Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-48282

Adobe ColdFusion path-traversal to arbitrary code execution

Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.

cat cve-2026-48282.json
Vendor
Adobe
Product
ColdFusion (2023 through update 20; 2025 through update 9)
CVSS
10.0
EPSS (exploit probability)
1.0%
Status
kev
Published

CVE-2026-48282 is a path-traversal flaw (CWE-22) in Adobe ColdFusion that permits arbitrary code execution against an internet-reachable server with no authentication and no user interaction. NVD assigns a CVSS 3.1 base score of 10.0 with vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected

  • Adobe ColdFusion 2023 — update 20 and earlier
  • Adobe ColdFusion 2025 — update 9 and earlier

Patched

Adobe released fixes on 2026-07-01 in advisory APSB26-68ColdFusion 2023 update 21 and ColdFusion 2025 update 10. Adobe rated the update Priority 1 and asked customers to apply within 72 hours.

Timeline

  • 2026-06-30 — NVD publishes CVE-2026-48282. Adobe posts APSB26-68.
  • 2026-07-01 — Adobe releases patched builds (2023 update 21, 2025 update 10) and asks customers to apply within 72 hours.
  • 2026-07-02 — Canadian Centre for Cyber Security warns of active in-the-wild exploitation (per BleepingComputer).
  • 2026-07-06 — Shadowserver telemetry counts ~800 ColdFusion instances still exposed to the internet on vulnerable builds.
  • 2026-07-07 — CISA adds CVE-2026-48282 to the KEV catalog under BOD 26-04 with a federal civilian due date of 2026-07-10.

KEV status

Listed on CISA’s Known Exploited Vulnerabilities catalog as of 2026-07-07. Federal civilian due date: 2026-07-10 under BOD 26-04. Covered separately in CISA: Patch ColdFusion CVE-2026-48282 by Friday.

Sourcing