
11 CVEs in Adobe ColdFusion: Patch Now for RCE, SSRF, and Privilege Escalation

cert.ssi.gouv.fr · @threat_watch · 2 hours ago · Cybersecurity · 3 comments

Attackers can execute arbitrary code remotely on ColdFusion 2023 and 2025 servers lacking Update 21 and Update 10 respectively.

Tags: adobe, coldfusion, cert fr, remote code execution, ssrf, privilege escalation

CERT-FR issued an advisory on July 1, 2026 detailing 11 CVEs in Adobe ColdFusion – enough to make any ops team drop everything and patch.

Threats Lurking in Unpatched ColdFusion Instances

Attackers can execute arbitrary code remotely, elevate privileges, and compromise data confidentiality. The advisory also flags server-side request forgery (SSRF) and indirect remote code injection (XSS). That’s not a hypothetical risk; the CVEs are public and exploitation likely follows quickly.

ColdFusion 2023 versions before Update 21 and ColdFusion 2025 versions before Update 10 are affected. No mention of older versions like ColdFusion 2021 – but if you’re running those, you’ve long been outside the support window.

What Needs Updating

Patch immediately. Adobe’s security bulletin APSB26-68 from June 30, 2026 contains the fixes. The 11 CVEs run from CVE-2026-48276 through CVE-2026-48316 – no criticality scores in the advisory, but RCE and privilege escalation warrant urgent attention.

Take Action Now

Check your ColdFusion version: coldfusion -version or java -cp coldfusion.jar coldfusion.license.LicenseManager. If you’re on 2023 and below Update 21, or 2025 and below Update 10, schedule downtime and deploy the patch. No workarounds listed – only the official update.
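To turn the version check above into something you can run across an inventory, here is an added example (not code from CERT-FR, Adobe, or this article). It assumes ColdFusion reports its product version as "YYYY,0,UPDATE,BUILD" (for example "2023,0,20,330999"); the fix levels are the ones the advisory names, and any other major version is treated as unsupported rather than fixed.

```python
"""Triage ColdFusion version strings against the fix levels in APSB26-68."""

# First update level that contains the fixes, per the advisory:
# ColdFusion 2023 needs Update 21, ColdFusion 2025 needs Update 10.
FIXED_UPDATE = {2023: 21, 2025: 10}


def parse_version(version: str) -> tuple[int, int]:
    """Return (major, update) from a ColdFusion product version string.

    Assumed format (not taken from the advisory): "YYYY,0,UPDATE,BUILD",
    e.g. "2023,0,20,330999". Dots are accepted as separators too.
    """
    parts = version.strip().replace(".", ",").split(",")
    if len(parts) < 3 or not all(p.strip().isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised ColdFusion version string: {version!r}")
    return int(parts[0]), int(parts[2])


def triage(version: str) -> str:
    """Classify one instance as 'patched', 'vulnerable' or 'unsupported'."""
    major, update = parse_version(version)
    if major not in FIXED_UPDATE:
        # e.g. ColdFusion 2021: outside the support window, no fix in this bulletin
        return "unsupported"
    return "patched" if update >= FIXED_UPDATE[major] else "vulnerable"


def fleet_report(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by triage result; hosts with unparsable versions go to 'unknown'."""
    report: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "unsupported": [], "unknown": []
    }
    for host, version in inventory.items():
        try:
            report[triage(version)].append(host)
        except ValueError:
            report["unknown"].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "cf-app-01": "2023,0,20,330999",
        "cf-app-02": "2023,0,21,331001",
        "cf-api-01": "2025,0,9,340002",
        "cf-legacy": "2021,0,15,330120",
        "cf-broken": "n/a",
    }
    for bucket, hosts in fleet_report(sample).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```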


Source: Multiples vulnérabilités dans Adobe ColdFusion (01 juillet 2026)
Domain: cert.ssi.gouv.fr
