• Request consultation
  • Newsletter
  • Deutsch Deutsch German de
  • English English English en
  • Italiano Italiano Italian it
  • Nederlands Nederlands Dutch nl
Greenbone
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for Your Sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap & Lifecycle
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
  • Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for your sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap and Lifecycle
    • Request IT Security
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
    • Newsletter
  • Our Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • German
  • English
  • Italian
  • Dutch
Joseph Lee

CVE-2026-48282: CVSS 10 Flaw in Adobe ColdFusion Is Actively Exploited and More

Blog

CVE-2026-48282 (CVSS 10) is a critical path traversal vulnerability [CWE-22] in Adobe ColdFusion. According to Adobe’s Security Bulletin [APSB26-68], the issue affects ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier. Exploitation is network-based, which increases the risk to exposed ColdFusion instances, and exploitation does not require authentication. A successful attack allows arbitrary remote code execution (RCE) in the context of the current user.

KEVIntel captured honeypot attacks targeting CVE-2026-48282, indicating that active exploitation may be underway, and CISA has added the flaw to their Known Actively Exploited (KEV) list. Watchtowr Labs has published a public Proof-of-Concept (PoC) exploit with full technical root-cause analysis. Multiple national CERT alerts have been issued for CVE-2026-48282, indicating high concern globally [1][2][3][4][5][6][7][8].

CVE-2026-48282-adobe-coldfusion-exploited

In total, 11 CVEs were disclosed in Adobe’s APSB26-68 advisory, and six of those were assigned the highest possible CVSS severity rating. The OPENVAS ENTERPRISE FEED includes a remote_banner check for CVE-2026-48282 and all other CVEs disclosed in Adobe’s APSB26-68 advisory affecting Adobe ColdFusion. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.

A Risk Assessment of CVE-2026-48282 in Adobe ColdFusion

CVSS 10 · CriticalActively exploitedIn CISA KEVPublic PoC

Adobe has assigned CVE-2026-48282 the highest CVSS severity rating. The primary defensive concern is that a path traversal [CWE-22] issue in a web-facing application server can allow an attacker to move outside intended directory boundaries and reach sensitive resources. Adobe reports that CVE-2026-48282 can lead to arbitrary RCE in the context of the current user. Because exploitation does not require privileges or user interaction, externally reachable instances carry the highest exposure.

Adobe ColdFusion is an enterprise application server used to build, deploy, and scale data-driven web applications, APIs, intranet portals, administrative systems, and cloud-connected business applications. The exploitation reporting should be treated as operationally significant even without additional technical detail.

Mitigating CVE-2026-48282 in Adobe ColdFusion

CVE-2026-48282 is remediated by updating to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21. Adobe does not provide any alternative workarounds or compensating controls. Where instances are externally reachable, remediation should be prioritized. The OPENVAS ENTERPRISE FEED includes a remote_banner check to identify Adobe ColdFusion instances affected by CVE-2026-48282.

Start Your Free Trial

The OPENVAS ENTERPRISE FEED includes a remote_banner check for CVE-2026-48282 and every other CVE in Adobe’s APSB26-68 advisory. Grab a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.

Other CVEs From Adobe’s APSB26-68 Advisory

Adobe’s Security Bulletin [APSB26-68] covered a total of 11 CVEs. Six of these were assigned the highest CVSS criticality score. There are no reports of active exploitation for the CVEs described below, and no detailed technical analysis or PoC are available. All CVEs in the security bulletin affect the same product scope. Therefore, the mitigation described above covers all the vulnerabilities.

The ten additional CVEs disclosed in Adobe APSB26-68, each shown with its CVSS severity band and CWE type

CVE-2026-48276 CVSS 10 · Critical CWE-434

An Unrestricted Upload of File with Dangerous Type vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48277 CVSS 10 · Critical CWE-20

An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48281 CVSS 10 · Critical CWE-20

An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48316 CVSS 10 · Critical CWE-20

An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48283 CVSS 10 · Critical CWE-434

An Unrestricted Upload of File with Dangerous Type vulnerability allows arbitrary RCE in the context of the current user.

CVE-2026-48313 CVSS 9.3 · Critical CWE-22

A Path Traversal vulnerability allows arbitrary file system read and limited write access. An attacker could access sensitive files and directories outside the intended access scope.

CVE-2026-48315 CVSS 9.3 · Critical CWE-20

An Improper Input Validation vulnerability allows arbitrary RCE in the context of the current user. An attacker can inject malicious scripts into a web page, potentially gaining elevated access or control over the victim’s account or session. Exploitation requires the target to open a malicious file.

CVE-2026-48307 CVSS 8.8 · High CWE-79

A reflected Cross-Site Scripting (XSS) vulnerability allows an attacker to inject malicious scripts into a web page, potentially resulting in arbitrary code execution on the system of victims who open a malicious link.

CVE-2026-48285 CVSS 8.6 · High CWE-918

A Server-Side Request Forgery (SSRF) vulnerability allows an attacker to bypass security measures and gain unauthorized read access.

CVE-2026-48314 CVSS 6.5 · Medium CWE-22

A Path Traversal vulnerability allows an attacker to gain limited read and write access to unauthorized files or directories outside the intended restrictions.

Summary

Adobe’s Security Bulletin [APSB26-68] covered a total of 11 CVEs. Six of these were assigned the highest CVSS criticality score. In-the-wild exploitation has been reported for CVE-2026-48282, which potentially allows arbitrary RCE in the current user context. The affected scope is ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier. Adobe’s fixed versions are ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.

The OPENVAS ENTERPRISE FEED includes a remote_banner check for CVE-2026-48282 and all other CVEs disclosed in Adobe’s APSB26-68 advisory affecting Adobe ColdFusion. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.

 

Contact Test Now Buy Here Back to Overview
Joseph Lee
Joseph Lee

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.

He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.

Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.

LinkedIn

13. July 2026/by Joseph Lee
Share this entry
  • Share on LinkedIn
  • Share by Mail
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Joseph Lee https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Joseph Lee2026-07-13 14:55:492026-07-13 16:15:09CVE-2026-48282: CVSS 10 Flaw in Adobe ColdFusion Is Actively Exploited and More

Search

Search Search

Archive

  • 2026
  • 2025

Newsletter

Subscribe Now

OPENVAS BASIC

Our entry-level enterprise product

Test 14 Days Free of Charge

Products & Solutions

  • OPENVAS PRODUCTS
  • OPENVAS SECURITY INTELLIGENCE
  • OPENVAS SCAN
  • OPENVAS BASIC
  • OPENVAS FREE
  • OPENVAS AI
ISO9001-EN

Service & Support

  • Technical Support
  • FAQ
  • Documents
  • Warranty
  • Open Source Vulnerability Management
  • Cyber Resilience Act
ISO27001-EN

About us

  • About Greenbone
  • Partners
  • MSSP
  • License information
  • Privacy Statement
  • Terms & Conditions
ISO14001-EN

Contact with us

  • Contact
  • Newsletter
  • Media Contact
  • Careers
  • Security Response
  • Imprint
  • Grounding Page

Community

  • Community Portal
  • Community Forum
© Copyright - Greenbone AG 2020-2026
  • Link to LinkedIn
Link to: June 2026 Threat Report: Technical Debt Demands Visibility Link to: June 2026 Threat Report: Technical Debt Demands Visibility June 2026 Threat Report: Technical Debt Demands Visibility
Scroll to top Scroll to top Scroll to top
Contact
Request IT Security Contact Us Subscribe to Newsletter Follow on LinkedIn