CVE-2026-48282 (CRITICAL), CNA: adobe

CVE-2026-48282: ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Metrics

  • CVSS v3.1: 10.0
  • Severity: CRITICAL
  • Fixed in: none published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability in Adobe ColdFusion (versions 2025.9, 2023.20, and earlier) allows a remote, unauthenticated attacker to read and write files outside the server's intended directory boundaries. Because scope is changed, successful exploitation can break out of the application context and achieve arbitrary code execution on the underlying host. No fix versions have been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-48282 is available across every HarborGuard environment, including internally built ColdFusion-based images; the CVE is matched against customer images within minutes of ingestion from upstream feeds. Any image containing an affected ColdFusion version (2025.9, 2023.20, or earlier) is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage: Available

HarborGuard surfaces this CVE with its full CVSS v3.1 score of 10.0 (Critical) and weights it against each customer environment's compliance policy to determine urgency and routing. Triage tickets are routable to the appropriate team inbox inside each customer org based on policy-defined ownership rules.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the interim, customers with network-policy controls enabled can apply compensating rules to restrict external access to ColdFusion endpoints while the advisory remains open.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the ColdFusion service over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No credentials or account of any privilege level are required to trigger the vulnerability.

  • Victim interaction: Not required

    The attacker can exploit this vulnerability without any action from a user or administrator on the target system.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and imposes no special preconditions, race conditions, or environmental requirements on the attacker.

Blast Radius

  • An attacker reads arbitrary files on the server, including configuration files, credentials, and application secrets stored outside the web root.
  • An attacker writes or overwrites arbitrary files, enabling placement of a web shell or modification of application code.
  • With scope changed, the attacker achieves arbitrary code execution in the context of the ColdFusion process user, which can extend compromise to the underlying operating system.
  • Full confidentiality, integrity, and availability of the host and any co-located services are at risk once code execution is established.

How HarborGuard Handles This

Available on HarborGuard: this Critical-severity CVE (CVSS 10.0) is matched against all customer images on every ingest cycle, with no gap between advisory publication and detection availability. Because Adobe has not yet released a fix, no patched-image rebuild is queued; however, HarborGuard will make one available automatically the moment an upstream fix version is published, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention. While the advisory remains open, compensating controls worth considering include network-policy isolation to restrict inbound access to ColdFusion admin and file-serving endpoints, egress filtering to limit what the ColdFusion process can reach externally, and feature-flag or WAF-level gating on path parameters processed by the application. HarborGuard re-evaluates the Adobe advisory on each ingest cycle and will surface the patch the moment it is available.
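The paragraph above recommends WAF-level or application-level gating on path parameters as a compensating control while the fix is pending. The following added example (not HarborGuard's or Adobe's code, and not tied to any real ColdFusion endpoint) shows what such a gate has to do to be meaningful against a CWE-22 class bug: percent-decode repeatedly (double encoding), fold backslashes, strip NUL bytes, and resolve the result lexically so that any request climbing above the allowed base directory is rejected before it reaches the filesystem. Base directory and request strings are constructed placeholders.

```python
"""Path-parameter gate for a CWE-22 compensating control (constructed example)."""
from typing import Dict, List, Optional
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # enough to unwrap %252e%252e (double-encoded "..")


def fully_decode(value: str) -> str:
    """Percent-decode until the string stops changing, capped at a few rounds."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_within(base: str, requested: str) -> Optional[str]:
    """Return the confined absolute path, or None if the request escapes `base`.

    Resolution is purely lexical (no filesystem access), which is what a WAF or
    request filter can do. A leading '/' is treated as relative to the base.
    """
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:
        return None  # NUL bytes are never legitimate in a path parameter
    parts: List[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty or current-dir segments carry no information
        if segment == "..":
            if not parts:
                return None  # would climb above the base directory
            parts.pop()
        else:
            parts.append(segment)
    return "/".join([base.rstrip("/")] + parts)


# Constructed request samples, not real traffic.
SAMPLE_REQUESTS = [
    "docs/report.pdf",
    "a/../b.txt",
    "../../../etc/passwd",
    "docs/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/%252e%252e/app.cfg",
    "img\\..\\..\\app.cfg",
]


def audit(base: str, requests: List[str]) -> Dict[str, str]:
    """Map each request to the gate's verdict: 'allow' or 'block'."""
    return {r: ("allow" if resolve_within(base, r) else "block") for r in requests}
```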

Affected packages

  • Adobe / ColdFusion ≤ 2023.20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H