CVE-2026-48282: CVSS 10 Flaw in Adobe ColdFusion Is Actively Exploited and More
CVE-2026-48282 (CVSS 10) is a critical path traversal vulnerability [CWE-22] in Adobe ColdFusion. According to Adobe’s Security Bulletin [APSB26-68], the issue affects ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier. Exploitation is network-based, which increases the risk to exposed ColdFusion instances, and exploitation does not require authentication. A successful attack allows arbitrary remote code execution (RCE) in the context of the current user.
KEVIntel captured honeypot attacks targeting CVE-2026-48282, indicating that active exploitation may be underway, and CISA has added the flaw to their Known Actively Exploited (KEV) list. Watchtowr Labs has published a public Proof-of-Concept (PoC) exploit with full technical root-cause analysis. Multiple national CERT alerts have been issued for CVE-2026-48282, indicating high concern globally [1][2][3][4][5][6][7][8].

In total, 11 CVEs were disclosed in Adobe’s APSB26-68 advisory, and six of those were assigned the highest possible CVSS severity rating. The OPENVAS ENTERPRISE FEED includes a remote_banner check for CVE-2026-48282 and all other CVEs disclosed in Adobe’s APSB26-68 advisory affecting Adobe ColdFusion. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.
A Risk Assessment of CVE-2026-48282 in Adobe ColdFusion
CVSS 10 · CriticalActively exploitedIn CISA KEVPublic PoC
Adobe has assigned CVE-2026-48282 the highest CVSS severity rating. The primary defensive concern is that a path traversal [CWE-22] issue in a web-facing application server can allow an attacker to move outside intended directory boundaries and reach sensitive resources. Adobe reports that CVE-2026-48282 can lead to arbitrary RCE in the context of the current user. Because exploitation does not require privileges or user interaction, externally reachable instances carry the highest exposure.
Adobe ColdFusion is an enterprise application server used to build, deploy, and scale data-driven web applications, APIs, intranet portals, administrative systems, and cloud-connected business applications. The exploitation reporting should be treated as operationally significant even without additional technical detail.
Mitigating CVE-2026-48282 in Adobe ColdFusion
CVE-2026-48282 is remediated by updating to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21. Adobe does not provide any alternative workarounds or compensating controls. Where instances are externally reachable, remediation should be prioritized. The OPENVAS ENTERPRISE FEED includes a remote_banner check to identify Adobe ColdFusion instances affected by CVE-2026-48282.
Start Your Free Trial
The OPENVAS ENTERPRISE FEED includes a remote_banner check for CVE-2026-48282 and every other CVE in Adobe’s APSB26-68 advisory. Grab a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.
Other CVEs From Adobe’s APSB26-68 Advisory
Adobe’s Security Bulletin [APSB26-68] covered a total of 11 CVEs. Six of these were assigned the highest CVSS criticality score. There are no reports of active exploitation for the CVEs described below, and no detailed technical analysis or PoC are available. All CVEs in the security bulletin affect the same product scope. Therefore, the mitigation described above covers all the vulnerabilities.
The ten additional CVEs disclosed in Adobe APSB26-68, each shown with its CVSS severity band and CWE type
An Unrestricted Upload of File with Dangerous Type vulnerability allows arbitrary RCE in the context of the current user.
An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user.
An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user.
An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user.
An Unrestricted Upload of File with Dangerous Type vulnerability allows arbitrary RCE in the context of the current user.
A Path Traversal vulnerability allows arbitrary file system read and limited write access. An attacker could access sensitive files and directories outside the intended access scope.
An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user. An attacker can inject malicious scripts into a web page, potentially gaining elevated access or control over the victim’s account or session. Exploitation requires the target to open a malicious file.
A reflected Cross-Site Scripting (XSS) vulnerability allows an attacker to inject malicious scripts into a web page, potentially resulting in arbitrary code execution on the system of victims who open a malicious link.
A Server-Side Request Forgery (SSRF) vulnerability allows an attacker to bypass security measures and gain unauthorized read access.
A Path Traversal vulnerability allows an attacker to gain limited read and write access to unauthorized files or directories outside the intended restrictions.
Summary
Adobe’s Security Bulletin [APSB26-68] covered a total of 11 CVEs. Six of these were assigned the highest CVSS criticality score. In-the-wild exploitation has been reported for CVE-2026-48282, which potentially allows arbitrary RCE in the current user context. The affected scope is ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier. Adobe’s fixed versions are ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
The OPENVAS ENTERPRISE FEED includes a remote_banner check for CVE-2026-48282 and all other CVEs disclosed in Adobe’s APSB26-68 advisory affecting Adobe ColdFusion. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.
Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.



