Adobe ColdFusion CVE-2026-48282 is a maximum-severity (CVSS 10.0) path-traversal flaw that lets an unauthenticated attacker reach files on a ColdFusion server over the network and run code on it. Adobe patched it on June 30, 2026; within days attackers were exploiting it in the wild, and CISA added it to its Known Exploited Vulnerabilities catalog on July 7 with a three-day federal patch deadline. If you run an internet-facing ColdFusion 2023 or 2025 server, patching this is an emergency, not a maintenance-window item.
What is CVE-2026-48282?
CVE-2026-48282 is an Improper Limitation of a Pathname to a Restricted Directory — path traversal, CWE-22 — in Adobe ColdFusion. A path traversal bug lets an attacker supply a crafted path (think ../../) to escape the directory an application is supposed to be confined to and reach files elsewhere on the system. In ColdFusion's case, Adobe's own record says the flaw "could lead to arbitrary code execution in the context of the current user" and needs no user interaction. It carries a CVSS 3.1 base score of 10.0 with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: exploitable over the network, low attack complexity, no privileges, no user interaction, and a changed scope. It affects ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier), and is fixed in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
Why a path-traversal bug scores a perfect 10
Most path-traversal bugs only let an attacker read files they shouldn't, which is bad but rarely a 10. CVE-2026-48282 scores maximum severity because of the combination the CVSS vector spells out: it is reachable by anyone on the network (PR:N, UI:N), it is easy to trigger (AC:L), and the scope is changed (S:C) — meaning the impact crosses a security boundary rather than staying inside the vulnerable component. The practical result is arbitrary code execution. On a platform like ColdFusion, a traversal that permits writing or planting a file typically becomes remote code execution the moment an attacker drops a malicious CFML template into a web-served directory and requests it. That is why a "file path" bug ends up in the same threat tier as a classic pre-auth RCE like the recent Progress Kemp LoadMaster flaw: no login, one request, code on your server.
Already under attack: the exploitation timeline
This one moved from patch to real-world attacks fast. Adobe shipped the fix on June 30 and initially reported no known exploitation, then updated its advisory to acknowledge exploitation in "limited attacks." The Canadian Centre for Cyber Security flagged attackers using CVE-2026-48282 on July 2, two days after disclosure, and KEVIntel founder Ryan Dewhurst logged exploitation attempts, including one from an IP in India. CISA then added it to the KEV catalog on Tuesday, July 7, ordering federal agencies to patch by July 10. It did not arrive alone: CISA listed it alongside three other actively exploited flaws that day, including two more perfect-10s — a Joomla SP Page Builder unauthenticated file-upload bug (CVE-2026-56290) and a JoomShaper flaw (CVE-2026-48908) — plus a Langflow authorization bypass (CVE-2026-55255). ColdFusion has been a repeat name on that KEV list for years, so treat any exposed instance as a standing target.
Am I affected, and what's fixed?
If you run ColdFusion 2023 or 2025 and have not applied the late-June update, assume you are vulnerable. The fix is a straightforward Adobe update; the urgency is what's unusual.
| ColdFusion version | Status | Action |
|---|---|---|
| 2025, Update 9 or earlier | Vulnerable | Apply Update 10 immediately |
| 2025, Update 10 | Fixed | You're patched — verify the build |
| 2023, Update 20 or earlier | Vulnerable | Apply Update 21 immediately |
| 2023, Update 21 | Fixed | You're patched — verify the build |
| Older / end-of-life releases | No fix coming | Upgrade to a supported version |
Applying the update is only half the job on an internet-exposed box; because attacks predate most patch windows, you should assume compromise is possible and hunt for it, not just close the door.
What to do now
- Patch to ColdFusion 2025 Update 10 or 2023 Update 21 on every instance, then confirm the running build actually reflects the update.
- Get ColdFusion off the open internet. The admin interface and the server itself should sit behind a VPN, an allowlist, or a reverse proxy — not be directly reachable. The general hardening baseline in our secure-first-hour VPS guide applies here: minimize what's exposed before you worry about anything else.
- Hunt for compromise. Because exploitation ran ahead of the KEV deadline, check web-served directories for unexpected
.cfm/.cfmlfiles, review access logs for traversal patterns and requests to odd paths, and inspect for new scheduled tasks or admin accounts. - If you can't patch instantly, put a WAF rule or reverse-proxy filter in front to block traversal sequences and restrict access to the ColdFusion admin endpoints as a stopgap — not a substitute for the update.
Given CISA gave federal agencies until July 10, a private ColdFusion operator should be measuring their response in hours and days, not weeks. This is the same playbook as any other patch-now advisory, such as the zero-days in June 2026's Patch Tuesday: update, reduce exposure, and check whether anyone got in first.
Frequently asked questions
Is CVE-2026-48282 being actively exploited? Yes. Adobe updated its advisory to acknowledge exploitation in limited attacks, the Canadian Centre for Cyber Security flagged in-the-wild use on July 2, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on July 7. Active exploitation is why the federal patch deadline was just three days.
Which ColdFusion versions do I need to update to? ColdFusion 2025 is fixed in Update 10 and ColdFusion 2023 is fixed in Update 21. Anything on Update 9 (2025) or Update 20 (2023) and earlier is vulnerable. Older, end-of-life ColdFusion releases will not receive a fix and should be upgraded.
Does exploiting this require a login?
No. The CVSS vector shows PR:N and UI:N — no privileges and no user interaction — and the flaw is network-exploitable, which is a large part of why it scores a maximum 10.0. Any internet-reachable, unpatched instance is at risk.
I patched late — could I already be compromised? Possibly. Attacks were observed within days of disclosure, before many organizations patched. After updating, hunt for web shells in web-served directories, suspicious traversal requests in your logs, and any unexpected accounts or scheduled tasks.
Sources
- NVD — CVE-2026-48282 Detail: official record, CVSS 10.0 vector, CWE-22 path-traversal description, affected versions, and June 30, 2026 publish date.
- CISA — Adds One Known Exploited Vulnerability to Catalog (July 7, 2026): KEV listing and federal remediation requirement.
- The Hacker News — CISA adds 4 actively exploited Adobe, Joomla, and Langflow flaws to KEV: KEVIntel exploitation evidence and the other three KEV additions.
- The Stack — Max-severity Adobe ColdFusion bug being exploited, warns CISA: Adobe's advisory change to "limited attacks," the Canadian Centre July 2 flag, and the July 10 deadline.
- SecurityWeek — Critical Adobe ColdFusion vulnerability exploited in attacks: independent reporting on active exploitation and impact.
Some links may earn us a commission at no extra cost to you.
Waqas Ahmed Waseer
Waqas Ahmed Waseer is a developer and automation builder with 8+ years shipping production systems used by 100k+ people. He builds custom multi-tenant SaaS, AI automation (n8n, LLM workflows, WhatsApp bots) and hosting infrastructure (WHM/cPanel, CloudLinux) — and is the maker of WaSphere, FlowMaticX, and the WaseerHost hosting brand. 100+ projects delivered for SMBs, agencies and funded startups.



