Software maker Adobe on Tuesday issued an urgent warning about “very limited attacks” exploiting a zero-day vulnerability in its Adobe ColdFusion web app development platform.
Adobe’s warning was embedded in a critical-severity level advisory that contains patches for ColdFusion versions 2021 and 2018.
“Adobe is aware that CVE-2023-26360 has been exploited in-the-wild in very limited attacks targeting Adobe ColdFusion,” the company said. No other details on the in-the-wild compromises were provided.
Adobe’s PSIRT said the patches cover software defects that “could lead to arbitrary code execution, arbitrary file system read and memory leak.”
The company described the exploited vulnerability as a critical arbitrary file system read vulnerability with a CVSS base score of 8.6/10. The ColdFusion update also features a second critical bug (CVSS 9.8) that could lead to code execution attacks.
In all, Adobe released patches for a whopping 106 vulnerabilities in a wide range of products, some serious enough to expose both Windows and macOS users to remote code execution attacks.
These include:
- Four documented vulnerabilities in Adobe Commerce (formerly Magento) that could lead to arbitrary code execution, security feature bypass and arbitrary file system read. Adobe rates this a critical bulletin
- At least 18 security flaws in the Adobe Experience Manager software. “Successful exploitation of these vulnerabilities could result in arbitrary code execution, privilege escalation and security feature bypass.”
- Five critical security defects affecting Adobe Illustrator (Windows and macOS) that could lead to memory leak and arbitrary code execution.
- 58 documented CVEs in Adobe Dimension. “Successful exploitation could lead to memory leak and arbitrary code execution in the context of the current user.”
The company also fixed a critical-level vulnerability in the popular Adobe Photoshop (Windows and macOS), a separate code execution flaw in the Adobe Creative Cloud desktop application, and 16 new issues in the Adobe Substance 3D Stager.
Related: Adobe Plugs Critical Security Holes in Illustrator, After Effects Software
Related: Adobe Warns of ‘Critical’ Security Flaws in Enterprise Products
Related: Adobe Patches Gaping Security Holes in Acrobat, Reader, Photoshop

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
- Entro Raises $6M to Tackle Secrets Sprawl
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
