ColdFusion admin console or /CFIDE/ path reachable from the public internet on Update 9 or Update 20 is currently one working exploit away from remote code execution.
  3. Apply the security-lockdown baseline as defense-in-depth. Follow the ColdFusion 2025 lockdown guide — least-privilege service accounts, restricted /CFIDE/administrator/, disabled RDS, disabled unused datasources. It won't kill a pre-auth file-upload RCE, but it will meaningfully bound the blast radius.
  4. Hunt for post-exploitation artifacts on any historically internet-facing instance. Look for freshly created .jsp, .cfm, .cfml, .cfc files under the webroot, the cfusion install tree, and /CFIDE/. Compare against a known-good tree from Update 9 or Update 20. Note that previous ColdFusion campaign chains routinely dropped a JSP webshell first and pivoted to persistence via new services or scheduled tasks.
  5. Audit administrator credentials. Rotate any credential that lived on a ColdFusion instance predating the patch. If the admin console was reachable externally, treat every account with an active session in the last 30 days as suspect until proven otherwise.

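Step 4 above is the one that turns into tooling. The script below is an added example written for this article, not code from Adobe or from the bulletin: it hashes every file under a known-good copy of the install tree and under the live tree, diffs the two, and flags any added or modified file whose extension is one of the executable script types the step names (.jsp, .cfm, .cfml, .cfc). For hosts where no known-good tree exists, a second routine lists script files whose modification time is newer than a cutoff you supply. The directory layout, file contents and timestamps in `make_demo_trees` are constructed for the demo and are not real ColdFusion artifacts; in production you would point `hunt()` at the real webroot and the /CFIDE/ and cfusion paths.

```python
"""Diff a live ColdFusion tree against a known-good copy and flag new or
modified server-side script files. Illustrative hunt code, not Adobe's."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the runtime executes directly; a new file of these types is the first thing to triage.
SCRIPT_EXTENSIONS = {".jsp", ".cfm", ".cfml", ".cfc"}

# Constructed "old" mtime (Nov 2023) applied to baseline files in the demo.
OLD_MTIME = 1_700_000_000


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_trees(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


def suspicious_scripts(added, modified):
    """Keep only added/modified paths whose extension is an executable script type."""
    return sorted(p for p in added + modified
                  if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)


def hunt(baseline_root, live_root):
    """Full comparison: manifest both trees, diff them, and isolate script-type changes."""
    added, modified, removed = diff_trees(build_manifest(baseline_root),
                                          build_manifest(live_root))
    return {"added": added, "modified": modified, "removed": removed,
            "suspicious": suspicious_scripts(added, modified)}


def recent_scripts(root, since_epoch):
    """Fallback when no known-good tree exists: script files modified at or after since_epoch.
    mtime is attacker-controllable, so treat this as a lead, not a verdict."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS
                  and p.stat().st_mtime >= since_epoch)


def make_demo_trees(tmp):
    """Constructed sample: a known-good tree and a live tree with two planted changes."""
    base, live = Path(tmp) / "known_good", Path(tmp) / "live"
    for root in (base, live):
        (root / "CFIDE" / "administrator").mkdir(parents=True)
        (root / "wwwroot" / "app").mkdir(parents=True)
        files = {
            root / "CFIDE" / "administrator" / "index.cfm": b"<cfoutput>admin</cfoutput>",
            root / "wwwroot" / "app" / "Application.cfc": b"component {}",
            root / "wwwroot" / "app" / "logo.png": b"\x89PNG",
        }
        for path, content in files.items():
            path.write_bytes(content)
            os.utime(path, (OLD_MTIME, OLD_MTIME))  # pretend these shipped long ago
    # Planted indicators on the live tree only (constructed, harmless placeholders):
    (live / "wwwroot" / "app" / "help.jsp").write_text("<%-- constructed placeholder --%>")
    (live / "wwwroot" / "app" / "Application.cfc").write_text("component { /* altered */ }")
    (live / "wwwroot" / "app" / "notes.txt").write_text("not a script type")
    return base, live


def run_demo():
    """Build the constructed trees in a temp dir and return (hunt result, recent script list)."""
    with tempfile.TemporaryDirectory() as tmp:
        base, live = make_demo_trees(tmp)
        return hunt(base, live), recent_scripts(live, OLD_MTIME + 1)


if __name__ == "__main__":
    result, recent = run_demo()
    for key, paths in result.items():
        print(f"{key:10s} {paths}")
    print(f"recent     {recent}")
```

On a real host, run `hunt()` with the known-good tree taken from clean Update 9 / Update 20 media rather than from another production server, since a second compromised box would mask identical implants. The `suspicious` list is the triage queue; `added` and `modified` remain useful because a webshell can also hide behind an unexpected extension that the server is configured to execute.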
Context

ColdFusion has a heavy tail of KEV entries — CVE-2023-26360, CVE-2023-38203, CVE-2023-38204, CVE-2024-20767, and CVE-2024-53961 among them — each disclosed as "not currently exploited" and each promoted to actively-exploited within weeks of patch. The pattern is repeated enough that the market has priced it in: Adobe's Priority 1 designation on APSB26-68 reads less as "we detect targeting" and more as "this is a KEV-shaped bulletin, act accordingly." A 24- to 72-hour patch window is the practical floor.

The other data point: an unrestricted-file-upload CWE-434 landing at CVSS 10 tells you the endpoint is unauthenticated and the runtime accepts direct execution of the uploaded file type — the two conditions that turn "upload" into "shell." When two of the eleven CVEs match that profile, the reasonable prior is that at least one is a pre-auth webshell drop reachable from a scanner.