Adobe ColdFusion contains a critical (CVSS 10.0) path traversal flaw that can lead to arbitrary code execution and is now confirmed by CISA as actively exploited.
What Is It
CVE-2026-48282 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability (CWE-22) in Adobe ColdFusion. According to the NVD record, the flaw "could lead to arbitrary code execution in the context of the current user," and exploitation does not require user interaction. The vulnerability carries a maximum CVSS 3.1 base score of 10.0 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, network-accessible, low complexity, no privileges or interaction required, with a changed scope and high impact to confidentiality, integrity, and availability.
Why It Matters
CISA added CVE-2026-48282 to its Known Exploited Vulnerabilities (KEV) catalog on 2026-07-07, confirming active exploitation in the wild. CISA's SSVC assessment marks the vulnerability as having active exploitation, "automatable: yes," and a "total" technical impact. Combined with the perfect 10.0 severity score and no need for user interaction, this represents an immediate, high-priority risk for internet-exposed ColdFusion servers. The KEV entry lists known ransomware campaign use as "Unknown."
What's Vulnerable
Per the NVD description, ColdFusion versions 2025.9, 2023.20 and earlier are affected. Affected product configurations span ColdFusion 2023 (base release through Update 20) and ColdFusion 2025 (base release and subsequent updates).
Patch Status
CISA's required action, due 2026-07-10, is to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 guidance and Forensics Triage Requirements. Follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Adobe's security bulletin (APSB26-68) provides vendor remediation details.