SYS::ONLINE
Wasteland.
Briefs1122
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48282 2026-07-07

CVE-2026-48282: Critical ColdFusion Path Traversal Under Active Exploitation

"Adobe ColdFusion contains a critical (CVSS 10.0) path traversal flaw that can lead to arbitrary code execution and is now confirmed by CISA as actively exploited."

Adobe ColdFusion contains a critical (CVSS 10.0) path traversal flaw that can lead to arbitrary code execution and is now confirmed by CISA as actively exploited.

What Is It

CVE-2026-48282 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability (CWE-22) in Adobe ColdFusion. According to the NVD record, the flaw "could lead to arbitrary code execution in the context of the current user," and exploitation does not require user interaction. The vulnerability carries a maximum CVSS 3.1 base score of 10.0 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, network-accessible, low complexity, no privileges or interaction required, with a changed scope and high impact to confidentiality, integrity, and availability.

Why It Matters

CISA added CVE-2026-48282 to its Known Exploited Vulnerabilities (KEV) catalog on 2026-07-07, confirming active exploitation in the wild. CISA's SSVC assessment marks the vulnerability as having active exploitation, "automatable: yes," and a "total" technical impact. Combined with the perfect 10.0 severity score and no need for user interaction, this represents an immediate, high-priority risk for internet-exposed ColdFusion servers. The KEV entry lists known ransomware campaign use as "Unknown."

What's Vulnerable

Per the NVD description, ColdFusion versions 2025.9, 2023.20 and earlier are affected. Affected product configurations span ColdFusion 2023 (base release through Update 20) and ColdFusion 2025 (base release and subsequent updates).

Patch Status

CISA's required action, due 2026-07-10, is to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 guidance and Forensics Triage Requirements. Follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Adobe's security bulletin (APSB26-68) provides vendor remediation details.

Sources