A critical path traversal vulnerability in Adobe ColdFusion allows a low-privileged, network-based attacker to read arbitrary files outside the intended access scope without user interaction.
What Is It
CVE-2026-48318 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability (CWE-22) in Adobe ColdFusion that could lead to arbitrary file system read. An attacker could exploit this flaw to access sensitive files and directories outside the intended access scope. Exploitation does not require user interaction, and the scope is changed—meaning the impact can extend beyond the initially vulnerable component.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.9 (CRITICAL) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. It is exploitable over the network with low attack complexity and only low privileges required. Despite being described as an arbitrary file read issue, the record rates confidentiality, integrity, and availability impact all as HIGH, and the changed scope elevates the overall risk. The exploitability score is 3.1 and the impact score is 6.0.
What's Vulnerable
The following Adobe products are affected:
- ColdFusion 2025: versions up to and including update 10 are affected; update 11 is unaffected.
- ColdFusion 2023: versions up to and including update 21 are affected; update 22 is unaffected.
Patch Status
Adobe has published security bulletin APSB26-82 addressing this vulnerability. Remediation is available by updating to a fixed release: ColdFusion 2025 update 11 or ColdFusion 2023 update 22, both of which are listed as unaffected. The supplied source material contains no CISA KEV entry, so there is no confirmation of active exploitation in the data provided.