Adobe ColdFusion security bulletin APSB26-68 patches 11 CVEs across ColdFusion 2025 and 2023, including critical arbitrary file read/write vulnerabilities in the RDS module and a path traversal in the CKEditor file manager upload endpoint. When RDS is enabled with authentication disabled, attackers can use the simple length-prefixed RDS RPC protocol to read or write arbitrary files, achieving remote code execution as SYSTEM by deploying a CFML webshell. A separate unauthenticated path traversal in the CKEditor file manager allows file uploads to arbitrary directories, also executing as SYSTEM.