Cybersecurity Blog | RedLegg

Security Bulletin: Adobe ColdFusion Path Traversal Arbitrary Code Execution Vulnerability

Written by RedLegg's Cyber Threat Intelligence Team | 7/6/26 11:26 PM

About:

CVE-2026-48282 is a critical path traversal vulnerability affecting Adobe ColdFusion 2025 and Adobe ColdFusion 2023.

The vulnerability results from improper restriction of a pathname to a permitted directory. ColdFusion fails to adequately validate a user-controlled file path before performing a file operation, allowing a crafted path to reference files outside the intended directory boundary.

Successful exploitation may allow an unauthenticated attacker to execute arbitrary code on a vulnerable ColdFusion server. This could lead to unauthorized access to sensitive information, modification of application or system data, deployment of malicious components, disruption of hosted applications, and broader compromise of the underlying server.

NHS England reported that security researchers observed exploitation of CVE-2026-48282 in the wild.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Adobe ColdFusion Path Traversal Arbitrary Code Execution Vulnerability

 

Identifier: CVE-2026-48282
PoC or Exploitation:

NHS England reported that security researchers had observed exploitation of CVE-2026-48282 in the wild. 

 
CVSS Score: 10.0 (Critical, CVSS v3.1)


Update / Patch:

 Affected versions include:

  • Adobe ColdFusion 2025 Update 9 and earlier

  • Adobe ColdFusion 2023 Update 20 and earlier

Fixed versions include:

  • Adobe ColdFusion 2025 Update 10

  • Adobe ColdFusion 2023 Update 21

Adobe advisory and patch guidance:

Adobe Security Bulletin APSB26-68

https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html

 

Description:

CVE-2026-48282 is a critical path traversal vulnerability affecting Adobe ColdFusion 2025 and Adobe ColdFusion 2023.
 
The vulnerability results from improper restriction of a pathname to a permitted directory. ColdFusion fails to adequately validate a user-controlled file path before performing a file operation, allowing a crafted path to reference files outside the intended directory boundary.
 
Successful exploitation could allow an unauthenticated attacker to execute arbitrary code on a vulnerable ColdFusion server. This may result in unauthorized access to sensitive information, modification of application or system data, deployment of malicious components, disruption of hosted applications, or further compromise of the underlying server.

 

Mitigation Recommendation:

Immediately upgrade Adobe ColdFusion 2025 deployments to Update 10 and Adobe ColdFusion 2023 deployments to Update 21.
 
Prioritize remediation of internet-facing and externally accessible ColdFusion servers.
 
Review Adobe Security Bulletin APSB26-68 and apply all applicable security updates.
 
Review ColdFusion application logs, web server logs, operating system logs, and endpoint security telemetry for suspicious requests, unexpected file access, anomalous process execution, or unauthorized application changes.
 
Investigate unexpected child processes spawned by ColdFusion or its Java runtime, suspicious scripting activity, newly created files, unauthorized scheduled tasks, or anomalous outbound network connections.
 
Conduct compromise assessments on vulnerable ColdFusion systems, particularly systems that were internet-accessible before the applicable security update was installed.