Adobe ColdFusion path-traversal to arbitrary code execution
Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.
- Vendor
- Adobe
- Product
- ColdFusion (2023 through update 20; 2025 through update 9)
- CVSS
- 10.0
- EPSS (exploit probability)
- 1.0%
- Status
- kev
- Published
CVE-2026-48282 is a path-traversal flaw (CWE-22) in Adobe ColdFusion that permits arbitrary code execution against an internet-reachable server with no authentication and no user interaction. NVD assigns a CVSS 3.1 base score of 10.0 with vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Affected
- Adobe ColdFusion 2023 — update 20 and earlier
- Adobe ColdFusion 2025 — update 9 and earlier
Patched
Adobe released fixes on 2026-07-01 in advisory APSB26-68 — ColdFusion 2023 update 21 and ColdFusion 2025 update 10. Adobe rated the update Priority 1 and asked customers to apply within 72 hours.
Timeline
- 2026-06-30 — NVD publishes CVE-2026-48282. Adobe posts APSB26-68.
- 2026-07-01 — Adobe releases patched builds (2023 update 21, 2025 update 10) and asks customers to apply within 72 hours.
- 2026-07-02 — Canadian Centre for Cyber Security warns of active in-the-wild exploitation (per BleepingComputer).
- 2026-07-06 — Shadowserver telemetry counts ~800 ColdFusion instances still exposed to the internet on vulnerable builds.
- 2026-07-07 — CISA adds CVE-2026-48282 to the KEV catalog under BOD 26-04 with a federal civilian due date of 2026-07-10.
KEV status
Listed on CISA’s Known Exploited Vulnerabilities catalog as of 2026-07-07. Federal civilian due date: 2026-07-10 under BOD 26-04. Covered separately in CISA: Patch ColdFusion CVE-2026-48282 by Friday.
Sourcing
- NVD: CVE-2026-48282
- Adobe advisory: APSB26-68
- BleepingComputer: Max severity Adobe ColdFusion flaw now exploited in attacks (2026-07-06)
- CISA KEV: known-exploited-vulnerabilities-catalog
