CVE-2026-48282

Confirmed · PUBLISHED

ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Adobe · ColdFusion

Not yet in CISA KEV

Exploited in the wild · Active exploitation observed · Virtual patch available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence: Confirmed
Exploitation Status: Active exploitation observed
Observed in Sensors: Yes
Attempts (30d): 1
Unique Attacker IPs: 1
CISA KEV: Not yet in CISA KEV
Virtual Patch: Yes (3 targets)
CVSS / EPSS: 10.0 Critical / EPSS 1.0%

At a Glance

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

CVE Published: Jun 30, 2026
Exploitation Reported: Jul 02, 2026
CVSS: 10.0 Critical
EPSS: 1.0%

Remote · Low complexity · No user interaction · Unauthenticated

Affected Versions

Vendor | Product | Version | Status
Adobe | ColdFusion | 0 to <= 2023.20 | Affected

Recommended Actions

  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.