Adobe June 2026 Patch Tuesday: The Rare 'Unicorn' CVSS 10 Bugs and How the 123-Fix Release Compares to Microsoft's Record-Breaker

Despite the severity, Adobe stated it was not aware of any active attacks exploiting these Campaign Classic flaws at the time of release. However, security researchers urged immediate patching, expecting heavy research into creating proof-of-concept exploits . The fix applies to Campaign Classic ACC v7 build 9394 and earlier on both Windows and Linux platforms .

Priority 1 Deployments: ColdFusion and Campaign Classic

Alongside Campaign Classic, Adobe's ColdFusion updates (APSB26-64) were assigned a deployment priority rating of 1, the company's highest level, reserved for vulnerabilities that have a high risk of being targeted . Adobe patched critical and important vulnerabilities in ColdFusion 2025 and 2023 that could result in arbitrary code execution, privilege escalation, and security feature bypass .

Only the Campaign Classic and ColdFusion bulletins received this Priority 1 designation. All other products in the June release, including Experience Manager and InDesign, were assigned Priority 3, indicating Adobe currently considers them less likely to be exploited in real-world attacks .

Scope of Fixes Across All Affected Products

The 123 unique CVEs were released across 11 security advisories. According to Qualys, 47 of the patched vulnerabilities were rated critical, with exploitation potentially leading to arbitrary code execution, privilege escalation, and security feature bypass . The full list of affected products included:

• Adobe Experience Manager and Experience Manager Forms: A significant portion of the vulnerabilities were concentrated here, including numerous cross-site scripting (XSS) flaws that could lead to arbitrary code execution .
• Adobe ColdFusion (APSb26-64): Critical and important vulnerabilities in versions 2025 and 2023 leading to code execution and privilege escalation .
• Adobe Campaign Classic (APSB26-66): The two rare CVSS 10 vulnerabilities allowing arbitrary code execution .
• Adobe Acrobat and Reader, InDesign, InCopy, Substance 3D Sampler, Content Credentials SDK, Dreamweaver, and Format Plugins: All received patches for critical and important flaws involving code execution, memory leaks, and denial-of-service .

For several products, including Content Credentials SDK and InDesign, Adobe explicitly confirmed it was not aware of any exploits in the wild for the addressed issues .

Adobe vs. Microsoft: A Tale of Two Patch Tuesdays

Adobe's 123-vulnerability release, while massive, was dramatically overshadowed by Microsoft's record-setting June 2026 Patch Tuesday, which was reported by various security firms as patching between 198 and 211 vulnerabilities .

Microsoft's release was a historic outlier, smashing its previous record of 175 CVEs set in October 2025 . When factoring in Chromium-based browser patches for Edge, the total number of vulnerabilities addressed by Microsoft in June soared to over 570, sparking industry discussion about a "Patch Apocalypse" . Adobe's release, though substantial, was more in line with its trend of large, quarterly-aligned updates .

What IT Teams Should Prioritize Now

For system administrators, the deployment priority is clear. The Adobe Campaign Classic and ColdFusion updates should be at the top of the patch list due to their Priority 1 rating and the severe nature of the vulnerabilities, particularly the two CVSS 10 bugs. While no exploits have been detected in the wild, the potential impact and the historical pattern of ColdFusion being a popular target for attackers make rapid patching essential .