CVE: CVE-2026-48282 | CVSS 3.1: 10.0 (Critical) | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | CWE: CWE-22 (Path Traversal) | Vendor: Adobe | Product: ColdFusion | Affected versions: 2025.9, 2023.20 and earlier
What Is the Vulnerability
CVE-2026-48282 is an Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Adobe ColdFusion versions 2025.9, 2023.20 and earlier. Exploitation does not require user interaction (UI:N) and the scope is changed (S:C), meaning the impact extends beyond the vulnerable component. Successful exploitation can lead to arbitrary code execution in the context of the current user. Vulnerability intelligence firm KEVIntel has confirmed active exploitation in the wild. This is the latest in a series of severe ColdFusion vulnerabilities — the previous six CVSS 10.0 vulnerabilities were disclosed in late June 2026.
Versions Affected
- Adobe ColdFusion 2025.9
- Adobe ColdFusion 2023.20 and earlier
Exploited?
Yes — actively exploited in the wild. KEVIntel has confirmed that attackers are now exploiting this vulnerability. The path traversal exploitation pattern suggests attackers are using directory traversal to write malicious files to ColdFusion web-accessible directories, leading to remote code execution. BleepingComputer reports that exploitation is ongoing.
Fix
Adobe has released security updates for ColdFusion addressing CVE-2026-48282.
- Primary fix: Update ColdFusion to the latest patched version per Adobe security advisory.
- Workaround: If immediate patching is not possible, isolate ColdFusion from the internet and restrict access to trusted networks only.
Recommendations
- Patch immediately: This is a CVSS 10.0 vulnerability with confirmed active exploitation. Apply the Adobe security update without delay.
- Audit for compromise: Check ColdFusion web-accessible directories for unauthorised files. Review access logs for path traversal patterns (../ sequences in URL paths).
- Consider decommissioning: ColdFusion has a history of critical vulnerabilities. If it is not business-critical, consider decommissioning or isolating it from the network.
References
- BleepingComputer: ColdFusion actively exploited
- NVD Entry for CVE-2026-48282
- Adobe Security Advisory (ColdFusion)
- KEVIntel
Part of the Vulnerability Intelligence series on threat-modeling.com. July 7, 2026 Report.
