SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48318 2026-07-14

Adobe ColdFusion Path Traversal Flaw (CVE-2026-48318) Rated Critical at CVSS 9.9

"A critical path traversal vulnerability in Adobe ColdFusion allows a low-privileged, network-based attacker to read arbitrary files outside the intended access scope without user interaction."

A critical path traversal vulnerability in Adobe ColdFusion allows a low-privileged, network-based attacker to read arbitrary files outside the intended access scope without user interaction.

What Is It

CVE-2026-48318 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability (CWE-22) in Adobe ColdFusion that could lead to arbitrary file system read. An attacker could exploit this flaw to access sensitive files and directories outside the intended access scope. Exploitation does not require user interaction, and the scope is changed—meaning the impact can extend beyond the initially vulnerable component.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.9 (CRITICAL) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. It is exploitable over the network with low attack complexity and only low privileges required. Despite being described as an arbitrary file read issue, the record rates confidentiality, integrity, and availability impact all as HIGH, and the changed scope elevates the overall risk. The exploitability score is 3.1 and the impact score is 6.0.

What's Vulnerable

The following Adobe products are affected:

Patch Status

Adobe has published security bulletin APSB26-82 addressing this vulnerability. Remediation is available by updating to a fixed release: ColdFusion 2025 update 11 or ColdFusion 2023 update 22, both of which are listed as unaffected. The supplied source material contains no CISA KEV entry, so there is no confirmation of active exploitation in the data provided.

Sources