What is CVE-2026-48282?
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Timeline
- 2026-06-30Published to the U.S. National Vulnerability Database (NVD)
- 2026-07-01NVD record last updated
- 2026-07-07First covered in a defend.network daily briefing
Affected product
Adobe Coldfusion
Remediation Steps
- Apply Adobe ColdFusion security patch for maximum-severity vulnerability
- Scan systems and logs for evidence of exploitation or unauthorized access
- Reset credentials for any accounts with access to affected ColdFusion instances
- Implement web application firewall rules to detect and block exploitation attempts
References
Referenced in our briefings & reports
Browse all tracked CVEs in the defend.network CVE database →
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.