7 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-48282 is a critical path traversal vulnerability affecting Adobe ColdFusion 2025 and Adobe ColdFusion 2023.
The vulnerability results from improper restriction of a pathname to a permitted directory. ColdFusion fails to adequately validate a user-controlled file path before performing a file operation, allowing a crafted path to reference files outside the intended directory boundary.
Successful exploitation may allow an unauthenticated attacker to execute arbitrary code on a vulnerable ColdFusion server. This could lead to unauthorized access to sensitive information, modification of application or system data, deployment of malicious components, disruption of hosted applications, and broader compromise of the underlying server.
NHS England reported that security researchers observed exploitation of CVE-2026-48282 in the wild.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Adobe ColdFusion Path Traversal Arbitrary Code Execution Vulnerability
Identifier: CVE-2026-48282
PoC or Exploitation:
CVSS Score: 10.0 (Critical, CVSS v3.1)
Update / Patch:
Affected versions include:
-
Adobe ColdFusion 2025 Update 9 and earlier
-
Adobe ColdFusion 2023 Update 20 and earlier
Fixed versions include:
-
Adobe ColdFusion 2025 Update 10
-
Adobe ColdFusion 2023 Update 21
Adobe advisory and patch guidance:
Adobe Security Bulletin APSB26-68
https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
Description:
Mitigation Recommendation: