SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48319 2026-07-14

Adobe ColdFusion Path Traversal Flaw Enables Remote Code Execution (CVE-2026-48319)

"A critical path traversal vulnerability in Adobe ColdFusion can lead to arbitrary code execution without user interaction, carrying a CVSS score of 9.1."

A critical path traversal vulnerability in Adobe ColdFusion can lead to arbitrary code execution without user interaction, carrying a CVSS score of 9.1.

What Is It

CVE-2026-48319 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability (CWE-22) affecting Adobe ColdFusion. According to Adobe's advisory, the flaw could result in arbitrary code execution in the context of the current user. Exploitation does not require user interaction, and the vulnerability changes scope; meaning an exploit can impact resources beyond the initially compromised component.

Why It Matters

The vulnerability is rated CRITICAL with a CVSS 3.1 base score of 9.1 (vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). It is network-exploitable with low attack complexity and no user interaction required, though it does require high privileges. Successful exploitation yields high impact to confidentiality, integrity, and availability. Because the outcome is arbitrary code execution with a changed scope, an attacker who leverages this flaw could gain significant control over an affected server.

What's Vulnerable

The following Adobe ColdFusion products and versions are affected:

Patch Status

Adobe has published security bulletin APSB26-82 addressing this issue. Based on the version data, remediation is available by updating to the fixed releases: ColdFusion 2025 update 11 or ColdFusion 2023 update 22. Administrators should apply the corresponding update to affected installations. This CVE does not appear in the supplied CISA KEV data, so there is no confirmation of active exploitation at this time.

Sources