🔴 Critical  |  Source: CISA Known Exploited Vulnerabilities


A path traversal vulnerability in Adobe ColdFusion (CVE-2026-48282) allows attackers to navigate outside restricted directories and execute arbitrary code under the permissions of the currently running user. CISA has added this to its Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild. ColdFusion is commonly used to serve web applications, meaning a successful attack could lead to full server compromise.

Security Architect’s Take: Prioritise patching any internet-facing or internally accessible ColdFusion instances immediately ahead of the 10 July 2026 CISA remediation deadline, and consider placing them behind a web application firewall with path traversal detection rules as an interim compensating control whilst patches are applied.

Original advisory: CVE-2026-48282: Adobe ColdFusion