Adobe ColdFusion path traversal
Path-traversal vulnerability in Adobe ColdFusion that could result in arbitrary code execution. The highest-scored CVE in Adobe's July 2026 ColdFusion cluster. Fixed in ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22.
- Vendor
- Adobe
- Product
- ColdFusion 2025 (pre-Update 11), ColdFusion 2023 (pre-Update 22)
- CVSS
- 9.9
- EPSS (exploit probability)
- N/A
- Status
- patched
- Published
CVE-2026-48318 is a path-traversal vulnerability in Adobe ColdFusion. NVD scores it 9.9 (critical) — the highest-severity item in Adobe’s July 2026 ColdFusion release, one of eight CVEs at CVSS 9.0 or higher patched simultaneously.
The fix ships in ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22. Adobe has not marked the bug as exploited in the wild at press time. Internet-exposed ColdFusion has a long track record of KEV appearances (CVE-2023-26360, CVE-2024-20767, CVE-2024-53961) — the historical gap from public advisory to observed exploitation on ColdFusion criticals has been short.
See Adobe’s ColdFusion security bulletin index for the authoritative advisory. Sibling ColdFusion criticals in the same release: CVE-2026-48322, CVE-2026-48284, CVE-2026-48321, CVE-2026-48325, CVE-2026-48319, CVE-2026-48324, CVE-2026-48327.
Full coverage: Firefox exploit code public; Chrome, Adobe patch same day.
